Wildcard SSL installation for multiple subdomains on a single VM

From ATI Chennai IT and ITES Wiki


Wildcard SSL

  • If you’re looking for a Wildcard SSL/TLS certificate, you are probably already aware of how useful it is when it comes to securing multiple subdomains without having a separate certificate issued for each of them.
  • This is one of the reasons why Wildcard SSL/TLS certificates are chosen by large organisations as well.
  • A Wildcard SSL/TLS certificate is also advantageous for securing subdomains that are spread across multiple servers.
  • It secures all the subdomains with a single Wildcard SSL/TLS certificate.
  • For instance, you can secure subdomains hosted and managed by different departments, which can improve efficiency: the blog (blog.exampledomain.com) on a WordPress host, the support page (support.exampledomain.com) at a third-party helpdesk vendor, and the billing page (billing.exampledomain.com) on the accounting company’s server, while sending your website visitors directly to those subdomains without routing them through the home page.

How to Generate wildcard CSR

How to generate CSR

Steps to install / Enable SSL certificate on Ubuntu using Apache

Step 1: Copy the Certificate Files

To get started, copy the primary certificate (yourdomain.crt) and the intermediate certificate (abcCA.crt) into the directory on your Ubuntu server where you intend to store all your certificate and key files (e.g. /etc/apache2/ssl/, with the key file in the /etc/apache2/ssl/private/ folder).


Step 2: Edit the Apache .conf File

(1) Normally, you can find Ubuntu’s Apache configuration file for your SSL site in /etc/apache2/sites-enabled/your_site_name (the default files are 000-default.conf and default-ssl.conf). You can duplicate and rename it as per your domain name (normally it is located at /etc/apache2/sites-available/).

(2) If you don’t find that .conf file in the sites-enabled folder, you need to run the command "sudo a2ensite your_site_name.conf".

(3) After locating the file, open it using any text editor.

Note: To serve your website over both secured HTTPS and non-secured HTTP, you need two separate files in your …/sites-enabled/ folder: one for port 80 and the other for port 443.

(4) To make your site accessible only over the secure protocol, you need to configure the VirtualHost block.

Step 3: Configuration of Virtual Host block

Your VirtualHost block will look similar to the following image:

(Image: Virtual Host File)

(1) In the VirtualHost block, you need to configure the SSL certificate file, the key file and the chain file.

(2) Now, adjust the following file names as per your SSL certificate and make the changes accordingly:

(i) SSLCertificateFile: Your certificate file (yourdomain.crt)

(ii) SSLCertificateKeyFile: Your key file (generated during CSR creation) - the private key

(iii) SSLCertificateChainFile: The intermediate certificate file (CA.crt)

Note: Try using SSLCACertificateFile instead, if the SSLCertificateFile directive doesn’t work.


Save the file once you are done editing the VirtualHost block.


Case Study 1: Single domain redirection from http to https

File name: rdsdegujarat.dgt.gov.in.conf (for http)

Contents:

-----------------------------------------------
<VirtualHost *:80>
    ServerName   rdsdegujarat.dgt.gov.in
    ServerAlias  www.rdsdegujarat.dgt.gov.in
    DocumentRoot /home/rdsdegujarat/www
    <Directory /home/rdsdegujarat/www>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # The following line forces a redirect of every request to https
    Redirect permanent / https://rdsdegujarat.dgt.gov.in/
</VirtualHost>
-----------------------------------------------

File name: rdsdegujarat.dgt.gov.in-ssl.conf (for https)

Contents:

-----------------------------------------------
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost

    ServerName   rdsdegujarat.dgt.gov.in
    ServerAlias  www.rdsdegujarat.dgt.gov.in
    DocumentRoot /home/rdsdegujarat/www
    <Directory /home/rdsdegujarat/www>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    #DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLCertificateFile      /etc/ssl/yourdomain.crt
    SSLCertificateKeyFile   /etc/ssl/private/private.key
    SSLCertificateChainFile /etc/ssl/certCA.crt

    # Disable the obsolete SSLv2 and SSLv3 protocol versions
    SSLProtocol all -SSLv2 -SSLv3

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
---------------------------------------------------------------------------------------------


The above configuration works for individual domains, with a separate .conf file for each domain.
For HTTP to HTTPS redirection:
Redirect permanent / https://rdsdegujarat.dgt.gov.in/

But if you want a single solution that forces HTTPS for the whole site, create or edit the .htaccess file in the root folder of the website and add the following lines:

RewriteEngine On
# redirect http to https
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Note: Apache only reads .htaccess when AllowOverride permits it (the Directory blocks above use AllowOverride None, which disables it), and the rules need mod_rewrite to be enabled (sudo a2enmod rewrite).

Be sure to restart the Apache server:
1) service apache2 restart
2) apachectl configtest



To check whether the SSL certificate is installed and working properly

Reference:
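As an added example (not part of the wiki page), the following Python script shows which hostnames a wildcard certificate actually covers and how to check a live site: browsers match *.exampledomain.com to exactly one label, so the apex domain and deeper names such as a.b.exampledomain.com need their own SAN entries, and a certificate served without its intermediate (Step 3's chain file) fails verification in the same way it would in a browser. The function names and the SAMPLE_CERT dictionary are constructed for this example and are not from the page.

```python
import socket
import ssl
from datetime import datetime, timezone

def wildcard_matches(pattern, hostname):
    """Browser-style (RFC 6125) match: '*.exampledomain.com' covers exactly one
    left-most label, so blog.exampledomain.com matches but the apex
    exampledomain.com and a.b.exampledomain.com do not."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != "" and "*" not in h_labels[0]
            and p_labels[1:] == h_labels[1:])

def cert_covers(cert, hostname):
    """cert uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(wildcard_matches(n, hostname) for n in names)

def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative means already expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return int((expires - now) // 86400)

def check_site(cert, hostname, now=None):
    return {"hostname": hostname,
            "covered": cert_covers(cert, hostname),
            "days_left": days_until_expiry(cert, now)}

def fetch_cert(hostname, port=443):
    """Live check with SNI. The default context verifies the chain, so a missing
    intermediate (SSLCertificateChainFile) raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.exampledomain.com"),
                       ("DNS", "exampledomain.com")),
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
SAMPLE_NOW = datetime(2024, 12, 1, tzinfo=timezone.utc).timestamp()
```

For a deployed server, call check_site(fetch_cert("blog.exampledomain.com"), "blog.exampledomain.com") for each subdomain you expect the wildcard to cover.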



SSL Installation

  • Step 1: Generate CSR
  • Step 2: Download Certificate