
SSL Certificate Installation - Complete Guide

Published: September 25, 2024 | Reading time: 20 minutes

SSL Certificate Overview

TLS encrypts the connection and protects its integrity; the certificate's own job is to bind the server's public key to its domain name so that clients can authenticate the server they are encrypting to:

SSL Benefits
# SSL/TLS Benefits
- Data encryption
- Server authentication
- Data integrity
- SEO benefits
- Browser trust
- PCI compliance
- User confidence

Certificate Types

Certificate Categories

Validation Levels

  • DV (Domain Validated)
  • OV (Organization Validated)
  • EV (Extended Validation)

Certificate Types

  • Single Domain
  • Wildcard
  • Multi-Domain (SAN)
  • Unified Communications

Let's Encrypt Setup

Certbot Installation

Certbot Installation
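# Ubuntu/Debian Installation
# The snap is the channel the EFF recommends: it tracks upstream releases and
# updates certbot automatically, unlike most distro packages.
sudo apt update
sudo apt install snapd
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

# CentOS/RHEL Installation
# Install the plugin that matches your web server (python3-certbot-nginx or
# python3-certbot-apache).
sudo yum install epel-release
sudo yum install certbot python3-certbot-nginx

# Manual Installation
# NOTE: the old certbot-auto wrapper (https://dl.eff.org/certbot-auto) has been
# deprecated by the EFF and is no longer maintained. Downloading a script and
# running it as root without verifying it is also a supply-chain risk. Where no
# snap or distro package is available, install from PyPI into a dedicated
# virtualenv (the EFF's documented fallback) instead:
sudo python3 -m venv /opt/certbot
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

# Verify Installation
certbot --version

# Test Certificate (Dry Run)
# --dry-run talks to the Let's Encrypt staging CA, so it does not consume the
# production rate limits. An authenticator (--webroot here, pointing at the
# directory served on port 80) must be given, otherwise certbot prompts for one.
sudo certbot certonly --dry-run --webroot -w /var/www/html -d example.com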

Nginx SSL Configuration

Nginx SSL Setup
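# Obtain SSL Certificate
# --nginx validates through the running nginx, rewrites the server block for you
# and records the settings so that "certbot renew" keeps working unattended.
sudo certbot --nginx -d example.com -d www.example.com

# Manual Certificate Installation
# 1. Obtain certificate only. Request BOTH names, because the server block below
#    answers for www.example.com too and a cert without it causes a name-mismatch
#    error. The webroot must be the directory nginx serves on port 80 for these
#    names, since the CA fetches /.well-known/acme-challenge/ from it. The deploy
#    hook makes every future renewal reload nginx so the new cert is picked up.
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com \
    --deploy-hook "systemctl reload nginx"

# 2. Configure Nginx
sudo nano /etc/nginx/sites-available/example.com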

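# Nginx SSL Configuration
# Port 80 exists only to redirect. $server_name is the FIRST name in the
# server_name list (example.com), so www.example.com is canonicalised to the bare
# domain; use $host instead if both names should keep serving under their own name.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # SSL Configuration
    # fullchain.pem = leaf + intermediate; nginx sends the chain from this file
    # only, so pointing at cert.pem here produces "certificate not trusted" errors.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # SSL Security Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    # "...-AES256-GCM-SHA512" is not a real OpenSSL cipher name (no such suite
    # exists) and is silently dropped, and DHE-* suites are only offered when
    # ssl_dhparam is set, so the original list effectively allowed two suites.
    # The list must also contain ECDHE-ECDSA entries: recent certbot releases
    # issue ECDSA keys by default, and an RSA-only list makes every TLS 1.2
    # handshake fail with such a key. (TLS 1.3 suites are not governed by
    # ssl_ciphers; they are fixed by OpenSSL and all provide forward secrecy.)
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # nginx encrypts session tickets with a key generated at start-up and never
    # rotated, which weakens forward secrecy; the shared cache above is enough.
    ssl_session_tickets off;

    # HSTS
    # includeSubDomains commits EVERY subdomain to HTTPS for a year. Start with a
    # short max-age (e.g. 300) until all subdomains are confirmed to serve TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Security Headers
    # "always" also sets them on 4xx/5xx responses. Beware that any add_header
    # inside a location block REPLACES this whole list rather than extending it.
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # The legacy XSS auditor has been removed from current browsers and could be
    # abused to leak information in old ones; current guidance is to disable it
    # explicitly (0) rather than turn it on, and rely on Content-Security-Policy.
    add_header X-XSS-Protection "0" always;

    root /var/www/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}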

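# Test Configuration, then reload only if the test passed. A reload with a broken
# config leaves nginx running the previous config while the error is easy to miss;
# chaining with && stops at the first failure.
sudo nginx -t && sudo systemctl reload nginx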

Apache SSL Configuration

Apache SSL Setup

Apache SSL Configuration
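# Install Apache SSL Module
sudo apt install apache2
sudo a2enmod ssl
sudo a2enmod rewrite
# mod_headers is required for the "Header" directives in the vhost below; without
# it apache2 refuses to start with: Invalid command 'Header'
sudo a2enmod headers
sudo systemctl restart apache2

# Obtain SSL Certificate
# --apache needs the python3-certbot-apache plugin (or the snap, which bundles it).
sudo certbot --apache -d example.com -d www.example.com

# Manual Apache Configuration
sudo nano /etc/apache2/sites-available/example.com.conf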

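# Apache SSL Configuration
# (The <VirtualHost> and <Directory> container tags were stripped from the
#  original listing by the page extraction; they are restored here, with the
#  <Directory> path taken from the DocumentRoot.)
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html

    # SSL Configuration
    # Apache 2.4.8+ reads the intermediate(s) from the certificate file itself, so
    # point SSLCertificateFile at fullchain.pem; SSLCertificateChainFile is
    # deprecated there. (On older 2.4.x use cert.pem plus
    # "SSLCertificateChainFile .../chain.pem".)
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # SSL Security Settings
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Both ECDSA and RSA suites, because recent certbot releases issue ECDSA keys
    # by default; these govern TLS 1.2 only (TLS 1.3 suites are fixed by OpenSSL).
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    SSLSessionTickets off

    # Security Headers (require mod_headers: sudo a2enmod headers)
    # includeSubDomains commits every subdomain to HTTPS; use a short max-age
    # until all subdomains are known to serve TLS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    # The legacy XSS auditor is gone from current browsers and could be abused in
    # old ones; current guidance is to disable it (0) and use Content-Security-Policy.
    Header always set X-XSS-Protection "0"

    <Directory /var/www/html>
        # AllowOverride All lets any .htaccess file under the docroot change server
        # behaviour (rewrites, handlers, access rules); prefer None unless the site
        # genuinely depends on .htaccess.
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>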

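# Enable Site
sudo a2ensite example.com.conf
# Validate the config first so a typo in the vhost does not take the server down;
# && stops before the reload if the test fails.
sudo apachectl configtest && sudo systemctl reload apache2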

Commercial Certificates

Certificate Purchase

Commercial Certificate Setup
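# Certificate Authority Options
# Popular CAs:
# - DigiCert (premium)
# - Sectigo (Comodo)
# - GlobalSign
# - Entrust
# - GoDaddy
# - Namecheap

# Certificate Request Process
# 1. Generate Private Key
# Generate the key on the server that will use it and never send it anywhere:
# the CA only ever needs the CSR. "umask 077" makes the key file mode 0600 from
# the moment it is created. 2048-bit RSA is the minimum CAs accept; 3072/4096-bit
# RSA, or an ECDSA P-256 key (openssl ecparam -genkey -name prime256v1
# -out example.com.key), are stronger/faster alternatives all major CAs support.
umask 077
openssl genrsa -out example.com.key 2048

# 2. Generate Certificate Signing Request (CSR)
# Browsers ignore the Common Name and match on the Subject Alternative Names, so
# list every hostname the certificate must cover in the SAN extension
# (-addext needs OpenSSL 1.1.1 or newer).
openssl req -new -sha256 -key example.com.key -out example.com.csr \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

# CSR Information Required (prompted interactively):
#   Country Name: US
#   State: California
#   City: San Francisco
#   Organization: Your Company
#   Organizational Unit: IT Department   (many CAs stopped accepting OU in 2022)
#   Common Name: example.com
#   Email: admin@example.com
# Leave the "challenge password" prompt empty.

# Review what you are about to submit
openssl req -in example.com.csr -noout -text

# 3. Submit CSR to CA
# Upload the CSR (never the .key file) to the certificate authority
# Complete domain validation
# Download certificate files

# 4. Install Certificate
# Certificate file: example.com.crt
# Intermediate certificate: intermediate.crt
# Root certificate: root.crt   (not served to clients; browsers already have it)
# Private key: example.com.key (keep it root-owned, mode 0600, e.g. under /etc/ssl/private)
sudo install -o root -g root -m 600 example.com.key /etc/ssl/private/example.com.key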

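# Nginx Configuration with Commercial Certificate
# nginx sends clients the chain found in the ssl_certificate file ONLY, so the
# intermediate must be appended to the leaf (leaf first, then intermediate(s),
# never the root):
#   cat example.com.crt intermediate.crt > /etc/ssl/certs/example.com-fullchain.crt
# ssl_trusted_certificate does NOT do this: it is used only to verify OCSP
# staples and client certificates. A missing intermediate is the most common
# cause of "certificate not trusted" errors (it works in a browser that has
# cached the intermediate and fails everywhere else).
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/example.com-fullchain.crt;
    # key file root-owned, mode 0600
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Needed only if OCSP stapling is enabled (see the SSL Security section)
    ssl_trusted_certificate /etc/ssl/certs/intermediate.crt;

    # SSL Configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    # "...-SHA512" suite names do not exist in OpenSSL and are silently dropped,
    # and DHE-* suites need ssl_dhparam. Include ECDHE-ECDSA entries if the key
    # above is ECDSA, ECDHE-RSA if it is RSA (listing both is harmless).
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}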

Wildcard Certificates

Wildcard SSL Setup

Wildcard Certificate Configuration
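# Let's Encrypt Wildcard Certificate
# Requires DNS validation (the dns-01 challenge): HTTP validation cannot prove
# control of "*.example.com". A wildcard does not cover the apex name, which is
# why example.com is requested as well.
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com

# DNS Challenge Process:
# 1. Certbot provides a TXT record value - one for EACH name requested, so the two
#    -d names above produce two records under the same _acme-challenge label
# 2. Add the TXT record(s) to DNS
# 3. Wait for propagation (check with: dig +short TXT _acme-challenge.example.com)
# 4. Press Enter to continue

# Example DNS Record:
# _acme-challenge.example.com. TXT "abc123def456ghi789"

# CAUTION: a certificate obtained with --manual cannot be renewed by the
# unattended "certbot renew" job - renewal fails because the interactive DNS
# step cannot run. For a wildcard that renews itself use the DNS plugin for your
# provider (python3-certbot-dns-* packages / certbot-dns-* snaps, which create
# the TXT record through the provider's API), or pass --manual-auth-hook and
# --manual-cleanup-hook scripts that do the same. Scope the API credential the
# plugin uses to TXT records in this zone only: anyone holding it can obtain
# certificates for the domain.

# Wildcard Certificate Files:
# /etc/letsencrypt/live/example.com/fullchain.pem
# /etc/letsencrypt/live/example.com/privkey.pem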

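# Nginx Wildcard Configuration
# nginx rejects proxy_pass inside a server-level "if" ("proxy_pass directive is
# not allowed here" from nginx -t), and "if" is discouraged for routing anyway.
# Give each hostname its own server block and let server_name do the matching;
# every block can use the same wildcard certificate. To avoid repeating the
# ssl_* lines, move them into a file and "include" it from each block.
server {
    listen 443 ssl http2;
    server_name api.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://backend-api;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl http2;
    server_name blog.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://backend-blog;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Default for the apex and for any other subdomain. A wildcard matches a single
# label only: *.example.com covers blog.example.com but not a.b.example.com.
server {
    listen 443 ssl http2;
    server_name example.com *.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    root /var/www/html;
    index index.html;
}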

Certificate Renewal

Automatic Renewal

Certificate Renewal Setup
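# Let's Encrypt Auto-Renewal
# Certificates are valid for 90 days. "certbot renew" only renews those with
# fewer than 30 days left and is a no-op otherwise, so running it often is safe
# and intended.

# Test Renewal (staging CA; does not touch the live certificates)
sudo certbot renew --dry-run

# Manual Renewal
sudo certbot renew

# Automatic Renewal Script
# Use EITHER the cron job OR the systemd timer, not both. The snap package
# already installs a timer (snap.certbot.renew.timer), as do most distro
# packages - check before adding a cron entry.
sudo nano /etc/cron.d/certbot-renewal

# Cron Job (runs twice daily). The random sleep spreads renewals across the hour,
# as Let's Encrypt asks, and uses perl because cron's /bin/sh may lack $RANDOM.
# --deploy-hook runs only when a certificate was actually renewed (--post-hook
# runs after every attempt, even a failed one).
0 0,12 * * * root perl -e 'sleep int(rand(3600))' && /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"

# Systemd Timer (alternative)
sudo systemctl enable --now certbot.timer

# Check Timer Status
sudo systemctl status certbot.timer
sudo systemctl list-timers '*certbot*'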

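# Renewal Hook Script
# Scripts in renewal-hooks/deploy/ run once per successfully renewed certificate;
# those in renewal-hooks/post/ run after every renew attempt, whether or not
# anything changed, so the reload belongs in deploy/. Each reload is guarded so a
# host that runs only one of the two servers does not fail the hook on the other.
sudo nano /etc/letsencrypt/renewal-hooks/deploy/reload-webserver.sh

#!/bin/bash
set -eu
for svc in nginx apache2; do
    if systemctl is-active --quiet "$svc"; then
        systemctl reload "$svc"
    fi
done

# Make executable. The hook runs as root, so keep it root-owned and not writable
# by anyone else.
sudo chown root:root /etc/letsencrypt/renewal-hooks/deploy/reload-webserver.sh
sudo chmod 750 /etc/letsencrypt/renewal-hooks/deploy/reload-webserver.sh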

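# Certificate Monitoring
# Check certificate expiration (-enddate prints just the "notAfter=" line)
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -enddate

# Automated monitoring script (save as its own file; the shebang must be line 1).
# openssl's -checkend does the date arithmetic itself - it exits non-zero when the
# certificate expires within the given number of seconds - which avoids parsing
# the human-readable "Not After" text with grep/cut/date. "date -d" is GNU date.
#!/bin/bash
set -eu
CERT_PATH="/etc/letsencrypt/live/example.com/cert.pem"
WARN_DAYS=30
ALERT_TO="admin@example.com"

if ! openssl x509 -in "$CERT_PATH" -noout -checkend $(( WARN_DAYS * 86400 )) >/dev/null; then
    EXPIRES_AT=$(openssl x509 -in "$CERT_PATH" -noout -enddate | cut -d= -f2)
    DAYS_LEFT=$(( ( $(date -d "$EXPIRES_AT" +%s) - $(date +%s) ) / 86400 ))
    echo "Certificate expires in $DAYS_LEFT days"
    # Send alert email
    mail -s "SSL Certificate Expiring Soon" "$ALERT_TO" << EOF
Certificate for example.com expires in $DAYS_LEFT days ($EXPIRES_AT).
Please renew the certificate.
EOF
fi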

SSL Security

Security Configuration

SSL Security Best Practices
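# SSL Security Configuration
# Nginx SSL Security (ssl_certificate / ssl_certificate_key as in the sections above)
server {
    listen 443 ssl http2;

    # SSL Protocols (disable old versions)
    ssl_protocols TLSv1.2 TLSv1.3;

    # SSL Ciphers (strong encryption only). This list governs TLS 1.2 only; the
    # TLS 1.3 suites are fixed by OpenSSL and all provide forward secrecy + AEAD.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # SSL Session Configuration
    # Tickets are off because nginx encrypts them with a key generated at start-up
    # and never rotated, which undermines forward secrecy for as long as the
    # process runs; the shared cache provides resumption without that cost.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP Stapling
    # nginx fetches the staple itself, so it needs a resolver for the responder's
    # hostname (without one stapling silently never happens); chain.pem lets it
    # verify the response. Confirm your CA still runs an OCSP responder: Let's
    # Encrypt has announced it is retiring OCSP in favour of CRLs, after which
    # these directives only log warnings and staple nothing.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.53 valid=300s;   # systemd-resolved stub; substitute your resolver
    resolver_timeout 5s;

    # Security Headers
    # "preload" is a commitment: once the domain is in the browser preload list
    # it cannot be removed quickly. Add it only after the whole site and every
    # subdomain work over HTTPS and you intend to submit to hstspreload.org.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # Legacy XSS auditor: removed from current browsers, abusable in old ones;
    # disable explicitly and rely on the CSP below.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # 'unsafe-inline' lets any injected inline <script> run, which removes most of
    # the XSS protection a CSP provides; move inline scripts/styles into files (or
    # use nonces/hashes) so it can be dropped. frame-ancestors is the CSP
    # equivalent of X-Frame-Options and is honoured where the old header is ignored.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';" always;
}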

# SSL Grade Testing
# Test SSL configuration:
# https://www.ssllabs.com/ssltest/
# https://www.howsmyssl.com/
# https://www.sslshopper.com/ssl-checker.html

# SSL Security Checklist:
# - Use TLS 1.2 or higher
# - Disable weak ciphers
# - Enable HSTS
# - Use OCSP stapling
# - Implement security headers
# - Regular certificate renewal
# - Monitor certificate expiration

Load Balancer SSL

SSL Termination

Load Balancer SSL Configuration
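# Nginx Load Balancer SSL
upstream backend {
    server 192.168.1.100:3000;
    server 192.168.1.101:3000;
    server 192.168.1.102:3000;
}

# SSL Termination at Load Balancer
# TLS ends here: traffic to the upstreams on :3000 is plaintext HTTP. That is
# acceptable only on a segment nobody else can sniff (dedicated VLAN, host
# firewalls on the backends accepting :3000 from this proxy only); otherwise
# re-encrypt with "proxy_pass https://backend" plus proxy_ssl_verify, or use
# passthrough (below). The backends must trust X-Forwarded-* headers only when
# the request comes from this proxy's address, since clients can set them too.
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # SSL Configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    # "...-SHA512" suite names do not exist in OpenSSL and are silently dropped,
    # and DHE-* suites need ssl_dhparam; list ECDSA and RSA ECDHE suites instead
    # (certbot issues ECDSA keys by default in recent releases).
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Proxy to backend servers
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}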

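# SSL Passthrough (HAProxy)
# Passthrough forwards the raw TLS stream to the backends, which hold the
# certificate and terminate TLS themselves; HAProxy never sees plaintext and
# needs no certificate. (A bind with "ssl crt ..." in "mode http" - as the
# earlier version of this snippet had - is termination, not passthrough.)
# Because the stream is opaque, HAProxy cannot insert X-Forwarded-For here;
# enable the PROXY protocol on both sides if the backends need the client IP.
frontend https_frontend
    bind *:443
    mode tcp
    option tcplog
    # wait for the ClientHello so SNI-based ACLs/routing are possible
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend backend_servers

backend backend_servers
    mode tcp
    balance roundrobin
    # the backends terminate TLS on 443, so they (not HAProxy) hold the cert/key
    server web1 192.168.1.100:443 check
    server web2 192.168.1.101:443 check
    server web3 192.168.1.102:443 check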
Troubleshooting

Common SSL Issues

SSL Troubleshooting
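# SSL Troubleshooting Commands
# Check certificate details
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text -noout

# Check certificate expiration
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -dates

# Test SSL connection. -servername sends SNI: without it a host serving several
# sites returns its default certificate and looks like a "domain mismatch".
# </dev/null closes stdin so s_client exits instead of waiting for input.
# Look for "Verify return code: 0 (ok)" in the output.
openssl s_client -connect example.com:443 -servername example.com </dev/null

# Check certificate chain (each intermediate should be printed after the leaf)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

# Confirm an old protocol is refused (expect a handshake failure)
openssl s_client -connect example.com:443 -servername example.com -tls1 </dev/null

# Verify certificate installation (-I sends HEAD; -v prints the handshake and the
# certificate, and curl fails on an untrusted or mismatched certificate)
curl -vI https://example.com

# Check SSL configuration (enumerates protocols and ciphers and grades them)
nmap --script ssl-enum-ciphers -p 443 example.com

# Common SSL Issues:
# 1. Certificate not trusted
#    - Missing intermediate certificate
#    - Incorrect certificate chain
#    - Wrong certificate file

# 2. Certificate expired
#    - Check expiration date
#    - Renew certificate
#    - Update renewal automation

# 3. Domain mismatch
#    - Certificate doesn't match domain
#    - Wrong certificate installed
#    - Multiple domains not covered

# 4. SSL protocol errors
#    - Only old SSL/TLS versions supported by one side (client or server)
#    - No cipher suite in common (e.g. RSA-only cipher list with an ECDSA key)
#    - Key does not match certificate (nginx -t / apachectl configtest report it)

# 5. Mixed content
#    - HTTP resources on HTTPS page
#    - Update all links to HTTPS
#    - Use relative URLs

# SSL Debugging Tools:
# - SSL Labs SSL Test
# - Qualys SSL Test
# - SSL Shopper SSL Checker
# - Mozilla SSL Configuration Generator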

Best Practices

SSL Management

SSL Best Practices

  • Use strong encryption
  • Enable HSTS
  • Implement security headers
  • Regular certificate renewal
  • Monitor certificate expiration
  • Use OCSP stapling
  • Test SSL configuration

Common Mistakes

  • Weak SSL configuration
  • Missing security headers
  • No certificate monitoring
  • Mixed content issues
  • Incorrect certificate chain
  • No automatic renewal
  • Poor SSL grade

Summary

SSL certificate installation involves several key components:

  • Certificate Types: DV, OV, EV, wildcard certificates
  • Let's Encrypt: Free certificates, automatic renewal
  • Web Server Config: Nginx, Apache SSL setup
  • Commercial Certificates: Premium features, validation
  • Wildcard Certificates: Multiple subdomains
  • Renewal: Automatic renewal, monitoring
  • Security: Strong encryption, security headers
  • Load Balancers: SSL termination, passthrough
