More and more websites now offer SSL access to their visitors; it's becoming the industry standard. Using CloudFlare is an excellent compromise.
SSL certificates can be bought for a very low price. At wp2pgpmail, we used to get our certificates from SSLs.com. You may also have heard of Let's Encrypt, which delivers SSL certificates for free.
The main problem with both paid certificates and the free ones from Let's Encrypt is that they are valid for a limited time: the paid ones cost a small fee every year, and Let's Encrypt certificates last only 90 days.
So every year, or every couple of years if you are lazy like us, you will need to reissue a certificate for your website. If you chose Let's Encrypt, you will need to set up an automatic renewal process, which means giving Let's Encrypt a way to check that your website is still alive. A bit constraining…
If your website is already on CloudFlare, you will love their Origin Certificate solution.
- It's free
- It's a wildcard certificate, which means you can use it for any subdomain
- It can be issued for up to 15 years!
- All your subdomains must have CloudFlare protection enabled (browsers do not trust the Origin Certificate directly; only traffic proxied through CloudFlare works)
- Your traffic is not private from CloudFlare: it terminates the visitor's TLS connection in front of your server and sees your data
If that is acceptable for your business, here are the instructions for using this solution.
Generate your private key and the certificate request on your server
From your server, type the following command. It creates a 2048-bit RSA private key in /etc/ssl/private (unencrypted, because of -nodes, so Apache can load it at start-up without a passphrase) and the certificate request in /tmp; answer the prompts as shown below, using *.example.com as the Common Name so the certificate covers every subdomain:
openssl req -nodes -newkey rsa:2048 -keyout /etc/ssl/private/example.com.key -out /tmp/example.com.csr
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: NY
Locality Name (eg, city) : New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) : *.example.com
Email Address :
A challenge password :
An optional company name :
Copy your certificate request to CloudFlare and create the certificate
From the Crypto tab on your CloudFlare dashboard, click on Create Certificate. Only the request (the .csr file) is uploaded; the private key in /etc/ssl/private never leaves your server:
Paste the content of /tmp/example.com.csr:
Your Origin Certificate will be automatically generated:
You will need to copy the content of the certificate into the following new file, /etc/ssl/certs/example.com.pem (the path used in the Apache configuration below):
Your certificate is now ready to use!
Edit your Apache VirtualHost configuration
Your Apache configuration has to look like this:
<VirtualHost *:443>
    SSLEngine on
    # Origin Certificate pasted from the CloudFlare dashboard
    SSLCertificateFile /etc/ssl/certs/example.com.pem
    # Private key generated on this server in the first step
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    ServerName www.example.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/example_root
    <Directory />
        Options FollowSymLinks
        AllowOverride All
        # Refuse any request that did not arrive over SSL
        SSLRequireSSL
    </Directory>
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    LogFormat "%v %h %l %u %t \"%r\" %>s %b" commonvhost
    CustomLog /var/log/apache2/access.log commonvhost
</VirtualHost>
Then check the syntax with apachectl configtest and restart your Apache server.
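The whole procedure above can be scripted and checked instead of typed interactively. The following shell script is an added example, not code from the original post or from CloudFlare: it generates the key and wildcard CSR without prompts, then provides the checks a practitioner wants after pasting the Origin Certificate and wiring it into the VirtualHost (CSR and certificate really belong to the private key, the key file is not world-readable, the certificate is not about to expire, and the config points at readable files). It assumes OpenSSL is installed; the domain, paths and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSL is installed.
set -e

# Step 1: private key + wildcard CSR without the interactive prompts.
# $1 = domain, $2 = private key path, $3 = CSR path
generate_key_and_csr() {
    # -nodes: no passphrase, so Apache can load the key unattended at start-up;
    # that is exactly why the key file's permissions matter (see check_key_perms).
    openssl req -nodes -newkey rsa:2048 -keyout "$2" -out "$3" \
        -subj "/CN=*.$1" 2>/dev/null
    chmod 600 "$2"
}

# Common Name of a CSR, e.g. "*.example.com" (handles old and new subject formats).
csr_common_name() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Public keys as PEM text; comparing them is the standard way to prove that a
# CSR or a certificate belongs to a given private key.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

csr_matches_key()  { [ "$(pubkey_of_csr  "$1")" = "$(pubkey_of_key "$2")" ]; }
cert_matches_key() { [ "$(pubkey_of_cert "$1")" = "$(pubkey_of_key "$2")" ]; }

# Succeeds if certificate $1 is still valid $2 days from now. Run it from cron
# to get a warning well before even a 15-year certificate finally expires.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# The private key must be readable only by its owner (mode 600 or 400).
check_key_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Step 3: read the certificate/key paths out of a VirtualHost file ($1) and
# check that SSLEngine is on, both files are readable, the key is protected
# and the pair matches. Prints the first problem found and returns 1,
# or prints "ok" and returns 0.
check_ssl_vhost() {
    conf=$1
    grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf" \
        || { echo "SSLEngine is not on"; return 1; }
    cert=$(sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]]*//p' "$conf" | head -n 1)
    key=$(sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]]*//p' "$conf" | head -n 1)
    [ -r "$cert" ] || { echo "certificate file not readable: $cert"; return 1; }
    [ -r "$key" ]  || { echo "key file not readable: $key"; return 1; }
    check_key_perms "$key" \
        || { echo "key is readable by group/others: $key"; return 1; }
    cert_matches_key "$cert" "$key" \
        || { echo "certificate does not match key"; return 1; }
    echo "ok"
}

# Usage on the server (paths match the post):
#   generate_key_and_csr example.com /etc/ssl/private/example.com.key /tmp/example.com.csr
#   ... paste the dashboard output into /etc/ssl/certs/example.com.pem ...
#   check_ssl_vhost /etc/apache2/sites-enabled/example.com.conf
#   cert_valid_for_days /etc/ssl/certs/example.com.pem 30 || echo "renew soon"
```

The public-key comparison in cert_matches_key is the check that catches the most common mistake with this workflow: pasting a certificate that was issued for a different CSR, which Apache only reports at restart time with a cryptic key-mismatch error.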