Configure & Install a Premium SSL Certificate

This article shows how to generate, configure and install a DigiCert Premium SSL DV Certificate on an ArkHost VPS (Debian 10 with Apache2).
The SSL Certificate in the example shown below is generated for arkhost.org.
 
Prerequisites:
  • A valid A record
  • A valid email address for approval (it must be within the domain)
 
You must have a valid "CSR" (Certificate Signing Request) to configure your SSL Certificate. The CSR is an encrypted piece of text generated by the webserver where the SSL Certificate will be installed. If you do not already have a CSR, you must generate one or ask your web hosting provider to generate one for you.
 
First, let's connect to our Cloud Server over SSH (as shown in this article) as it will be easier to copy-paste the information provided and edit where needed.

Generate the CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout arkhost.key -out arkhost.csr

Enter the requested information:
  • Common Name: The fully-qualified domain name, or URL, you're securing.
  • If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example, *.coolexample.com.
  • Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name.
  • Organization Unit: If applicable, enter the DBA (doing business as) name.
  • City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.
  • State or Province: Name of the state or province where your organization is located. Do not abbreviate.
  • Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
 
An arkhost.csr file will be generated. Open the file for reading and copy its content so you can paste it into the CSR field in the Certificate Configuration window of the ArkHost client area.

less arkhost.csr

Copy all the content between BEGIN & END where "..." is the content.

-----BEGIN CERTIFICATE REQUEST-----

...

-----END CERTIFICATE REQUEST-----
 

Assuming you have ordered a DigiCert PremiumSSL Certificate on ArkHost, log in to the client area.

The configuration status is Awaiting Configuration. Click on Configure Now.

 


Step 1:

Select Apache + ModSSL (in our case) or any other configuration that suits your setup.
 
In the CSR field, paste the content we copied from the arkhost.csr.
Scroll down, review the Administrative Contact Information and click the "Click to Continue >>" button.
 

Step 2:
 
Select the approval email address. Because this is a Domain Validation (DV) certificate, this email address can only belong to the owner of the domain itself.

Click on Continue


Step 3:
 
You will receive a Configuration Complete notification on the screen and also receive an email for approval.
 
Follow the "View the details and complete the request here (link is valid for 30 days)" link and click the Approve button.

 


You can verify this on the Certificate's Product Details page.
 

At this point, you will receive an email from DigiCert with a .pem file attached to it.
We cannot use this file format, however. Instead, use the Guest access link from the email and log in with the email address and the order number/certificate FQDN.
 
When logged in to the DigiCert Guest access portal, you can easily download the .crt files to configure into your website's Apache configuration.
 


Assuming you've uploaded the 2 .crt files from the .zip archive to the /etc/ssl/arkhost.org/ directory on your Cloud server, we can start editing or adding the <VirtualHost *:443> directive so that it correctly points to our SSL Certificate and key file (the key was generated when we created the CSR at the very beginning of this article), as shown below.
 
<VirtualHost *:443>

DocumentRoot /var/www/arkhost.org

SSLEngine on

SSLCertificateFile /etc/ssl/arkhost.org/arkhost_org.crt

SSLCertificateKeyFile /etc/ssl/arkhost.org/arkhost.key

SSLCertificateChainFile /etc/ssl/arkhost.org/arkhost_org.DigiCertCA.crt

</VirtualHost>
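
Before Apache is restarted with these files, it is worth confirming that the issued certificate pairs with the private key and the CSR that were generated at the start. The script below is an added example, not part of the original article; the function names and the throwaway example.test sample files are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: pre-install checks for the key, CSR and certificate files.

# Print a SHA-256 fingerprint of the public key inside a key, CSR or certificate.
pubkey_fp() {  # $1 = key|csr|crt, $2 = file
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable or wrong file type
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 only if all three files share one public key and the private key
# is not accessible to group or other (it was created with -nodes, so file
# permissions are its only protection).
check_install_set() {  # $1 = key, $2 = csr, $3 = crt
    k=$(pubkey_fp key "$1") || { echo "cannot read key $1"; return 1; }
    r=$(pubkey_fp csr "$2") || { echo "cannot read CSR $2"; return 1; }
    c=$(pubkey_fp crt "$3") || { echo "cannot read certificate $3"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not made from this key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "key is accessible to group/other; chmod 600 $1"; return 1; }
    echo "ok: key, CSR and certificate match"
}

# Constructed sample: throwaway key, CSR and self-signed certificate for
# example.test, standing in for arkhost.key, arkhost.csr and arkhost_org.crt.
make_sample() {  # $1 = directory, $2 = base name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
        -out "$1/$2.crt" 2>/dev/null &&
    chmod 600 "$1/$2.key"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir" sample && check_install_set "$demo_dir/sample.key" "$demo_dir/sample.csr" "$demo_dir/sample.crt"
rm -rf "$demo_dir"
```

On the server, the same check would be run as check_install_set with the paths to arkhost.key, arkhost.csr and arkhost_org.crt.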

In our case, certificates were handled by Certbot (Let's Encrypt), which was installed with snap. To remove it:
snap remove certbot
 
Also remove the cron job that automatically handles certificate renewal by commenting out its line, adding a '#' in front of it.
 
# m h dom mon dow command

#43 6 * * * certbot renew --post-hook "systemctl reload apache2"
 
Run the following command to test your configuration file (on some systems, it's apache2ctl):
apachectl configtest
 

Restart Apache:

You can use apachectl commands to stop and start Apache with SSL support.
apachectl stop

apachectl start

Testing Your SSL/TLS Certificate Installation

Browser Test
  1. For best results, make sure to close your web browser first and then re-launch it.
  2. Visit your site with the secure HTTPS URL (i.e., go to https://www.example.com, not http://www.example.com).
  3. Be sure to test your site with more than just Internet Explorer. IE downloads missing intermediate certificates, whereas other browsers give an error if the certificates in the certificate chain aren't all installed properly.
 
If you need to disable SSL version 2 compatibility to meet PCI Compliance requirements, add the following directive to your Apache configuration file:
 
SSLCipherSuite HIGH:+MEDIUM:!SSLv2:!EXP:!ADH:!aNULL:!eNULL:!NULL
If the directive already exists, you may need to modify it to disable SSL version 2.
 