[Linux] SSL Certificates, Private Keys and CSRs with OpenSSL

OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols.

Generate a Private Key and a CSR
This begins the process of generating two files: the Private-Key file for the decryption of your SSL Certificate, and a certificate signing request (CSR) file (used to apply for your SSL Certificate).
# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Generating SSL Certificates
If we would like to use an SSL certificate to secure a service but we do not require a CA-signed certificate, a valid (and free) solution is to sign your own certificates. We can Generate a Self-Signed Certificate from an Existing Private Key that we create before. This command creates a self-signed certificate (server.crt) from an existing private key (server.key).

# openssl req -key server.key -new -x509 -days 1095 -out server.crt

The -x509 option tells req to create a self-signed cerificate. The -days 1095 option specifies that the certificate will be valid for 1095 days (3 Years). A temporary CSR is generated to gather information to associate with the certificate.

[Apache] Redirect HTTP To HTTPS

If we want to redirect our web site to always be sent over SSL (HTTP TO HTTPS). We can do this :

1. Using Virtual Host
Just add this into apache config

<VirtualHost *:80>
    ServerName example.com
    Redirect / https://example.com/

<VirtualHost _default_:443>
   ServerName secure.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
# etc...

2. Using .htaccess

Redirect permanent /login https://mysite.example.com/login

3. Using mod_rewrite
This config can be used on .htaccess or httpd.conf

RewriteEngine On
# This will enable the Rewrite capabilities

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.