Thought it could be helpful to document my process for installing an SSL certificate for a subdomain (not wildcard) on a LAMP stack (which happens to be an EC2 instance on AWS). Worth noting: this setup does not go through a load balancer or firewall, where further considerations may be required. The following is my flow.
The first step was to create the CSR file that is used in the purchasing of the certificate. I used the OpenSSL CSR Creation tool, which acts like a wizard for creating a "Certificate Signing Request" file.
This wizard basically gives you a shell command you need to execute; something like:
openssl req -new -newkey rsa:2048 -nodes -out subdomain_domain_com.csr -keyout subdomain_domain_com.key -subj "/C=US/ST=Texas/L=Las Colinas/O=Initech/OU=HR/CN=subdomain.domain.com"
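Executing that will create two files: subdomain_domain_com.csr and subdomain_domain_com.key. The CSR file is used to purchase the certificate in the following step; the KEY file is the private key that secures your server. Because -nodes writes the key unencrypted, keep it on the server, restrict its file permissions, and never send it to the certificate provider.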
The flow is going to be different for everyone depending on how you purchase the certificate, but you will provide the CSR file you created in the previous step.
Your provider will respond with a CRT file of their own, which contains the signed certificate as a block of text. You will use this in your Apache configuration.
Depending on your provider, you may also be asked to install a Chain Certificate file. This is just an extra declaration in your virtual host (discussed below), so it's not more complicated really.
You now have 2 files (or 3 if you were given a chain certificate as well) with strings in them. To set up your virtual host, use the following as an example:
<VirtualHost *:443>
    ServerName subdomain.domain.com
    DocumentRoot /var/www/project/webroot
    SSLEngine on
    SSLCertificateKeyFile /etc/apache2/keys/subdomain_domain_com.key
    SSLCertificateFile /etc/apache2/crts/subdomain_domain_com.crt
    SSLCertificateChainFile /etc/apache2/crts/chain.crt
</VirtualHost>
Worth noting here is that the original CSR file that was created via the openssl command isn't required. It was only needed when purchasing the certificate originally. The subdomain_domain_com.crt file being referenced above is the file that the certificate authority provided.
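A pre-flight check for the files referenced in the virtual host above, as an added example that is not part of the original post: it confirms the certificate was issued for the private key and that the unencrypted key written by -nodes is not readable by group or others. The function names and the throwaway self-signed pair used as sample input are assumptions made for the illustration.

```bash
# Added example: checks to run before reloading Apache with the new files.

# PEM public key derived from a private key file (non-zero status on failure).
pub_from_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# PEM public key embedded in the certificate the provider returned.
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Status 0: certificate was issued for this key. 1: mismatch. 2: unreadable input.
pair_matches() {
    _k=$(pub_from_key "$1") || return 2
    _c=$(pub_from_cert "$2") || return 2
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# Status 0 only when the key exists and neither group nor others can read it.
# -nodes wrote it unencrypted, so file permissions are its only protection.
key_is_private() {
    [ -f "$1" ] &&
        [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Constructed sample input: a throwaway key plus a self-signed certificate
# standing in for the one a provider would issue.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=subdomain.domain.com" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir/a"
make_demo_pair "$demo_dir/b"
chmod 600 "$demo_dir/a.key"
pair_matches "$demo_dir/a.key" "$demo_dir/a.crt" && echo "a.key + a.crt: match"
pair_matches "$demo_dir/b.key" "$demo_dir/a.crt" || echo "b.key + a.crt: mismatch"
key_is_private "$demo_dir/a.key" && echo "a.key: not readable by group/others"
rm -rf "$demo_dir"
```

Against real files, call pair_matches with the paths given to SSLCertificateKeyFile and SSLCertificateFile, and key_is_private with the key path.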
Also, originally I had the virtual host operating on port 80, which led to the error message:
Invalid method in request x16x03
Switching this to 443 resolved the issue. As I understand it, that error arises (naturally) when the browser is attempting to speak securely with a server, but the server is responding unsecured. Makes sense.
The article How is the L1C Chain Certificate installed in Apache (OpenSSL) helped tremendously as a starting point. I'll follow up with more details if something else comes to light, but it was a nice learning experience seeing as it's the first time I've installed an SSL certificate.