Let's Encrypt provides free and easy SSL certificates for the almost-masses. Through a few simple commands, you'll have free domain-validated SSL certificates.
Let's Encrypt also offers free wildcard SSL certificates, if you have a supported DNS provider. Sadly I don't, yet. (GratisDNS)
This approach assumes you already have a web server with root or admin access. If you don't have a web server already, feel free to take a look at the server and web server setup guides.
Go to: https://certbot.eff.org and select your software and server. Follow the customized installation guide.
You're now ready to start creating certificates.
Run this command to create your first certificate:
sudo certbot --apache certonly
This will ask you which domain to include in the certificate. It will then generate and install the certificate on your server. When the process ends, certbot will tell you the exact location of your new certificate. You'll need this to enable the certificate in Apache.
Note: the certificate expires after 90 days - remember to set up automatic renewal. It's easy.
Enable certificates in Apache
If you created your new certificate successfully, you now have all the certificate files on your server, but you need to tell Apache to use these certificates when your sites are visited.
This is done in the VirtualHost configuration for each site. If you already had an SSL certificate on your server, you just need to update two lines in your configuration:
If you did not have an SSL certificate, you'll need to enable SSL for the individual VirtualHosts as well. You can do that by adding these lines:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/#your-cert-path#/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/#your-cert-path#/privkey.pem
SSLProtocol all -SSLv2 -SSLv3
Header always add Strict-Transport-Security "max-age=15768000"
Now restart Apache and you're ready to go https.
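A small check for the VirtualHost directives above, added here as an example and not part of the original guide or of certbot. It verifies that the certificate and key come from the same /etc/letsencrypt/live/ directory, and flags TLS 1.0 and 1.1 (deprecated by RFC 8996), which "all -SSLv2 -SSLv3" leaves enabled. The function names and the certificate name "example.com" are assumptions made for the example.

```python
import re

LIVE = re.compile(r"^/etc/letsencrypt/live/([^/]+)/(fullchain|privkey)\.pem$")
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}

# The page's directives; "example.com" is a constructed certificate name.
PAGE_CONF = """\
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLProtocol all -SSLv2 -SSLv3
Header always add Strict-Transport-Security "max-age=15768000"
"""

def enabled_protocols(value):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in value.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = ALL if name == "all" else {name} & ALL
        enabled = enabled - names if sign == "-" else (enabled | names if sign else set(names))
    return enabled

def audit_vhost(conf_text):
    """Return a list of findings for the directives of one VirtualHost."""
    d = {}
    for line in map(str.strip, conf_text.splitlines()):
        if line and not line.startswith(("#", "<")):  # skip comments and section tags
            name, *rest = line.split(None, 1)
            d.setdefault(name.lower(), []).append(rest[0] if rest else "")
    last = lambda k: (d.get(k) or [""])[-1]  # last occurrence of a directive
    findings = []
    if last("sslengine").lower() != "on":
        findings.append("SSLEngine is not on")
    cert, key = LIVE.match(last("sslcertificatefile")), LIVE.match(last("sslcertificatekeyfile"))
    if not cert or cert.group(2) != "fullchain":
        findings.append("SSLCertificateFile is not live/<name>/fullchain.pem")
    if not key or key.group(2) != "privkey":
        findings.append("SSLCertificateKeyFile is not live/<name>/privkey.pem")
    if cert and key and cert.group(1) != key.group(1):
        findings.append("certificate and key are from different live/ directories")
    # A missing SSLProtocol line is not evaluated; only an explicit one is checked.
    for old in sorted(enabled_protocols(last("sslprotocol")) & {"sslv3", "tlsv1", "tlsv1.1"}):
        findings.append(f"SSLProtocol leaves {old} enabled")
    hsts = [a for a in d.get("header", []) if "strict-transport-security" in a.lower()]
    if not any(re.search(r"max-age=[1-9]\d*", a) for a in hsts):
        findings.append("no Strict-Transport-Security header with a positive max-age")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_vhost(PAGE_CONF)) or "no findings")
```

Replacing the protocol line with "SSLProtocol -all +TLSv1.2 +TLSv1.3" clears both findings reported for the page's configuration.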
To delete a certificate:
sudo certbot delete
This will give you the option to choose which certificate to delete.
To renew certificates:
First test your setup by running this test command:
sudo certbot renew --dry-run
If it succeeds then you can add the automatic renewal command to your root crontab:
certbot -q renew
Certificates are only renewed if they are less than 30 days from expiry, so I recommend you run the cronjob once a week. For example, to run the cronjob every Monday at 3AM:
0 3 * * 1 certbot -q renew