After launching a shop and receiving your first orders, you might start thinking about making it more secure. One of the key challenges for store owners is protecting their customer data, and the best way to do so is to encrypt sensitive data when it is sent to the server so that nobody can intercept it. If you want to defend your customer data from hackers, SSL is definitely a must (SSL = HTTPS instead of HTTP). In this post I’ll show you 2 things:
- How to install a certificate on an Apache server;
- Which settings you need to change in the back office of your Magento site so the SSL certificate is applied to all pages of your web shop.
Installing SSL certificate on Apache server
First off, you need an SSL certificate. Just forget about self-signed certificates and all the free stuff around SSL. The trusted, working SSL certificates are NOT free. It’s very likely that your hosting provider or domain registrar offers SSL certificates at a good price, and they often provide free installation as well. Before making any changes related to SSL, contact your developer and your hoster. However, if you don’t have a developer and your hosting provider doesn’t offer SSL and a free installation service, read on.
Installing OpenSSL
The first prerequisite is to have OpenSSL on your server. To install it, download the latest version from here (this is the official OpenSSL website, not something we promote). Upload the archive to your server and run the following command:
tar -xzvf openssl-1.0.0g.tar.gz
Then install it using the following commands:
cd openssl-1.0.0g
sh config -fPIC
make
make install
Or just ask your hosting provider; it’s something they can usually install for free.
Installing Apache mod_ssl
If you are on an Apache server, mod_ssl must be installed. If it’s already installed, skip directly to the next step. Otherwise, download it from the official website. Find the version which is compatible with your Apache version. Upload the archive to your server and decompress it with the following command:
tar -xzvf mod_ssl-2.8.31-1.3.41.tar.gz
Then install mod_ssl using the following commands:
cd mod_ssl-2.8.31-1.3.41
./configure --with-apache=../apache_1.3.14
and your server is ready!
Generating Certificate Signing Request (CSR)
Before purchasing a certificate, you need to generate a Certificate Signing Request. After OpenSSL and mod_ssl are installed on Apache, go to the conf/ssl.key directory inside the Apache installation directory. In our example, Apache was installed in /usr/local/apache.
cd /usr/local/apache/conf/ssl.key
Generate an RSA key with the following command (enter your domain name instead of mydomainname):
openssl genrsa -des3 -out mydomainname.key 2048
The server will ask for a passphrase. Try not to lose it: save it somewhere you can find it in the future. Finally, generate the CSR (again, make sure you write your actual domain name instead of mydomainname):
openssl req -new -key mydomainname.key -out mydomainname.csr
You will be asked for the passphrase you entered for the RSA key. Then you need to enter the necessary details about your server:
- Country: your country code (DK for Denmark)
- State or province: your state or province name
- City or locality: your city / town / village name
- Organization name: your company name
- Organizational unit name: Ecommerce or Finance department, for example
- Common name: your domain name, mydomainname.com
Leave the rest of the fields empty (email, challenge password, optional company name, etc.). You can check whether your CSR was generated correctly by running the command:
openssl req -noout -text -in mydomainname.csr
Open your CSR with a text editor. When you order the certificate, you will need to paste the whole text, including the BEGIN and END lines, into the certificate provider’s form.
Installing the certificate
After a series of checks (the owner of the domain’s contact email address receives a verification email from the SSL certificate provider, and possibly a couple of other checks) you’ll get the SSL certificate. Once you receive it, save it under the name:
certificate.crt
Please make sure that you copied all lines from BEGIN to END, including the 5 dashes on each side and without extra spaces. Do the same with the intermediate certificate: name it intermediate.crt and use all lines from BEGIN to END. Upload both files to your server. Now open the httpd.conf file:
nano /usr/local/apache/conf/httpd.conf
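Before pointing httpd.conf at these files, it is worth checking that they actually belong together. The script below is an added example, not part of the original post: it assumes the file names used above (mydomainname.key, mydomainname.csr, certificate.crt, intermediate.crt) and the openssl binary installed earlier.

```shell
#!/bin/sh
# Sanity checks for the certificate files before pointing httpd.conf at them.
# Assumed file names (from the tutorial): mydomainname.key, mydomainname.csr,
# certificate.crt, intermediate.crt. openssl prompts for the key passphrase
# itself when the key is encrypted.

# Print the md5 of the RSA modulus found in a key, CSR or certificate.
# $1 = key|csr|crt, $2 = file path. Fails instead of hashing an empty modulus.
modulus_md5() {
  case "$1" in
    key) m=$(openssl rsa  -noout -modulus -in "$2") ;;
    csr) m=$(openssl req  -noout -modulus -in "$2") ;;
    crt) m=$(openssl x509 -noout -modulus -in "$2") ;;
    *)   echo "usage: modulus_md5 key|csr|crt FILE" >&2; return 2 ;;
  esac
  [ -n "$m" ] || return 1
  printf '%s\n' "$m" | openssl md5 | awk '{print $NF}'
}

# Return 0 only if key, CSR and certificate share one modulus, i.e. the CA
# really signed the CSR that was generated from this key.
check_key_matches() {
  k=$(modulus_md5 key "$1") || return 1
  r=$(modulus_md5 csr "$2") || return 1
  c=$(modulus_md5 crt "$3") || return 1
  if [ "$k" = "$r" ] && [ "$k" = "$c" ]; then return 0; fi
  echo "modulus mismatch: key=$k csr=$r crt=$c" >&2
  return 1
}

# Return 0 if the certificate ($1) was issued by the intermediate ($2).
# -partial_chain makes the intermediate the trust anchor, so the check does
# not depend on the system root store (a self-signed cert can be its own $2).
check_chain() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Show subject and validity so the Common Name and dates can be confirmed.
cert_summary() {
  openssl x509 -noout -subject -dates -in "$1"
}

# After the Apache restart: fetch what the server actually presents on 443
# and print its subject and issuer (needs network access to the shop).
live_cert_summary() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer
}
```

Run check_key_matches mydomainname.key mydomainname.csr certificate.crt and check_chain certificate.crt intermediate.crt before restarting Apache: a key mismatch is the usual reason Apache refuses to start after this step, and a failed chain check is the usual reason browsers still warn.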
Find the existing VirtualHost (the one on port 80), duplicate it and fill the copy in with the information about your SSL certificate. It should look like this:
<VirtualHost IP_Address:443>
    ...
    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/ssl.key/crt/certificate.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/mydomainname.key
    SSLCertificateChainFile /usr/local/apache/conf/ssl.key/crt/intermediate.crt
</VirtualHost>
Don’t forget to change the port to 443 (the default port for SSL). If the SSLCertificateChainFile directive doesn’t work, try SSLCACertificateFile instead. Restart Apache to complete the operation:
/etc/init.d/apache restart
Configuring SSL in Magento
You can now check that your website is accessible via https URLs instead of http URLs. If you have configured everything correctly and there are no problems with the certificate, the browser should not display any warnings and should show a small green padlock icon. For example:
If it’s not displayed this way, just give up and ask a developer or your hoster to perform this task. If it is displayed correctly, read on.
Navigate to your Magento admin panel and open:
System => Configuration => General => Web => Secure
and make sure your base URL starts with https:// and not http://, then activate the option to use secure URLs (for My Account and for placing orders). Finally, refresh the cache and check that all your website pages are secured. Note that you often have content with hard-coded URLs that you entered while the website was still running under http; make sure you change them all to https.
Nice tutorial!