Configuring Apache to use SSL: Difference between revisions

Transport Layer Security (TLS) and formerly Secure Sockets Layer (SSL) are both often referred to as SSL and allow encrypted communications over computer networks. It is important to use encryption when sending any sensitive  information, such as passwords, over the internet. However, even if not sending sensitive information encrypting the data sent from the web server to the client will prevent third parties from intercepting the data and modifying it before it continues on to the client. In almost all situations it is a good idea to use SSL certificates to encrypt data transmitted to and from a web server over the Internet.

There are two main ways to create a certificate, a certificate signed by a third party signing authority and a self-signed certificate. In most cases you will want a certificate signed by a third party, especially now since it is very easy to do using let's encrypt, as described below. However, there maybe some cases, such as testing, where you may still want to create a self-signed certificate instead. With this method, data sent to and from your web-server will be encrypted, however, there is no third party involved vouching for the validity of your web server. For this reason, visitors to your site will still get a warning about the security of your site. If you have a public facing site you probably do not want to use a self-signed certificate.

Once you have your certificate and web server configured, it is a good idea to check the security settings using ssllabs' [https://www.ssllabs.com/ssltest/ ssltest tool] which can suggest changes to your configuration to improvement security.