Getting an A+ on the Qualys SSL for free

Following step are tested with Ubuntu 14.04.2 LTS with apache 2.4.7, but it should be same in other distro.

1. Getting free certificate

Go to, register and get a free cert easy with simple steps. Please note that you should requests SHA256 for certificate.  After download key and cert from startssl, you should download immediate cert from and use as chain key.

2. Enable SSL configuration as follow

Let’s open ssh and login to your server, please make sure that your server has apache, openssl with security patch up to date and enable ssl configuration at port 443.

# Disable support for SSLv2 and SSLv3 and allow only TLS
SSLProtocol             all -SSLv2 -SSLv3

# Enable cipher suite below.

# Explicitly allow/disallow specific ciphers in the given order
SSLHonorCipherOrder     on

3. Deploying Diffie-Hellman for TLS

Install new dhparam (2048+), it requires ~ 10 minutes to generate new dhparam file. After complete, open dhparames.pem, copy the content and paste to the end of your certificate file.

$ openssl dhparam -out dhparams.pem 2048

Please note that if your apache is 2.4.8 or newer, you can specify your DHparams file in ssl.conf as follows:

SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

4. Enable SSL and config your virtual host as follows:

<VirtualHost *:443>
# Your setting here
# ....

#   Enable/Disable SSL for this virtual host.
SSLEngine on

# Add path to Cert / Key / Chain File
# RSA 2048 bits SSL certificate
# signature algorithm SHA256withRSA
SSLCertificateFile /home/ubuntu/certest/yourcertificate.crt
SSLCertificateKeyFile /home/ubuntu/certest/yourkey.key
SSLCertificateChainFile /home/ubuntu/certest/

# Strict transport security with long duration
# Guarantee HTTPS for 6 months including sub domains
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"


5. Restart Apache2 to apply your changes

$ sudo service apache2 restart

6. Time for testing

Check certificate result from:

Getting result on