This document describes how to enable an SSL certificate on the Apache web server to encrypt a site’s information and create a more secure connection. Additionally, the certificate can show the virtual private server’s identification information to site visitors. Certificate Authorities can issue SSL certificates that verify the virtual server’s details, while a self-signed certificate has no third-party corroboration.
Install Mod SSL
First, make sure that Apache mod_ssl is installed:
Install SSL module |
|
Load SSL module in Apache |
|
Copy your SSL certificate to your server
First copy your Certificate files to your server, for example to the following locations:
Create a new directory where the server key and certificate will be stored | mkdir /etc/httpd/ssl |
Certificate | /etc/httpd/ssl/exampledomain.com.crt |
Certificate Key | /etc/httpd/ssl/exampledomain.com.key |
CA Certificate | /etc/httpd/ssl/bundle.crt |
Creating the self-signed SSL certificate
Run the command below:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
This command prompts for a list of fields that need to be filled in. The most important one is “Common Name”. Enter your official domain name here.
Remove default Apache virtual host
By default mod_ssl sets up a virtual host that we don’t need.
Edit /etc/httpd/conf.d/ssl.conf and remove the virtual host definition from
“<VirtualHost _default_:443>” to “</VirtualHost>”.
Enable SSL
Set up your virtual hosts to present the new certificate. Add the directives from the template below to your SSL configuration (for example /etc/httpd/conf.d/vhosts.conf) to enable SSL on your site:
Here’s a template for the virtual host definition:
<VirtualHost *:443>
    DocumentRoot /var/www/vhosts/exampledomain.com/httpdocs
    ServerName exampledomain.com
    ServerAlias www.exampledomain.com
    ErrorLog logs/exampledomain.com-ssl-error_log
    CustomLog logs/exampledomain.com-ssl-access_log common
    <Directory /var/www/vhosts/exampledomain.com/httpdocs>
        AllowOverride All
    </Directory>
    SSLEngine on
    # SSLv3 and TLSv1 are deprecated; allow TLSv1.2 only (needs OpenSSL 1.0.1 or later)
    SSLProtocol -all +TLSv1.2
    # Strong ciphers only: no anonymous, MD5, RC4 or 3DES suites
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    # Point these at the locations the certificate files were copied to
    SSLCertificateFile /etc/pki/tls/certs/exampledomain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/exampledomain.com.key
    SSLCACertificateFile /etc/pki/tls/certs/gd_bundle.crt
    <Location />
        SSLRequireSSL
    </Location>
</VirtualHost>
The SSLEngine On directive turns SSL on.
Restart Apache to reload your changes.
Troubleshooting
- If you get a message like this on httpd restart “[warn] _default_ VirtualHost overlap on port 443, the first has precedence” then you’ve not removed the default virtual host created by mod_ssl.
- You may need to adjust the iptables configuration to allow traffic to TCP port 443.
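A pre-restart check for the virtual host file described above, as an added example that is not part of the original guide: it flags a leftover _default_:443 virtual host (the cause of the overlap warning), a port-443 virtual host without SSLEngine on or without certificate and key directives, and SSLProtocol lines that enable deprecated protocol versions. The function names and the sample configuration are constructed for illustration, and the expansion of "all" is an assumption about older httpd builds.

```python
SAMPLE_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
<VirtualHost *:443>
ServerName exampledomain.com
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCertificateFile /etc/httpd/ssl/exampledomain.com.crt
</VirtualHost>
"""  # constructed sample: mod_ssl's default vhost left in place beside a site vhost
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}  # assumption: what "all" expands to on an older build
WEAK = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}   # deprecated protocol versions
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")  # assumes the key is kept in its own file

def parse_vhosts(text):  # -> [(address, {directive: args})], one entry per <VirtualHost> block
    vhosts, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("<virtualhost"):
            current = (line[len("<virtualhost"):].rstrip(">").strip(), {})
        elif line.lower().startswith("</virtualhost") and current:
            vhosts.append(current)
            current = None
        elif current and line and line[0] not in "<#":  # skip nested section tags and comments
            name, *rest = line.split(None, 1)
            current[1][name.lower()] = rest[0] if rest else ""
    return vhosts

def enabled_protocols(value):  # apply the SSLProtocol tokens left to right
    active = set()
    for token in value.lower().split():
        names = ALL if token.lstrip("+-") == "all" else {token.lstrip("+-")}
        active = active - names if token.startswith("-") else active | names
    return active

def audit(text):  # -> list of findings for the port-443 virtual hosts in text
    vhosts = [v for v in parse_vhosts(text) if v[0].endswith(":443")]
    overlap = len(vhosts) > 1 and any(addr.startswith("_default_") for addr, _ in vhosts)
    findings = ["_default_:443 still defined: expect the overlap warning"] if overlap else []
    for addr, conf in vhosts:
        name = conf.get("servername", addr)
        if conf.get("sslengine", "").lower() != "on":
            findings.append(f"{name}: SSLEngine is not on")
        findings += [f"{name}: {key} missing" for key in REQUIRED if key.lower() not in conf]
        weak = sorted(enabled_protocols(conf.get("sslprotocol", "")) & WEAK)
        findings += [f"{name}: weak protocol enabled: {proto}" for proto in weak]
    return findings
```

To check a real file, pass its contents to audit(), for example the concatenated text of /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/vhosts.conf; an empty list means none of these checks fired.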