Configure SSL Certificate for Apache on CentOS/RHEL 6/7

Configuration Prerequisites

Keypair

You will need a keypair obtained from a trusted certificate authority such as Let’s Encrypt, or your own self-signed certificate. You should have the following files.

  • Private Key: yourdomain.com.key
  • Public Certificate: yourdomain.com.[crt or pem]
  • Intermediate Certificate (optional): YourAuthorityCA.crt

Depending on where you obtain your certificate the Intermediate may or may not be required. Usually when you purchase a certificate the signing authority will provide this. For example, Let’s Encrypt provides their intermediate certificates here.

Apache Mod SSL

You may already have this installed but you can run the following command to check.

$ sudo httpd -M | grep ssl
 ssl_module (shared)

If the above command returns no output you can install the module with yum.

$ sudo yum install -y mod_ssl

Apache Configuration

The default ssl configuration can be found at:

/etc/httpd/conf.d/ssl.conf

However, I recommend disabling this configuration file and using a simpler configuration. You can disable the default ssl.conf just by renaming it.

$ sudo mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.disabled

You can find out where your virtual hosts are configured by running the following.

$ httpd -S
VirtualHost configuration:
*:80                 is a NameVirtualHost
*:443               is a NameVirtualHost
         default server linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:2)
         port 80 namevhost linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:2)
                 alias www.linuxbucket.com
         port 443 namevhost linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:12)
                 alias www.linuxbucket.com

The following is an example of a vhost configuration that has both HTTP and HTTPS configurations. The domain-specific values (ServerName, ServerAlias, DocumentRoot, the Directory path and the certificate paths) need to be customized to match your domain.

$ cat /etc/httpd/conf.d/linuxbucket.conf
<VirtualHost *:80>
  ServerName linuxbucket.com
  ServerAlias www.linuxbucket.com
  DocumentRoot /var/www/linuxbucket.com/html

<Directory /var/www/linuxbucket.com/html>
  AllowOverride All
</Directory>
</VirtualHost>

# Needed here because the default ssl.conf (which normally carries this line) is disabled
Listen 443 https

<VirtualHost *:443>
  ServerName linuxbucket.com
  ServerAlias www.linuxbucket.com
  DocumentRoot /var/www/linuxbucket.com/html

  SSLEngine on
  SSLCertificateFile /etc/ssl/linuxbucket/public.crt
  SSLCertificateKeyFile /etc/ssl/linuxbucket/private.key
  # Uncomment if your CA issued an intermediate certificate
  # SSLCertificateChainFile /etc/ssl/linuxbucket/intermediate.crt
  SSLCipherSuite HIGH:!aNULL:!MD5
  SSLProtocol -ALL +TLSv1.2

<Directory /var/www/linuxbucket.com/html>
  AllowOverride All
</Directory>
</VirtualHost>

The important configuration to include from the above example is the <VirtualHost *:443> section. This also assumes you’ve placed the .crt and .key files in the location specified in the configuration. You can change the file locations to whatever you want, but in general you’ll want to place them somewhere under /etc/pki or /etc/ssl, with the private key readable only by root.

The SSLCertificateChainFile parameter is commented out above but if the provider of your SSL certificate provided you with an intermediate certificate, this is where it is configured. You can check to make sure the chain looks good using SSL Shopper’s tool.

Apache documentation has some good information on SSLCipherSuite configurations. If security is a priority you may want to force strong encryption for all traffic. Otherwise reference the Apache documentation for some examples of conditional CipherSuite configurations. There are articles that can be found on Google that can help with better understanding the options here.

SSL Labs also has a great tool that can help you see how your security posture stacks up.

Restart Apache

After all the configurations are in place you can run a syntax check.

$ httpd -t
Syntax OK

And then restart Apache if the test is successful.

#RHEL 6
$ sudo service httpd restart

#RHEL 7
$ sudo systemctl restart httpd.service
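httpd -t only checks directive syntax; it does not tell you whether the key belongs to the certificate, whether the certificate is expired, or whether the intermediate you put in SSLCertificateChainFile actually issued it. The following pre-flight script is an added example, not part of the original post, that checks those three things with openssl before you restart Apache. File names are placeholders; it assumes PEM files and an openssl binary on the host.

```shell
#!/bin/sh
# Pre-flight checks for the files referenced by SSLCertificateFile,
# SSLCertificateKeyFile and (optionally) SSLCertificateChainFile.
# Usage: ./check_keypair.sh public.crt private.key [intermediate.crt]

# 1. Private key belongs to the certificate: compare the PEM public keys
#    (works for RSA and EC keys, unlike the classic RSA-modulus comparison).
cert_key_match() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 2. Certificate is still valid for at least $2 days (default 30).
cert_valid_for_days() {
  cert="$1"; days="${2:-30}"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# 3. The intermediate issued the leaf: leaf Issuer must equal intermediate
#    Subject. (Full signature verification also needs the root bundle:
#    openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -untrusted inter.crt leaf.crt)
issued_by() {
  cert="$1"; intermediate="$2"
  issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null) || return 1
  subject=$(openssl x509 -in "$intermediate" -noout -subject 2>/dev/null) || return 1
  [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Run all checks; non-zero exit on the first failure so it can gate a restart:
#   ./check_keypair.sh public.crt private.key inter.crt && sudo systemctl restart httpd
check_keypair() {
  cert="$1"; key="$2"; intermediate="$3"
  cert_key_match "$cert" "$key" || { echo "FAIL: $key does not match $cert" >&2; return 1; }
  cert_valid_for_days "$cert" 30 || { echo "FAIL: $cert expires within 30 days" >&2; return 1; }
  if [ -n "$intermediate" ]; then
    issued_by "$cert" "$intermediate" || { echo "FAIL: $intermediate did not issue $cert" >&2; return 1; }
  fi
  echo "OK: keypair and chain look consistent"
}

# Only run when called with arguments (so the functions can also be sourced).
if [ $# -ge 2 ]; then
  check_keypair "$@"
fi
```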

© 2020 linux bucket

All rights reserved