- Private Key: yourdomain.com.key
- Public Certificate: yourdomain.com.crt (or .pem)
- Intermediate Certificate (optional): YourAuthorityCA.crt
Depending on where you obtain your certificate the Intermediate may or may not be required. Usually when you purchase a certificate the signing authority will provide this. For example, Let’s Encrypt provides their intermediate certificates here.
Apache Mod SSL
You may already have this installed but you can run the following command to check.
$ sudo httpd -M | grep ssl
 ssl_module (shared)
If the above command returns no output you can install the module with yum.
$ sudo yum install -y mod_ssl
The default SSL configuration can be found at /etc/httpd/conf.d/ssl.conf.
However, I recommend disabling this configuration file and using a simpler configuration. You can disable the default ssl.conf just by renaming it.
$ sudo mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.disabled
You can figure out where your virtual host files are configured by running the following.
$ httpd -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
*:443                  is a NameVirtualHost
         default server linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:2)
         port 80 namevhost linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:2)
                 alias www.linuxbucket.com
         port 443 namevhost linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:12)
                 alias www.linuxbucket.com
The following is an example of a vhost configuration that has both HTTP and HTTPS configurations. The domain-specific values (ServerName, ServerAlias, DocumentRoot and the certificate paths) need to be customized to match your domain.
$ cat /etc/httpd/conf.d/linuxbucket.conf
<VirtualHost *:80>
    ServerName linuxbucket.com
    ServerAlias www.linuxbucket.com
    DocumentRoot /var/www/linuxbucket.com/html
    <Directory /var/www/linuxbucket.com/html>
        AllowOverride All
    </Directory>
</VirtualHost>

Listen 443 https
<VirtualHost *:443>
    ServerName linuxbucket.com
    ServerAlias www.linuxbucket.com
    DocumentRoot /var/www/linuxbucket.com/html
    SSLEngine on
    SSLCertificateFile /etc/ssl/linuxbucket/public.crt
    SSLCertificateKeyFile /etc/ssl/linuxbucket/private.key
    # SSLCertificateChainFile /etc/ssl/linuxbucket/intermediate.crt
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol -ALL +TLSv1.2
    <Directory /var/www/linuxbucket.com/html>
        AllowOverride All
    </Directory>
</VirtualHost>
The important configuration to include from the above example is the <VirtualHost *:443> section. This also assumes you’ve placed the .crt and .key files in the location specified in the configuration. You can change the file locations to whatever you want, but in general you’ll want to place them somewhere under
The SSLCertificateChainFile parameter is commented out above, but if the provider of your SSL certificate gave you an intermediate certificate, this is where it is configured. You can check to make sure the chain looks good using SSL Shopper’s tool.
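Before running the syntax check it is worth confirming, on the server itself, that the three files the vhost references actually belong together: that private.key matches public.crt, that the ServerName is in the certificate's subjectAltName, and that the chain validates with the intermediate supplied the way SSLCertificateChainFile supplies it. The script below is an added example, not code from the original post; it assumes only the openssl command-line tool is installed. The function names check_tls_files and make_test_pki are this example's own, and the root/intermediate/leaf PKI that make_test_pki builds for linuxbucket.com is constructed in a temporary directory purely to stand in for the files a real CA would issue.

```shell
#!/bin/sh
# Pre-flight check for the files named by SSLCertificateFile,
# SSLCertificateKeyFile and SSLCertificateChainFile (added example; assumes
# the openssl CLI). Usage: check_tls_files CERT KEY SERVERNAME [CHAIN] [CAFILE]
# CAFILE is optional; without it openssl verify uses the system trust store.
check_tls_files() {
  cert=$1; key=$2; host=$3; chain=$4; cafile=$5
  # 1. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert" >&2; return 2
  fi
  # 2. ServerName must appear in subjectAltName; browsers ignore the CN alone.
  if ! openssl x509 -in "$cert" -noout -text | grep -qE "DNS:$host"'(,|$)'; then
    echo "FAIL: $host is not in the subjectAltName of $cert" >&2; return 3
  fi
  # 3. The chain must validate. The intermediate is passed as -untrusted,
  #    which is how a browser receives it from SSLCertificateChainFile.
  #    Grep for ": OK" because OpenSSL 1.0.x (RHEL 6/7) exits 0 even on failure.
  opts=""
  [ -n "$chain" ] && opts="$opts -untrusted $chain"
  [ -n "$cafile" ] && opts="$opts -CAfile $cafile"
  if ! openssl verify $opts "$cert" 2>&1 | grep -q ": OK$"; then
    echo "FAIL: chain for $cert does not verify (missing intermediate?)" >&2; return 4
  fi
  echo "OK: $cert, $key and the chain are consistent for $host"
}

# Constructed test PKI (root -> intermediate -> leaf for linuxbucket.com),
# standing in for what a real CA issues. Prints the temporary directory.
make_test_pki() {
  d=$(mktemp -d)
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:linuxbucket.com,DNS:www.linuxbucket.com
EOF
  for n in ca int leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" 2>/dev/null
  done
  openssl req -x509 -new -config "$d/pki.cnf" -extensions v3_ca -key "$d/ca.key" \
    -subj "/CN=Constructed Root CA" -days 1 -out "$d/ca.crt" 2>/dev/null
  openssl req -new -config "$d/pki.cnf" -key "$d/int.key" \
    -subj "/CN=Constructed Intermediate CA" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/pki.cnf" -extensions v3_ca -days 1 -out "$d/int.crt" 2>/dev/null
  openssl req -new -config "$d/pki.cnf" -key "$d/leaf.key" \
    -subj "/CN=linuxbucket.com" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -extfile "$d/pki.cnf" -extensions v3_leaf -days 1 -out "$d/leaf.crt" 2>/dev/null
  echo "$d"
}
```

Against the vhost above you would call it with the real paths, e.g. check_tls_files /etc/ssl/linuxbucket/public.crt /etc/ssl/linuxbucket/private.key linuxbucket.com /etc/ssl/linuxbucket/intermediate.crt, leaving CAFILE empty so the system trust store is used. Running it with the chain argument empty reproduces the commented-out SSLCertificateChainFile case: the key and name checks pass, but the chain check fails because nothing links the leaf to a trusted root.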
The Apache documentation has some good information on SSLCipherSuite configurations. If security is a priority you may want to force strong encryption for all traffic. Otherwise, reference the Apache documentation for some examples of conditional CipherSuite configurations. There are articles that can be found on Google that can help with better understanding the options here.
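A quick way to understand what a given SSLCipherSuite string turns on is to expand it with the same OpenSSL library mod_ssl links against. The functions below are an added example, not from the original post or the Apache documentation; they assume the openssl command-line tool is installed and the function names are this example's own. Beyond the page's HIGH:!aNULL:!MD5 string, the example also flags suites that use static RSA key exchange (Kx=RSA), which offer no forward secrecy, so a later compromise of private.key would expose recorded sessions.

```shell
#!/bin/sh
# Expand an SSLCipherSuite string with openssl ciphers (added example; assumes
# the openssl CLI; function names are this example's own).

# Number of suites the string enables. 0 means OpenSSL rejected the string
# ("no cipher match"), which mod_ssl would likewise refuse at startup.
suite_count() {
  openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c .
}

# One line per suite: name, protocol and key-exchange method (openssl ciphers -v columns).
expand_suite() {
  openssl ciphers -v "$1" 2>/dev/null | awk '{ print $1, $2, $3 }'
}

# Suites keyed with plain RSA (Kx=RSA) have no forward secrecy. Lists the ones
# a string still leaves enabled; an empty result is what you want.
non_pfs_suites() {
  openssl ciphers -v "$1" 2>/dev/null | awk '$3 == "Kx=RSA" { print $1 }'
}

# Human-readable report for a candidate string, e.g. the vhost's
# HIGH:!aNULL:!MD5 versus HIGH:!aNULL:!MD5:!kRSA (which drops static RSA).
report() {
  echo "== $1 =="
  echo "enabled suites: $(suite_count "$1")"
  n=$(non_pfs_suites "$1" | grep -c .) || true
  echo "without forward secrecy: $n"
  non_pfs_suites "$1" | sed 's/^/  /'
}
```

Running report 'HIGH:!aNULL:!MD5' followed by report 'HIGH:!aNULL:!MD5:!kRSA' shows the difference directly: the second string lists no suites under "without forward secrecy". Since OpenSSL versions differ in which suites HIGH includes, check the expansion on the server that will run httpd rather than on a workstation.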
SSL Labs also has a great tool that can help you see how your security posture stacks up.
After all the configurations are in place you can run a syntax check.
$ httpd -t
Syntax OK
And then restart Apache if the test is successful.
# RHEL 6
$ sudo service httpd restart

# RHEL 7
$ sudo systemctl restart httpd.service