You will need a private key and a matching certificate, either issued by a trusted certificate authority like Let's Encrypt or self-signed. You should have the following files.
- Private Key: yourdomain.com.key
- Public Certificate: yourdomain.com.[crt or pem]
- Intermediate Certificate (optional): YourAuthorityCA.crt
Depending on where you obtain your certificate, the intermediate may or may not be required. When you purchase a certificate the signing authority will usually provide it along with your own certificate. For example, Let's Encrypt publishes its intermediate certificates on its website.
Apache Mod SSL
You may already have this installed, but you can run the following command to check.
$ sudo httpd -M | grep ssl
 ssl_module (shared)
If the above command returns no output, the module is not loaded; you can install it with yum.
$ sudo yum install -y mod_ssl
The default SSL configuration that mod_ssl installs can be found at /etc/httpd/conf.d/ssl.conf.
However, I recommend disabling this configuration file and using a simpler configuration of your own. You can disable the default ssl.conf just by renaming it so it no longer ends in .conf, since httpd only includes conf.d/*.conf. Bear in mind that this file is what carried the Listen 443 https directive, so your own virtual host file has to supply it (exactly once: a second Listen on the same port makes httpd fail to start with an address-already-in-use error).
$ sudo mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.disabled
You can figure out where your virtual host files are configured by running the following.
$ httpd -S
*:80 is a NameVirtualHost
*:443 is a NameVirtualHost
default server linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:2)
port 80 namevhost linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:2)
port 443 namevhost linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:12)
The following is an example of a vhost configuration that has both HTTP and HTTPS sections. The domain name and certificate paths need to be customized to match your domain.
$ cat /etc/httpd/conf.d/linuxbucket.conf
Listen 443 https
# SSLCertificateChainFile /etc/ssl/linuxbucket/intermediate.crt
SSLProtocol -ALL +TLSv1.2
The important configuration to include from the above example is the <VirtualHost *:443> section. This also assumes you've placed the .crt and .key files in the location specified in the configuration. You can change the file locations to whatever you want, but in general you'll want to place them somewhere under
Wherever they end up, the private key should be owned by root with mode 0600: httpd reads it as root during startup before dropping privileges, so nothing else needs access to it, and a world-readable key lets any local user impersonate the site.
The SSLCertificateChainFile parameter is commented out above, but if the provider of your SSL certificate gave you an intermediate certificate, this is where it is configured. Apache 2.4.8 and later deprecate SSLCertificateChainFile in favour of appending the intermediate certificate(s) after your own certificate in the file named by SSLCertificateFile (this is what the fullchain.pem written by Let's Encrypt's certbot client contains); the httpd 2.4.6 shipped with CentOS 7 still needs the separate directive. A missing intermediate is the most common cause of a site that works in one browser and fails in another, because browsers differ in which intermediates they have cached. You can check to make sure the chain looks good using SSL Shopper's tool.
The Apache documentation has good information on SSLCipherSuite configurations. If security is a priority you may want to force strong encryption for all traffic, which in practice means restricting the list to forward-secret (ECDHE) AEAD suites and turning on SSLHonorCipherOrder so the server's preference, not the client's, decides. Otherwise reference the Apache documentation for examples of conditional cipher suite configurations, such as requiring strong ciphers only for specific locations. Mozilla's Server Side TLS recommendations are a good reference for understanding the options.
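A complete version of the vhost file discussed above, as an added example rather than the post's own configuration. The domain, DocumentRoot, log file names and certificate file names are assumptions (the post only shows linuxbucket.com and the /etc/ssl/linuxbucket/ directory); substitute your own. It redirects plain HTTP to HTTPS, serves TLS 1.2 only with forward-secret AEAD cipher suites, disables TLS compression, and sets HSTS:

```apache
# Added example, not the post's own configuration. The domain, DocumentRoot,
# log file names and certificate file names are assumptions; substitute yours.
Listen 443 https

# Plain HTTP only redirects to HTTPS; nothing is served in the clear.
<VirtualHost *:80>
    ServerName linuxbucket.com
    ServerAlias www.linuxbucket.com
    Redirect permanent / https://linuxbucket.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName linuxbucket.com
    ServerAlias www.linuxbucket.com
    DocumentRoot /var/www/linuxbucket

    SSLEngine on
    SSLCertificateFile    /etc/ssl/linuxbucket/linuxbucket.com.crt
    SSLCertificateKeyFile /etc/ssl/linuxbucket/linuxbucket.com.key
    # Uncomment if your CA issued an intermediate certificate
    # (Apache >= 2.4.8: append it to the .crt file instead).
    # SSLCertificateChainFile /etc/ssl/linuxbucket/intermediate.crt

    # TLS 1.2 only: SSLv3, TLS 1.0 and TLS 1.1 are refused.
    SSLProtocol -ALL +TLSv1.2
    # Forward-secret AEAD suites only. The ECDSA entries only apply with an
    # ECDSA certificate; CHACHA20 needs OpenSSL 1.1.0+ and is silently
    # ignored on older builds.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # The server's order wins, not the client's.
    SSLHonorCipherOrder on
    # TLS-level compression enables the CRIME attack.
    SSLCompression off

    # HSTS (needs mod_headers): browsers will refuse plain HTTP for a year.
    # Only enable once HTTPS is confirmed working; it cannot be undone quickly.
    Header always set Strict-Transport-Security "max-age=31536000"

    ErrorLog  /var/log/httpd/linuxbucket-ssl-error.log
    CustomLog /var/log/httpd/linuxbucket-ssl-access.log combined
</VirtualHost>
```

The Listen line is there because the default ssl.conf, which normally carries it, has been renamed away; if you left ssl.conf in place, drop it from this file so the port is not bound twice.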
SSL Labs also has a great tool, the SSL Server Test, that shows how your security posture stacks up once the site is reachable from the internet.
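Before restarting, the key, certificate and chain can be sanity-checked offline with the openssl command line, which catches the two classic mistakes (a key that does not belong to the certificate, and a missing or wrong intermediate) without depending on an external scanner. This is an added example, not part of the original post; the script name tlscheck.sh and the file paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for the
# files an Apache SSL vhost points at, using only the openssl CLI.
# Each function returns 0 (success) or non-zero so it can be used in conditionals.

# cert_key_match KEY CERT
# Succeeds only if KEY parses as a private key, CERT parses as a certificate,
# and both carry the same public key (compared as SHA-256 of the DER SPKI).
cert_key_match() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout >/dev/null 2>&1 || return 1
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    cert_fp=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
              | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ "$key_fp" = "$cert_fp" ]
}

# chain_ok CERT INTERMEDIATE [ROOTS]
# Succeeds if CERT chains through INTERMEDIATE (the file you would hand to
# SSLCertificateChainFile) to a root in the ROOTS bundle, or in the system
# trust store when ROOTS is omitted. This is the same check a browser performs.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# expires_within DAYS CERT
# Succeeds if CERT expires within DAYS days (handy for a renewal cron job).
expires_within() {
    ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Usage: sh tlscheck.sh KEY CERT [INTERMEDIATE]
# With no arguments the script only defines the functions above.
if [ "$#" -ge 2 ]; then
    if cert_key_match "$1" "$2"; then echo "OK: private key matches certificate"
    else echo "FAIL: private key does not match certificate"; fi
    if expires_within 30 "$2"; then echo "WARN: certificate expires within 30 days"; fi
    if [ -n "${3:-}" ]; then
        if chain_ok "$2" "$3"; then echo "OK: chain verifies to a trusted root"
        else echo "FAIL: chain does not verify (wrong or missing intermediate?)"; fi
    fi
fi
```

Run it as root so it can read the key, e.g. sudo sh tlscheck.sh /etc/ssl/linuxbucket/linuxbucket.com.key /etc/ssl/linuxbucket/linuxbucket.com.crt /etc/ssl/linuxbucket/intermediate.crt (paths assumed). Once Apache is back up, openssl s_client -connect linuxbucket.com:443 -servername linuxbucket.com -tls1 should fail to negotiate while the same command with -tls1_2 succeeds, confirming the SSLProtocol line took effect.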
Restart Apache
After all the configurations are in place you can run a syntax check. Run it with sudo so that the check can also read the root-only private key.
$ sudo httpd -t
Syntax OK
And then restart Apache if the test is successful, using whichever init system your release uses: service on SysV-init releases such as CentOS/RHEL 6, or systemctl on systemd releases such as CentOS/RHEL 7.
$ sudo service httpd restart
$ sudo systemctl restart httpd.service