Receiving and Installing Your SSL Certificate

Generally, CAs provide detailed instructions for the installation of their SSL certificates; however, I’ll cover some broad points here.

The CA from which you order a certificate will email you either the certificate itself or a link from which you can download it. Follow the instructions provided precisely, especially with regard to opening the certificate in a text editor. Do not use a word processor or rich text editor, as the certificate code can become corrupted. Also make sure that no leading or trailing spaces precede the beginning or follow the end of the certificate code shown in Example 3.1, “Sample Emailed Certificate”.

Example 3.1. Sample Emailed Certificate

-----BEGIN CERTIFICATE-----
[base64-encoded certificate body omitted]
-----END CERTIFICATE-----

The signed certificate returned by the CA should be written to domainname.com.crt in the /etc/ssl/apache directory.
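As an added example that is not part of the original guide, the following POSIX shell script performs the checks just described before the file is copied into place: it rejects the whitespace and rich-text damage the text warns about, confirms (when openssl is present) that the certificate belongs to the server's private key, and runs Apache's config test. The /etc/ssl/apache/domainname.com.crt path and the RSA key file name are taken from this chapter; the function names and the check_cert.sh file name are the example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check a certificate file
# received from the CA before copying it to /etc/ssl/apache/domainname.com.crt.

# check_pem_layout FILE: return 0 if FILE is a clean PEM certificate, else 1.
check_pem_layout() {
    f=$1
    # The very first and last lines must be the bare markers: no indentation,
    # no blank lines around them.
    head -n 1 "$f" | grep -qxF -e '-----BEGIN CERTIFICATE-----' \
        || { echo "$f: first line is not the BEGIN marker" >&2; return 1; }
    tail -n 1 "$f" | grep -qxF -e '-----END CERTIFICATE-----' \
        || { echo "$f: last line is not the END marker" >&2; return 1; }
    # A word processor or a careless paste often leaves a space, tab or CR at
    # a line edge; any such line is reported and the file rejected.
    if grep -nE '^[[:space:]]|[[:space:]]$' "$f" >&2; then
        echo "$f: leading/trailing whitespace found (lines above)" >&2; return 1
    fi
    # Every body line must be plain base64; smart quotes or other rich-text
    # characters show up here as a rejected line.
    if sed '1d;$d' "$f" | grep -nvE '^[A-Za-z0-9+/=]+$' >&2; then
        echo "$f: non-base64 body line (shown above)" >&2; return 1
    fi
    return 0
}

# key_matches_cert CERT KEY: return 0 if KEY's public half matches CERT, so
# Apache will not refuse to start after the restart. Returns 0 (skips) when
# openssl is not installed; assumes an RSA key like domainname.com.key.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" | openssl sha256)
    [ "$c" = "$k" ]
}

# install_cert SRC KEY [DEST]: validate, copy into place, then run Apache's
# config test so a broken file is caught before the server is restarted.
install_cert() {
    dest=${3:-/etc/ssl/apache/domainname.com.crt}
    check_pem_layout "$1" || return 1
    key_matches_cert "$1" "$2" || { echo "certificate does not match $2" >&2; return 1; }
    install -m 0644 "$1" "$dest" && apachectl configtest
}

# Usage: sh check_cert.sh received.crt /etc/ssl/apache/domainname.com.key
if [ $# -ge 2 ]; then install_cert "$1" "$2"; fi
```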

Configuring Apache to enable SSL for the domain(s) you’re securing is done in httpd.conf; on modern systems the SSL section may have been relocated to the modules.d/40_mod_ssl.conf file. To begin, make a backup of the file. Then, open it in your favorite text editor.

You can add the virtual host for the domain you’re securing to the "IfDefine HAVE_SSL" section noted above. A minimal example entry straight from a default httpd.conf file is listed below for your reference. You should modify items such as paths and IP addresses to fit your own environment. The SSL port is 443 unless you specifically choose a different port number. This is depicted in Example 3.2, “Sample SSL Config”.

Example 3.2. Sample SSL Config


./modules.d/40_mod_ssl.conf contains:

<IfDefine HAVE_SSL>
    <IfModule !mod_ssl.c>
        LoadModule ssl_module   modules/mod_ssl.so
    </IfModule>
</IfDefine>

<IfModule mod_ssl.c>
   Listen 0.0.0.0:443
   <IfModule mod_mime.c>
      AddType application/x-x509-ca-cert .crt
      AddType application/x-pkcs7-crl    .crl
   </IfModule>
   SSLPassPhraseDialog  builtin
   SSLSessionCache         shmcb:/var/cache/httpd/mod_ssl/ssl_scache(512000)
   SSLSessionCacheTimeout  300
   # Apache 2.2 directive; Apache 2.4 replaced SSLMutex with Mutex.
   SSLMutex default
   SSLRandomSeed startup /dev/urandom  256
   SSLRandomSeed connect builtin
   SSLCryptoDevice builtin
</IfModule>

./conf/vhosts.d/99_domainname_com_ssl.conf:

<IfModule mod_ssl.c>
   # _default_ is Apache's special name for "any address not matched by
   # another VirtualHost"; a plain "default" would be treated as a hostname.
   <VirtualHost _default_:443>
      ServerName www.domainname.com
      ServerAlias domainname.com
      ServerAdmin admin@domainname.com
      ErrorLog logs/ssl_error_domainname_com_log

      <IfModule mod_log_config.c>
         TransferLog logs/ssl_access_domainname_com_log
      </IfModule>

      SSLEngine on
      # Stock cipher string of the era: RC4, LOW and MEDIUM are obsolete and
      # should be removed from a current deployment.
      SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
      SSLProtocol all -SSLv2
      SSLCertificateFile /etc/ssl/apache/domainname.com.crt
      SSLCertificateKeyFile /etc/ssl/apache/domainname.com.key

      <FilesMatch "\.(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars
      </FilesMatch>

      DocumentRoot "/var/www/domainname_com/html"

      # Order/Allow is Apache 2.2 syntax; on 2.4 use "Require all granted".
      <Directory "/var/www/domainname_com/html">
         Options Indexes FollowSymLinks MultiViews
         AllowOverride None
         Order allow,deny
         Allow from all
      </Directory>

      ScriptAlias /cgi-bin/ "/var/www/domainname_com/cgi-bin/"

      <Directory "/var/www/domainname_com/cgi-bin">
         SSLOptions +StdEnvVars
         AllowOverride None
         Options None
         Order allow,deny
         Allow from all
      </Directory>

      <IfModule mod_setenvif.c>
         BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
                  downgrade-1.0 force-response-1.0
      </IfModule>

      <IfModule mod_log_config.c>
         CustomLog logs/ssl_request_log \
             "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
      </IfModule>

      <IfModule mod_rewrite.c>
         RewriteEngine On
         RewriteOptions inherit
      </IfModule>

   </VirtualHost>

</IfModule>


Important: Restart

To have these changes take effect, restart Apache!

Now, you must restart Apache to ensure that all your modifications are enabled. On Red Hat-based systems, type the following:

# service httpd restart

On other systems, you can use the Apache control command by typing the following:

# /usr/sbin/apachectl -k restart