Generally, CAs provide detailed instructions for the installation of their SSL certificates; however, I’ll cover some broad points here.
The CA from which you order a certificate will email you either the certificate or a link from which you can download it. Follow the instructions provided precisely, especially with regard to opening a certificate in a text editor. Do not use a word processor or rich text editor, as the certificate code can become corrupted. You should also take care that no leading or trailing spaces surround the beginning and end of the certificate code, as shown in Example 3.1, “Sample Emailed Certificate”.
Example 3.1. Sample Emailed Certificate
```
-----BEGIN CERTIFICATE-----
MIICzjCCAjegAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBrDELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCFZpcmdpbmlhMRQwEgYDVQQHEwtTcHJpbmdmaWVsZDEYMBYGA1UE
ChMPSlJJIFdvcmxkLCBJbmMuMRAwDgYDVQQLEwdPbnRhcmlvMR0wGwYDVQQDExRv
bnRhcmlvLmpyaXdvcmxkLmNvbTEpMCcGCSqGSIb3DQEJARYaYmlsbGZAb250YXJp
by5qcml3b3JsZC5jb20wHhcNMDUwNDA3MjI0MTU3WhcNMDYwNDA3MjI0MTU3WjCB
rDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMRQwEgYDVQQHEwtTcHJp
bmdmaWxlZDEYMBYGA1UEChMPSlJJIFdvcmxkLCBJbmMuMRAwDgYDVQQLEwdPbnRh
cmlvMR0wGwYDVQQDExRPbnRhcmlvLmpyaXdvcmxkLmNvbTEpMCcGCSqGSIb3DQEJ
ARYaYmlsbGZAb250YXJpby5qcml3b3JsZC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAM81vIgjw0DWAfReVKthdvwe4YP4Z29UU2QZKx/cTt7pJYnW2vnD
pieGoIyiWr5qW+rmtEFRe1yqarZxU0oGyz2w/1ZlOrhU6vBvsa4JOY6DndSixiRq
jVpzspNk9iJUA5AcjKQVC7SCgDHeySLyHm/zzNKOlATRge3HMgge/qzbAgMBAAEw
DQYJKoZIhvcNAQEEBQADgYEAS6MTN6SWlXu24JhNBPjYpwNs/h0HJ+s4uZnQAq49
pPoRm8omMFx4ilEwuihIUnH0Q9rG6hViiThq6pxRj3gkY8UJ5UaKuXr9yLcfNGf5
r6iaPTHeiauHVqXeBfY+ZWTWlIl9FNePo8Sc9eYI8s/KuR+dn97iYmTAHC8kOzlY
gGg=
-----END CERTIFICATE-----
```
The signed certificate returned by the CA should be written to domainname.com.crt in the /etc/ssl/apache directory.
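The following Python check is an added example, not part of the original text. It looks for the kinds of damage described above (stray whitespace, rich-text substitutions, truncation) before the file is put in place. The function names and the dummy sample are assumptions of this example, and it checks only the PEM wrapper and DER length, not the signature or whether the certificate matches your key.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_pem_certificate(text):
    """Return a list of problems found in a pasted PEM certificate (empty = clean)."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("byte-order mark at start of file")
        text = text[1:]
    if re.search(r"[^\x00-\x7f]", text):
        problems.append("non-ASCII characters (rich-text editor damage)")
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a single final newline is normal
    for number, line in enumerate(lines, start=1):
        if line != line.strip():
            problems.append(f"line {number}: leading or trailing whitespace")
    stripped = [line.strip() for line in lines]
    if not stripped or stripped[0] != BEGIN or stripped[-1] != END:
        problems.append("missing or altered BEGIN/END CERTIFICATE line")
        return problems
    try:
        der = base64.b64decode("".join(stripped[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("body is not valid base64")
        return problems
    if not der_sequence_is_complete(der):
        problems.append("decoded data is not one complete DER SEQUENCE")
    return problems

def der_sequence_is_complete(der):
    """True if der is exactly one ASN.1 SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    count = der[1] & 0x7F                   # long form: next `count` bytes
    if count == 0 or len(der) < 2 + count:
        return False
    return len(der) == 2 + count + int.from_bytes(der[2:2 + count], "big")

def make_sample_pem():
    """Constructed sample: a 200-byte dummy SEQUENCE, not a real certificate."""
    b64 = base64.b64encode(b"\x30\x81\xc8" + bytes(range(200))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"
```

To check a real file, pass its contents as text, for example `check_pem_certificate(open(path, encoding="utf-8").read())`.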
Configuring Apache to enable SSL for the domain(s) you’re securing takes place in httpd.conf; on modern systems the SSL settings may have been relocated to the modules.d/40_mod_ssl.conf file. To begin, make a backup of the file. Then, open it in your favorite text editor.
You can add the virtual host domain you’re securing into the "IfDefine HAVE_SSL" section noted above. A minimal example entry straight from a default httpd.conf file is listed below for your reference. You should modify items such as paths and IP addresses to fit your own environment. The SSL port is 443 unless you’re specifically changing it to another port number. This is depicted in Example 3.2, “Sample SSL Config”.
Example 3.2. Sample SSL Config
./modules.d/40_mod_ssl.conf contains:

```
<IfDefine HAVE_SSL>
  <IfModule !mod_ssl.c>
    LoadModule ssl_module modules/mod_ssl.so
  </IfModule>
</IfDefine>

<IfModule mod_ssl.c>
  Listen 0.0.0.0:443

  <IfModule mod_mime.c>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
  </IfModule>

  SSLPassPhraseDialog builtin
  SSLSessionCache shmcb:/var/cache/httpd/mod_ssl/ssl_scache(512000)
  SSLSessionCacheTimeout 300
  SSLMutex default
  SSLRandomSeed startup /dev/urandom 256
  SSLRandomSeed connect builtin
  SSLCryptoDevice builtin
</IfModule>
```

./conf/vhosts.d/99_domainname_com_ssl.conf:

```
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerName www.domainname.com
    ServerAlias domainname.com
    ServerAdmin admin@domainname.com
    ErrorLog logs/ssl_error_domainname_com_log
    <IfModule mod_log_config.c>
      TransferLog logs/ssl_access_domainname_com_log
    </IfModule>

    SSLEngine on
    # Stock values from the default file; this cipher list still admits
    # RC4, MEDIUM and LOW ciphers, so tighten it for a current deployment.
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLProtocol all -SSLv2
    # The certificate returned by the CA and its matching private key
    SSLCertificateFile /etc/ssl/apache/domainname.com.crt
    SSLCertificateKeyFile /etc/ssl/apache/domainname.com.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>

    DocumentRoot "/var/www/domainname_com/html"
    <Directory "/var/www/domainname_com/html">
      Options Indexes FollowSymLinks MultiViews
      AllowOverride None
      Order allow,deny
      Allow from all
    </Directory>

    ScriptAlias /cgi-bin/ "/var/www/domainname_com/cgi-bin/"
    <Directory "/var/www/domainname_com/cgi-bin">
      SSLOptions +StdEnvVars
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all
    </Directory>

    <IfModule mod_setenvif.c>
      BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    </IfModule>

    <IfModule mod_log_config.c>
      CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>

    <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteOptions inherit
    </IfModule>
  </VirtualHost>
</IfModule>
```
Restart: To have these changes take effect, restart Apache!
Now, you must restart Apache to ensure that all your modifications are enabled. On Red Hat-based systems, type the following:
# service httpd restart
On other systems, you can use the Apache control command by typing the following:
# /usr/sbin/apachectl -k restart