Frequently Asked Questions

Install SSL certificate on Apache server

Updated: 2022-03-09

The SSL certificate service of this site supports downloading and installing the certificate to the Apache server, so that the Apache server supports HTTPS secure access. This article describes the specific operation of certificate installation.

Prerequisites:
The certificate has been issued and downloaded in the SSL certificate console. For details, see Downloading a Certificate to Local.
Port 443 (the default port for the HTTPS service) is open on your Apache server.
The mod_ssl.so module is installed on your Apache server (it provides the SSL functionality).
Steps:
Note: The certificate file names in this document use "domain name" as a placeholder. For example, the certificate file is named domain name_public.crt, the certificate chain file is named domain name_chain.crt, and the certificate key file is named domain name.key.
1. Unzip the Apache certificate package that you downloaded and saved locally. The unzipped folder contains 3 files:
Certificate file: The suffix or file type is .crt.
Certificate chain file: The suffix or file type is .crt.
Key file: The suffix or file type is .key.

Note:
If, when applying for the certificate, you filled in the CSR manually or selected an existing CSR instead of choosing system generation, the .key file (key file) is not included in the downloaded certificate package.
The certificate file with the .crt extension is a Base64-encoded text file in PEM format; it can be renamed with the .pem extension or another extension as needed. For the specific operation of certificate format conversion, see How to Convert Certificate Format?
2. Create a new cert directory in the Apache installation directory, and copy the decompressed Apache certificate, certificate chain file, and key file to the cert directory.
If you need to install multiple certificates, you need to create a corresponding number of cert directories in the Apache installation directory to store different certificates.
Note:
If you chose the manual CSR generation method when applying for the certificate, copy the key file that you generated manually to the cert directory and name it domain name.key.
3. Modify the httpd.conf configuration file.
* Open the httpd.conf file in the Apache installation directory Apache/conf/.
Note:
Apache/conf/ is the default configuration directory of an Apache installation. If this path has been changed, look for the httpd.conf file in the changed path.
* Find the following parameters in the httpd.conf file and configure them according to the comments below:
# Delete the comment symbol "#" at the beginning of the following line to load the mod_ssl.so module and enable the SSL service. Apache does not enable this module by default.
#LoadModule ssl_module modules/mod_ssl.so
# Delete the comment symbol "#" at the beginning of the following line.
#Include conf/extra/httpd-ssl.conf
Note:
If you cannot find the above configuration statements in the httpd.conf file, check whether the mod_ssl.so module is installed on your Apache server. Run the yum install -y mod_ssl command to install the mod_ssl module.
* Save the httpd.conf file and exit.
4. Modify the httpd-ssl.conf configuration file.
* In the Apache/conf/extra/ directory, open the httpd-ssl.conf file.
Note:
Depending on the operating system, the httpd-ssl.conf file may also be stored in the conf.d/ssl.conf/ directory.
* Find the following parameters in the httpd-ssl.conf file and configure them according to the comments below.
<VirtualHost *:443>
    # Change to the domain name bound when applying for the certificate.
    ServerName www.YourDomainName1.com
    DocumentRoot /data/www/hbappserver/public
    SSLEngine on
    # Enable the supported SSL protocols and remove insecure protocols.
    SSLProtocol all -SSLv2 -SSLv3
    # Modify the cipher suite.
    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
    SSLHonorCipherOrder on
    # Replace domain name1_public.crt with your certificate file name.
    SSLCertificateFile cert/domain name1_public.crt
    # Replace domain name1.key with the key file name of your certificate.
    SSLCertificateKeyFile cert/domain name1.key
    # Replace domain name1_chain.crt with the certificate chain file name of your certificate.
    # If the SSLCertificateChainFile line begins with a # character, delete that character.
    SSLCertificateChainFile cert/domain name1_chain.crt
</VirtualHost>
# If the certificate contains multiple domain names, copy the above parameters and replace ServerName with the second domain name.
<VirtualHost *:443>
    # Change to the second domain name bound when applying for the certificate.
    ServerName www.YourDomainName2.com
    DocumentRoot /data/www/hbappserver/public
    SSLEngine on
    # Enable the supported SSL protocols and remove insecure protocols.
    SSLProtocol all -SSLv2 -SSLv3
    # Modify the cipher suite.
    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
    SSLHonorCipherOrder on
    # In the three file names below, replace domain name2 with the second domain name used when applying for the certificate.
    SSLCertificateFile cert/domain name2_public.crt
    SSLCertificateKeyFile cert/domain name2.key
    # If the SSLCertificateChainFile line begins with a # character, delete that character.
    SSLCertificateChainFile cert/domain name2_chain.crt
</VirtualHost>
Notice:
Please pay attention to whether your browser version supports the SNI function. If it is not supported, the multi-domain certificate configuration will not take effect.
* Save the httpd-ssl.conf file and exit.
5. Optional: Modify the httpd.conf file to set HTTP requests to automatically jump to HTTPS.
Add the following redirection rules between <VirtualHost *:80> and </VirtualHost> in the httpd.conf file.
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
6. Restart the Apache server for the SSL configuration to take effect.
Perform the following steps in the Apache bin directory:
* Execute apachectl -k stop to stop the Apache service.
* Execute apachectl -k start to start the Apache service.
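Before the restart in step 6, the edited httpd-ssl.conf can be checked for the mistakes an annotated template like the one in step 4 invites. The lint below is an added example, not part of the original article or of Apache; the function name lint_ssl_vhosts and the sample block are constructed. It flags a # comment left on a directive line (httpd treats # as a comment only at the start of a line), an empty ServerName, a missing certificate or key directive, and an SSLProtocol line such as "all -SSLv2 -SSLv3" that still permits TLSv1 and TLSv1.1.

```shell
# lint_ssl_vhosts FILE
# Prints one finding per line for the <VirtualHost> blocks of an
# httpd-ssl.conf-style file; prints nothing when no issue is found.
# Assumes directive names use their canonical capitalisation.
lint_ssl_vhosts() {
  awk '
    function report(msg) { printf "line %d: %s\n", NR, msg }
    NF == 0 || $1 ~ /^#/ { next }            # blank or whole-line comment
    $1 == "<VirtualHost" { invh = 1; start = NR; split("", seen); next }
    $1 == "</VirtualHost>" {
      n = split("ServerName SSLEngine SSLCertificateFile SSLCertificateKeyFile", req, " ")
      for (i = 1; i <= n; i++)
        if (!(req[i] in seen)) report("block opened at line " start " lacks " req[i])
      invh = 0; next
    }
    !invh { next }
    {
      seen[$1] = 1
      # httpd has no trailing comments: "#..." after a directive is an argument.
      for (i = 2; i <= NF; i++)
        if ($i ~ /^#/) { report($1 " is followed by a # comment on the same line"); break }
      if ($1 == "ServerName" && (NF < 2 || $2 ~ /^#/))
        report("ServerName has no host name")
      if ($1 == "SSLProtocol") {
        all = 0; no10 = 0; no11 = 0
        for (i = 2; i <= NF && $i !~ /^#/; i++) {
          if ($i == "all" || $i == "+all") all = 1
          if ($i == "-TLSv1") no10 = 1
          if ($i == "-TLSv1.1") no11 = 1
        }
        if (all && !(no10 && no11))
          report("SSLProtocol still allows TLSv1 and/or TLSv1.1")
      }
    }
  ' "$1"
}

# Constructed sample: one block written the way an annotated template reads.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:443>
ServerName #Modify to www.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile cert/example_public.crt
</VirtualHost>
EOF
lint_ssl_vhosts "$sample"
rm -f "$sample"
```

A clean result does not replace apachectl -t, which parses the complete configuration with the server's own parser.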
Follow-up:
After the certificate is installed, you can verify that the installation succeeded by accessing the domain name bound to the certificate.
https://yourdomain #You need to replace yourdomain with the domain name bound to the certificate.
If a small lock appears in the address bar of the web page, the certificate has been installed successfully.
After the certificate is installed, if the website cannot be accessed normally through HTTPS, check whether port 443 is open on the server where you installed the certificate and whether it is blocked by other tools. If you are using an Alibaba Cloud ECS server, go to the security group page of the ECS console and open port 443.