Installing SSL certificate on Apache

July 30, 2015
Ivo Petkov
Now that you know how SSL works and how to get a certificate, it's time to secure the connection to our website.

The first thing we need to do is put the private key, the certificate and the CA's intermediate certificates on the machine that hosts the website, but not inside the website's document root. The private key is the secret the whole setup rests on: keep it readable only by root (mode 0600), since Apache reads it at startup before dropping privileges, and never store it anywhere the web server could serve it.

Here is what the private key file (located at /var/certificates/example.com.key) should look like:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANx715AmXSr8RTIQfIgAAECggEANYzLwNPLOlRfwE81BEoeBgkqklW
...
UshV/35RY677Xe739BYnl+hZO5DBGNPeU/grdKdTqyZD/b2DtS5bK
-----END PRIVATE KEY-----
This is what the certificate file (located at /var/certificates/example.com.crt) should look like:
-----BEGIN CERTIFICATE-----
MIIFQjCCBCa9qjIx2VwiQeoLBzE0pahyM4Z9MJLNE5tOuQOIFZhbGlkYXRlZg7EB
...
HLmJnggdhbqMjQjZWipQ
-----END CERTIFICATE-----
And finally, this is what the intermediates file (located at /var/certificates/example.com.chain) should look like:
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIB01PRE8gUlNBIENlcngKCAgEAkehUktIKVrGsDKCAgEAkehUk
...
pQ8pTIqXOi6YEbvFScL
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAw1jSz9AdDTScBkxwtiBhcNMjkwMjExMjM1OTU5WjASIwDQYJKoZ
...
hZ7Q7drNJ3gjIVq4rXmsX
-----END CERTIFICATE-----
As you can see, the chain file is just the intermediate certificates provided by our Certificate Authority, concatenated in chain order: the intermediate that signed our certificate comes first, and the one closest to the root comes last.

The next step is to edit the Apache configuration file (httpd.conf). Make sure mod_ssl is loaded (a LoadModule line for ssl_module, or a2enmod ssl on Debian/Ubuntu) and that Apache listens on port 443 (Listen 443), then find or create the <VirtualHost> that accepts secure connections on port 443 and add the SSL lines shown here:
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot "/var/www"

    SSLEngine on
    SSLCertificateFile /var/certificates/example.com.crt
    SSLCertificateKeyFile /var/certificates/example.com.key
    SSLCertificateChainFile /var/certificates/example.com.chain

    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>
SSLCertificateChainFile is the directive for Apache 2.2 and for 2.4 releases before 2.4.8; from 2.4.8 on it is deprecated, and the intermediates can instead be appended to the file named in SSLCertificateFile, after the server certificate. SSLProtocol All -SSLv2 -SSLv3 turns off the two SSL versions that are broken, and SSLHonorCipherOrder on makes the server, not the client, pick the cipher from the list, which prefers ECDHE key exchange with AES-GCM and excludes RC4, 3DES, MD5, export-grade and anonymous suites.
Then test the configuration file using the following command:
apachectl configtest
and if it reports Syntax OK, run the following command to apply the new configuration without dropping connections that are already open:
apachectl graceful
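Before applying the configuration on a real server, it is worth checking that the three files actually fit together. The script below is an added example, not code from the original post: it builds a throwaway test PKI with openssl (a constructed root, two intermediates and a leaf for example.com, standing in for the real files under /var/certificates) and then runs the checks that catch the usual deployment mistakes: a private key that does not match the certificate, a chain file that is missing the intermediate which signed the certificate or lists the intermediates in the wrong order, a certificate that does not cover the ServerName, a key that is group- or world-readable, and a key stored under DocumentRoot. The helper names (issue, check_deployment and so on), the temporary paths and the test PKI are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-deployment checks for the
# private key, certificate and intermediate chain before pointing Apache at them.
# A throwaway test PKI (root -> intA -> intB -> example.com) is generated here so
# the script runs offline; substitute the /var/certificates paths in real use.
set -eu

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
CNF=$PKI/openssl.cnf

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com
EOF

# issue NAME ISSUER EXT: new key + CSR for NAME, signed with ISSUER's key/cert.
issue() {
  openssl req -config "$CNF" -newkey rsa:2048 -nodes -keyout "$PKI/$1.key" \
    -out "$PKI/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$2.crt" -CAkey "$PKI/$2.key" \
    -CAcreateserial -days 2 -extfile "$CNF" -extensions "$3" -out "$PKI/$1.crt" 2>/dev/null
  chmod 600 "$PKI/$1.key"
}

# Constructed test PKI: self-signed root, two intermediates, one leaf for example.com.
openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout "$PKI/root.key" -out "$PKI/root.crt" -subj "/CN=Test Root" -days 2 2>/dev/null
issue intA root v3_ca
issue intB intA v3_ca
issue example.com intB v3_leaf
# Chain file as on the page: intermediates concatenated, the one that signed the leaf first.
cat "$PKI/intB.crt" "$PKI/intA.crt" > "$PKI/example.com.chain"

# ---- checks worth running before apachectl graceful -----------------------

# The private key must carry the same public key as the certificate.
key_matches_cert() {  # KEY CERT
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# The leaf must chain through the intermediates file to the CA root and cover the ServerName.
chain_verifies() {  # ROOT CHAIN LEAF HOSTNAME
  openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
}

# First certificate in the chain file must be the issuer of the leaf: TLS sends the
# chain in order, and openssl verify above will not notice a shuffled file.
chain_in_order() {  # CHAIN LEAF
  first=$(awk '/BEGIN CERTIFICATE/{n++} n==1' "$1" | openssl x509 -noout -subject 2>/dev/null) || return 1
  issuer=$(openssl x509 -in "$2" -noout -issuer 2>/dev/null) || return 1
  [ "${first#*=}" = "${issuer#*=}" ]
}

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Key file must be owner-only (0600); Apache reads it as root at startup.
key_is_locked_down() { [ -n "$(find "$1" -perm 600 2>/dev/null)" ]; }

# Key must not live under DocumentRoot, where a misconfiguration could serve it.
outside_docroot() { case "$1" in "$2"|"$2"/*) return 1 ;; esac; return 0; }

# check_deployment ROOT KEY CERT CHAIN HOSTNAME DOCROOT: run every check, fail on any miss.
check_deployment() {
  ok=0
  key_matches_cert "$2" "$3"         && echo "ok: key matches certificate"     || { echo "FAIL: key/cert mismatch"; ok=1; }
  chain_verifies "$1" "$4" "$3" "$5" && echo "ok: chain verifies for $5"       || { echo "FAIL: chain does not verify"; ok=1; }
  chain_in_order "$4" "$3"           && echo "ok: chain starts with leaf issuer" || { echo "FAIL: chain out of order"; ok=1; }
  key_is_locked_down "$2"            && echo "ok: key is mode 0600"            || { echo "FAIL: key permissions too open"; ok=1; }
  outside_docroot "$2" "$6"          && echo "ok: key outside DocumentRoot"    || { echo "FAIL: key under DocumentRoot"; ok=1; }
  echo "chain file contains $(count_certs "$4") certificate(s)"
  return $ok
}

check_deployment "$PKI/root.crt" "$PKI/example.com.key" "$PKI/example.com.crt" \
  "$PKI/example.com.chain" example.com /var/www
```

To check a real deployment, call check_deployment with your CA's root certificate and the /var/certificates paths instead of the generated ones. After apachectl graceful, confirm from another machine that openssl s_client -connect example.com:443 -servername example.com shows the full chain and ends with Verify return code: 0 (ok).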
That's it. Now visitors can access your website securely.
