Ivo Petkov

Installing SSL certificate on Apache

July 30, 2015
Now you know how SSL works and how you can get one. It's time to secure our website connection.

The first thing we need to do is ensure the private key, the certificate, and the CA's intermediate certificates are located on the machine where the website is hosted but not in the website root directory. We must keep the private key secure.

Here is how the private key (located at /var/certificates/example.com.key) file should look like:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANx715AmXSr8RTIQfIgAAECggEANYzLwNPLOlRfwE81BEoeBgkqklW
...
UshV/35RY677Xe739BYnl+hZO5DBGNPeU/grdKdTqyZD/b2DtS5bK
-----END PRIVATE KEY-----
This is how the certificate file (located at /var/certificates/example.com.crt) should look like:
-----BEGIN CERTIFICATE-----
MIIFQjCCBCa9qjIx2VwiQeoLBzE0pahyM4Z9MJLNE5tOuQOIFZhbGlkYXRlZg7EB
...
HLmJnggdhbqMjQjZWipQ
-----END CERTIFICATE-----
And finally this is how the intermediates file (located at /var/certificates/example.com.chain) should look like:
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIB01PRE8gUlNBIENlcngKCAgEAkehUktIKVrGsDKCAgEAkehUk
...
pQ8pTIqXOi6YEbvFScL
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAw1jSz9AdDTScBkxwtiBhcNMjkwMjExMjM1OTU5WjASIwDQYJKoZ
...
hZ7Q7drNJ3gjIVq4rXmsX
-----END CERTIFICATE-----
As you can see, we've concatenated the intermediate certificates provided by our Certificate Authority.

The next step is to edit the Apache configuration file (httpd.conf). Find or create <VirtualHost> that is configured to accept secure connections on port 443 and add the highlighted lines:
<VirtualHost *:443>
   ServerName example.com
   DocumentRoot "/var/www"

   SSLEngine on
   SSLCertificateFile /var/certificates/example.com.crt
   SSLCertificateKeyFile /var/certificates/example.com.key
   SSLCertificateChainFile /var/certificates/example.com.chain
   SSLProtocol All -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>
Then test the configuration file using the following command
apachectl configtest
and if the file is valid run the following command to apply the new configuration
apachectl graceful
That's it. Now visitors can access your website securely.
Thank you for sharing
Comments