Installing a Certificate on Apache Servers

Last updated: 2020-02-25 16:31:16

Scenario

This document describes how to install an SSL certificate on an Apache server.

  • This document uses the domain name www.domain.com as an example.
  • This document uses Apache/2.4.6 as an example. The default port is 80.
  • The current server OS is CentOS 7. The detailed steps vary slightly by OS version.

Prerequisites

  • A remote file copy tool such as WinSCP has been installed (we recommend getting the latest version from its official website).
  • A remote login tool such as PuTTY or Xshell has been installed (we recommend getting the latest version from their official websites).
  • The Apache server has been installed and configured on the current server.
  • The data required to install the SSL certificate includes:
    Name               Description
    Server IP address  IP address of the server, which is used to connect the PC to the server.
    Username           The username used to log in to the server.
    Password           The password used to log in to the server.

For a CVM instance purchased on the Tencent Cloud official website, you can log in to the CVM Console to get the server IP address, username, and password.

Directions

Certificate Installation

  1. Download the certificate package for the domain name www.domain.com from the SSL Certificates Service Console and decompress it to a local directory.
    After decompression, you get the certificate files of the relevant types, including Nginx folders and CSR files:

    • Folder name: Apache

    • Folder content:

      • 1_root_bundle.crt: certificate file
      • 2_www.domain.com.crt: certificate file
      • 3_www.domain.com.key: private key file
    • CSR file content: www.domain.com.csr file

      The CSR file is uploaded by you or generated online by the system when you apply for the certificate and is provided to the CA. It is irrelevant to the installation.

  2. Log in to the Apache server using WinSCP (a tool for copying files between a local computer and a remote computer).

  3. Copy the obtained certificate files 1_root_bundle.crt and 2_www.domain.com.crt and the private key file 3_www.domain.com.key from the local directory to the /etc/httpd/ssl directory of the Apache server.

    If the /etc/httpd/ssl directory does not exist, run mkdir /etc/httpd/ssl in the command line to create it.

  4. Remotely log in to the Apache server, for example by using PuTTY.

    When the Apache server is installed for the first time, directories such as conf.d, conf, and conf.modules.d are located in the /etc/httpd directory by default.

  5. In the httpd.conf configuration file in the /etc/httpd/conf directory, find the Include conf.modules.d/*.conf configuration statement (used to load the directory containing the SSL configuration) and verify that it is not commented out. If it is commented out, remove the comment symbol (#) at the beginning of the line and save the configuration file.
  6. In the 00-ssl.conf configuration file in the /etc/httpd/conf.modules.d directory, find the LoadModule ssl_module modules/mod_ssl.so configuration statement (used to load the SSL module) and verify that it is not commented out. If it is commented out, remove the comment symbol (#) at the beginning of the line and save the configuration file.

    The directory structure varies by OS version. Locate the files according to the OS version you actually use.
    If the statements cannot be found in the files above, check whether the mod_ssl.so module has been installed. If not, run the yum install mod_ssl command to install it.

  7. Edit the ssl.conf configuration file in the /etc/httpd/conf.d directory by modifying the following:
    <VirtualHost 0.0.0.0:443>
        DocumentRoot "/var/www/html"
        # Enter the domain name of the certificate
        ServerName www.domain.com
        # Enable SSL
        SSLEngine on
        # Path to the certificate file (the file copied in step 3)
        SSLCertificateFile /etc/httpd/ssl/2_www.domain.com.crt
        # Path to the private key file
        SSLCertificateKeyFile /etc/httpd/ssl/3_www.domain.com.key
        # Path to the certificate chain file
        # (this directive is obsolete from Apache 2.4.8 on; it applies to the 2.4.6 used here)
        SSLCertificateChainFile /etc/httpd/ssl/1_root_bundle.crt
    </VirtualHost>
  8. Restart the Apache server. The website can then be accessed using https://www.domain.com.
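
Before the restart in the last step, the file paths in ssl.conf can be checked against what was actually copied to /etc/httpd/ssl. The shell functions below are an added example, not part of the original document or of any Apache or Tencent Cloud tooling; tls_file_directives, preflight_tls_conf and make_sample are hypothetical helper names, and the scratch directory with placeholder file contents is a constructed stand-in for /etc/httpd/ssl. The check reports a directive that names a file that was never copied and a private key that accounts other than its owner can read:

```sh
# Added example; all function names here are hypothetical helpers.
# Print "<directive> <path>" for each active (uncommented) TLS file directive.
tls_file_directives() {
    awk '$1 ~ /^SSLCertificate(File|KeyFile|ChainFile)$/ { gsub(/"/, "", $2); print $1, $2 }' "$1"
}

# Return 0 only if all three directives are present, every file they name exists
# and is non-empty, and the private key has no group/other permission bits.
preflight_tls_conf() {
    rc=0; seen=0
    while read -r directive path; do
        [ -n "$directive" ] || continue
        seen=$((seen + 1))
        if [ ! -s "$path" ]; then
            echo "FAIL $directive: $path is missing or empty"; rc=1
        elif [ "$directive" = SSLCertificateKeyFile ] &&
             [ "$(ls -lLd "$path" | cut -c5-10)" != "------" ]; then
            echo "FAIL $directive: $path is readable by group or others"; rc=1
        else
            echo "ok   $directive: $path"
        fi
    done <<EOF
$(tls_file_directives "$1")
EOF
    [ "$seen" -eq 3 ] || { echo "FAIL expected 3 TLS file directives, found $seen"; rc=1; }
    return "$rc"
}

# Constructed sample: a scratch directory standing in for /etc/httpd/ssl, with
# placeholder file contents and a vhost fragment using the given certificate name.
make_sample() {   # $1 = scratch dir, $2 = file name used in SSLCertificateFile
    mkdir -p "$1/ssl"
    for f in 1_root_bundle.crt 2_www.domain.com.crt 3_www.domain.com.key; do
        echo "constructed placeholder" > "$1/ssl/$f"
    done
    chmod 644 "$1/ssl/3_www.domain.com.key"   # deliberately too permissive
    cat > "$1/ssl.conf" <<EOF
<VirtualHost 0.0.0.0:443>
    SSLCertificateFile $1/ssl/$2
    SSLCertificateKeyFile $1/ssl/3_www.domain.com.key
    SSLCertificateChainFile $1/ssl/1_root_bundle.crt
</VirtualHost>
EOF
}

demo=$(mktemp -d)
make_sample "$demo" 2_www.domain.com_cert.crt   # a name that was never copied
preflight_tls_conf "$demo/ssl.conf" || echo "do not restart httpd yet"
```

On the server itself, run preflight_tls_conf /etc/httpd/conf.d/ssl.conf, restrict a flagged key with chmod 600 /etc/httpd/ssl/3_www.domain.com.key, and run apachectl configtest before restarting.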

Security Configuration for Automatic Redirect from HTTP to HTTPS (Optional)

If you don't know how to access a website over HTTPS, you can configure the server to make it automatically redirect HTTP requests to HTTPS in the following steps:

  1. Edit the httpd.conf configuration file in the /etc/httpd/conf directory.
    • The directory structure varies by Apache version. For more information, see Apache Module mod_rewrite.
    • The directory where httpd.conf is located is not unique. You can filter them by /etc/httpd/*.
  2. Check whether LoadModule rewrite_module modules/mod_rewrite.so is in it.
    • If yes, remove the comment symbol (#) in front of LoadModule rewrite_module modules/mod_rewrite.so and proceed to step 4.
    • Otherwise, proceed to step 3.
  3. Create a new *.conf file such as 00-rewrite.conf in /etc/httpd/conf.modules.d and add the following to it:
    LoadModule rewrite_module modules/mod_rewrite.so
  4. Add the following to the httpd.conf configuration file:
    <Directory "/var/www/html"> 
    # Add the following:
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
    </Directory>
  5. Restart the Apache server and it can be accessed using http://www.domain.com.

If anything goes wrong during this procedure, contact us.