Prerequisite: Before we can install the SSL/TLS Certificate on Apache, make sure you have acquired the Certificate from the Certificate Authority (CA).
OS Version: CentOS 8.2 x64
Apache version: Apache/2.4.37 (centos)
By default there is no SSL support for Apache on CentOS, so we need to install it:
[root@bluegrid-edu ~]# yum install mod_ssl
After this command, the Apache SSL configuration file is available at /etc/httpd/conf.d/ssl.conf. This is the file in which the Certificate is configured.
Before we proceed, let’s list the files we need to have:
- Certificate file (ex: domain.com.crt)
- Key file (ex: domain.com.key)
- CA Bundle (ex: domain.com.ca_bundle)
Let’s open the configuration file and locate the necessary configuration lines:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
...
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
Apache SSL configuration requires two Certificate files, .crt and .key, with an optional .ca_bundle. Of course, just like with the Nginx SSL installation on CentOS, we can merge the Certificate file and the CA bundle. We can also uncomment the SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt line and place the CA Bundle content in it. That is the approach we’ll use in this tutorial.
Installation of the SSL/TLS Certificate on Apache!
- Check if SSL Certificate configuration directories exist:
[root@bluegrid-edu ~]# ls -l /etc/pki/tls/certs/ /etc/pki/tls/private/ /etc/pki/tls/certs/
/etc/pki/tls/certs/:
total 0
lrwxrwxrwx. 1 root root 49 Dec 11 2019 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Dec 11 2019 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/tls/certs/:
total 0
lrwxrwxrwx. 1 root root 49 Dec 11 2019 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Dec 11 2019 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/tls/private/:
total 0
Looks good!
- Move Certificate files to configuration directories:
[root@bluegrid-edu ~]# mv domain.com.crt /etc/pki/tls/certs/domain.com.crt
[root@bluegrid-edu ~]# mv domain.com.key /etc/pki/tls/private/domain.com.key
[root@bluegrid-edu ~]# mv domain.com.ca_bundle.crt /etc/pki/tls/certs/domain.com.ca_bundle.crt
- Now we can change the paths to the SSL Certificate files in the ssl.conf file; don’t forget to uncomment the CA Bundle path:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key
...
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/tls/certs/domain.com.ca_bundle.crt
- Restart Apache:
[root@bluegrid-edu ~]# systemctl restart httpd
- Test the HTTPS connection:
[root@bluegrid-edu ~]# curl -I https://domain.com
HTTP/1.1 200 OK
Date: Fri, 31 Jul 2020 22:11:06 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c
Last-Modified: Fri, 31 Jul 2020 16:54:22 GMT
ETag: "0-5abbfa40a7383"
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
That’s it, the HTTPS support is now active on this server.
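An added example (not part of the original tutorial): a small shell check to run after editing ssl.conf and before restarting httpd. It confirms that the three directives point at readable files, that the key is not accessible to group or other, and that the certificate and key belong together; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the tutorial: sanity-check ssl.conf before a restart.
# Helper and function names are this example's own.

# Print the path set by an uncommented directive in a conf file.
conf_path() {  # usage: conf_path DIRECTIVE CONF
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Succeed if certificate and private key carry the same public key.
# "-passin pass:" stops openssl from prompting; encrypted keys fail the check.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print one line per problem; the return status is the number of problems.
check_ssl_conf() {  # usage: check_ssl_conf CONF
    local conf=$1 problems=0 d f cert key
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCACertificateFile; do
        f=$(conf_path "$d" "$conf")
        if [ -z "$f" ]; then
            echo "$d: not set (still commented out?)"
            problems=$((problems + 1))
        elif [ ! -r "$f" ]; then
            echo "$d: $f missing or unreadable (typo in the path?)"
            problems=$((problems + 1))
        fi
    done
    cert=$(conf_path SSLCertificateFile "$conf")
    key=$(conf_path SSLCertificateKeyFile "$conf")
    if [ -n "$key" ] && [ -r "$key" ]; then
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "$key is accessible to group/other; chmod 600 it"
            problems=$((problems + 1))
        fi
        if [ -n "$cert" ] && [ -r "$cert" ] && ! cert_matches_key "$cert" "$key"; then
            echo "$cert does not match $key"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# On the server: check_ssl_conf /etc/httpd/conf.d/ssl.conf && apachectl configtest
```

On a CentOS host with SELinux enforcing, files moved with mv keep the label of the directory they came from; running restorecon -v on the moved certificate and key files resets it so httpd can read them.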