How to install SSL/TLS Certificate on Apache Server | CentOS

Prerequisite: Before installing the SSL/TLS certificate on Apache, make sure you have obtained the certificate from the Certificate Authority (CA).

Specification:

OS Version: CentOS 8.2 x64
Apache version: Apache/2.4.37 (centos)

By default, Apache on CentOS has no SSL support, so we need to install it:

[root@bluegrid-edu ~]# yum install mod_ssl

After this command, the Apache SSL configuration file /etc/httpd/conf.d/ssl.conf is in place. This is the file in which the certificate is configured.

Before we proceed, let's review the list of files we need to have:

  1. Certificate file (ex: domain.com.crt)
  2. Key file (ex: domain.com.key)
  3. CA Bundle (ex: domain.com.ca_bundle)

Let's open the configuration file and locate the necessary configuration lines:

#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

...

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Apache's SSL configuration requires two files, the .crt and the .key, with an optional .ca_bundle. Just as with the Nginx SSL installation on CentOS, we can merge the certificate file and the CA bundle. Alternatively, we can uncomment the SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt line and place the CA bundle content in the file it points to. That is the approach we'll use in this tutorial. Note that, per the comment above the directive, the same file is the CA list used for client authentication.

Installation of the SSL/TLS Certificate on Apache!

  • Check if SSL Certificate configuration directories exist:
[root@bluegrid-edu ~]# ls -l /etc/pki/tls/certs/ /etc/pki/tls/private/
/etc/pki/tls/certs/:
total 0
lrwxrwxrwx. 1 root root 49 Dec 11  2019 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Dec 11  2019 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

/etc/pki/tls/private/:
total 0
Looks good!

  • Move Certificate files to configuration directories:
[root@bluegrid-edu ~]# mv domain.com.crt /etc/pki/tls/certs/domain.com.crt
[root@bluegrid-edu ~]# mv domain.com.key /etc/pki/tls/private/domain.com.key
[root@bluegrid-edu ~]# mv domain.com.ca_bundle.crt /etc/pki/tls/certs/domain.com.ca_bundle.crt
  • Now change the paths to the SSL Certificate files in ssl.conf, and don't forget to uncomment the CA Bundle path:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile /etc/pki/tls/certs/domain.com.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key

...

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/tls/certs/domain.com.ca_bundle.crt
  • Restart Apache:
[root@bluegrid-edu ~]# systemctl restart httpd
  • Test the HTTPS connection:
[root@bluegrid-edu ~]# curl -I https://domain.com
HTTP/1.1 200 OK
Date: Fri, 31 Jul 2020 22:11:06 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c
Last-Modified: Fri, 31 Jul 2020 16:54:22 GMT
ETag: "0-5abbfa40a7383"
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8

That’s it, the HTTPS support is now active on this server.
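
Checks worth running on the three files before the restart step, shown here as an added example that is not part of the original tutorial. The function names and the throwaway sample CA are constructed for illustration, and the key is assumed to be an unencrypted PEM file.

```shell
# Added example: pre-flight checks for the certificate, key and CA bundle.

# 0 if the certificate and the private key hold the same public key.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate was issued by a CA in the bundle. -partial_chain lets
# a bundle that holds only intermediates (no root) still anchor the check.
bundle_issued_cert() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the key file is accessible by its owner only (mv keeps the old mode).
key_is_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Print one line per failed check; return the number of failures.
preflight() {
    local crt="$1" key="$2" bundle="$3" fails=0
    cert_matches_key "$crt" "$key" || { echo "FAIL: key does not match $crt"; fails=$((fails+1)); }
    bundle_issued_cert "$crt" "$bundle" || { echo "FAIL: $bundle did not issue $crt"; fails=$((fails+1)); }
    key_is_private "$key" || { echo "FAIL: $key is not mode 600/400"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample: a throwaway CA and a leaf it signs, written to dir $1.
make_sample() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$d/ca.key" -out "$d/domain.com.ca_bundle.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=domain.com" \
        -keyout "$d/domain.com.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -days 1 -CA "$d/domain.com.ca_bundle.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/domain.com.crt" 2>/dev/null
    chmod 600 "$d/domain.com.key"
}

if [ "${1:-}" = demo ]; then   # run: bash preflight.sh demo
    tmp=$(mktemp -d) && make_sample "$tmp"
    preflight "$tmp/domain.com.crt" "$tmp/domain.com.key" "$tmp/domain.com.ca_bundle.crt" && echo "all checks passed"
    rm -rf "$tmp"
fi
```

On a host with SELinux enforcing, files moved with mv keep the label of their source directory; restorecon -v on the moved files resets it.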

Ivan Dabić


Co-founder and CEO of BlueGrid.io, with a background in cloud infrastructure, distributed systems, monitoring, and security operations. He works closely with engineering teams to build and operate reliable systems while documenting both technical and organizational aspects of modern engineering work.

Ivan is a metalhead and a big fan of the cyberpunk movie genre. If you are his secret Santa, go with a Star Wars Lego box!
