How to install SSL/TLS Certificate on Apache Server | CentOS


Prerequisite: Before installing the SSL/TLS certificate on Apache, make sure you have obtained the certificate from the Certificate Authority (CA).

Specification:

OS Version: CentOS 8.2 x64
Apache version: Apache/2.4.37 (centos)

By default, Apache on CentOS has no SSL support, so we need to install it:

[root@bluegrid-edu ~]# yum install mod_ssl

After this command completes, the Apache SSL configuration file is available at /etc/httpd/conf.d/ssl.conf. This is the file we edit to install the certificate.

Before we proceed, here is the list of files we need to have:

  1. Certificate file (ex: domain.com.crt)
  2. Key file (ex: domain.com.key)
  3. CA Bundle (ex: domain.com.ca_bundle)

Let’s open the configuration file and locate the necessary configuration lines:

#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

...

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Apache SSL configuration requires two files, the certificate (.crt) and the private key (.key), with an optional CA bundle (.ca_bundle). Just like with the Nginx SSL installation on CentOS, we can merge the certificate file and the CA bundle into one file. Alternatively, we can uncomment the SSLCACertificateFile directive and supply the CA bundle content through the file it points to. That is the approach we’ll use in this tutorial.

Installation of the SSL/TLS Certificate on Apache!

  • Check if SSL Certificate configuration directories exist:
[root@bluegrid-edu ~]# ls -l /etc/pki/tls/certs/ /etc/pki/tls/private/ /etc/pki/tls/certs/
/etc/pki/tls/certs/:
total 0
lrwxrwxrwx. 1 root root 49 Dec 11  2019 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Dec 11  2019 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

/etc/pki/tls/certs/:
total 0
lrwxrwxrwx. 1 root root 49 Dec 11  2019 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Dec 11  2019 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

/etc/pki/tls/private/:
total 0

Looks good!

  • Move Certificate files to configuration directories:
[root@bluegrid-edu ~]# mv domain.com.crt /etc/pki/tls/certs/domain.com.crt
[root@bluegrid-edu ~]# mv domain.com.key /etc/pki/tls/private/domain.com.key
[root@bluegrid-edu ~]# mv domain.com.ca_bundle.crt /etc/pki/tls/certs/domain.com.ca_bundle.crt
  • Now change the paths to the SSL certificate files in ssl.conf, and don’t forget to uncomment the CA bundle path:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile /etc/pki/tls/certs/domain.com.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key

...

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/tls/certs/domain.com.ca_bundle.crt
  • Restart Apache:
[root@bluegrid-edu ~]# systemctl restart httpd
  • Test the HTTPS connection:
[root@bluegrid-edu ~]# curl -I https://domain.com
HTTP/1.1 200 OK
Date: Fri, 31 Jul 2020 22:11:06 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c
Last-Modified: Fri, 31 Jul 2020 16:54:22 GMT
ETag: "0-5abbfa40a7383"
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8

That’s it, the HTTPS support is now active on this server.
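
A pre-restart check for the path and permission mistakes this procedure is prone to, as an added example that is not part of the original tutorial: it reads the active certificate directives from ssl.conf and reports any file that is missing, not PEM encoded, or (for the private key) accessible beyond its owner. The function names are hypothetical, and directive paths are assumed to be unquoted and free of spaces.

```sh
#!/bin/sh
# Added example (not from the original tutorial): audit the certificate
# directives in ssl.conf before restarting httpd.
# Assumption: paths in the directives are unquoted and contain no spaces.

# Print one FAIL line for every problem found in the active directives.
check_directives() {
    # Commented-out lines never match: their first field starts with '#'.
    awk '$1 ~ /^SSL(Certificate|CertificateKey|CACertificate)File$/ { print $1, $2 }' "$1" |
    while read -r directive path; do
        if [ ! -r "$path" ]; then
            echo "FAIL $directive: $path is missing or unreadable"
            continue
        fi
        if ! grep -q -e '-----BEGIN ' "$path"; then
            echo "FAIL $directive: $path is not PEM encoded"
        fi
        if [ "$directive" = SSLCertificateKeyFile ]; then
            # Characters 5-10 of the ls mode string are the group/other bits.
            mode=$(ls -ldL "$path" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "FAIL $directive: $path is accessible beyond its owner"
            fi
        fi
    done
}

# Return 0 when the configuration is clean, 1 (and print the report) otherwise.
audit_ssl_conf() {
    report=$(check_directives "$1")
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}
```

Run `audit_ssl_conf /etc/httpd/conf.d/ssl.conf && apachectl configtest` before `systemctl restart httpd`, so a mistyped path or an over-permissive key is caught while the old configuration is still serving.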
