Install an SSL certificate on Apache server

The Alibaba Cloud SSL Certificates service lets you download a certificate and install it on an Apache server so that the server supports secure HTTPS access. This article describes how to install the certificate.

Prerequisites

  • Port 443 (the default HTTPS port) is open on your Apache server.
  • The mod_ssl.so module (which enables SSL) is installed on your Apache server.
  • This document uses "domain name" as the example certificate name: the certificate file is named domain name_public.crt, the certificate chain file is named domain name_chain.crt, and the certificate key file is named domain name.key.
  • If you did not choose to have the CSR created automatically when you applied for the certificate, the downloaded certificate package does not contain a .key file.
Note: A .crt certificate file is a Base64-encoded text file in PEM format; you can change the extension to .pem or similar as needed. For details on certificate formats, see "What are the mainstream digital certificate formats?"

Steps

  1. Unzip the downloaded Apache certificate package to a local directory.
    The extracted folder contains three files:
    • Certificate file: a file with the .crt suffix or file type.
    • Certificate chain file: a file with the .crt suffix or file type.
    • Key file: a file with the .key suffix or file type.
  2. Create a cert directory in the Apache installation directory, and copy the extracted Apache certificate, certificate chain and key files into it. If you need to install multiple certificates, create a corresponding number of cert directories in the Apache directory to store the different certificates.
    Note: If you chose to create the CSR file manually when you applied for the certificate, copy the key file you generated manually into the cert directory and name it domain name.key.
  3. Modify the httpd.conf configuration file.
    1. In the Apache installation directory, open the Apache/conf/httpd.conf file, find the following parameters, and configure them as described in the comments.
       
      # Remove the comment symbol "#" at the start of the next line to load the mod_ssl.so module and enable the SSL service. Apache does not enable this module by default.
      #LoadModule ssl_module modules/mod_ssl.so
      # Remove the comment symbol "#" at the start of the next line.
      #Include conf/extra/httpd-ssl.conf
      Note: If you cannot find the statements above in the httpd.conf configuration file, make sure that the mod_ssl.so module is installed on your Apache server. You can run the yum install -y mod_ssl command to install the mod_ssl module.
    2. Save the httpd.conf file and exit.
  4. Modify the httpd-ssl.conf configuration file.
    1. Open the Apache/conf/extra/httpd-ssl.conf file, find the following parameters, and configure them as described in the comments.
      Note: Depending on the operating system, the httpd-ssl.conf file may instead be located at conf.d/ssl.conf.
       
      <VirtualHost *:443>
          # Change to the domain name bound when you applied for the certificate.
          ServerName www.YourDomainName1.com
          DocumentRoot /data/www/hbappserver/public
          SSLEngine on
          # Add SSL protocol support and remove insecure protocols.
          SSLProtocol all -SSLv2 -SSLv3
          # Modify the cipher suite.
          SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
          SSLHonorCipherOrder on
          # Replace domain name1_public.crt with your certificate file name.
          SSLCertificateFile cert/domain name1_public.crt
          # Replace domain name1.key with your certificate key file name.
          SSLCertificateKeyFile cert/domain name1.key
          # Replace domain name1_chain.crt with your certificate chain file name; if this line begins with a "#" character, remove the "#".
          SSLCertificateChainFile cert/domain name1_chain.crt
      </VirtualHost>

      # If the certificate contains multiple domain names, copy the parameters above and replace ServerName with the second domain name.
      <VirtualHost *:443>
          # Change to the second domain name bound when you applied for the certificate.
          ServerName www.YourDomainName2.com
          DocumentRoot /data/www/hbappserver/public
          SSLEngine on
          # Add SSL protocol support and remove insecure protocols.
          SSLProtocol all -SSLv2 -SSLv3
          # Modify the cipher suite.
          SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
          SSLHonorCipherOrder on
          # Replace domain name2 with the second domain name you used when applying for the certificate.
          SSLCertificateFile cert/domain name2_public.crt
          # Replace domain name2 with the second domain name you used when applying for the certificate.
          SSLCertificateKeyFile cert/domain name2.key
          # Replace domain name2 with the second domain name you used when applying for the certificate; if this line begins with a "#" character, remove the "#".
          SSLCertificateChainFile cert/domain name2_chain.crt
      </VirtualHost>
      Note: Check whether your browser version supports SNI. If it does not, the multi-domain certificate configuration will not take effect.
    2. Save the httpd-ssl.conf file and exit.
  5. Restart the Apache server for the SSL configuration to take effect.
    Run the following commands in the Apache bin directory:
    1. Stop the Apache service.
       
      apachectl -k stop
    2. Start the Apache service.
       
      apachectl -k start
  6. Optional: Modify the httpd.conf file so that HTTP requests are automatically redirected to HTTPS.

    In the httpd.conf file, add the following redirect code between <VirtualHost *:80> and </VirtualHost>.

     
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
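
Before the restart in step 5, it is worth confirming that the three files copied into the cert directory belong together, especially when the CSR was created manually and the .key file did not come from the downloaded package. The script below is an added example, not part of the original article; the function names, the script name and the demo file names are assumptions, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original article): consistency checks for the
# certificate, key and chain files before Apache is restarted.

# Succeeds only if the certificate and the private key hold the same public key.
cert_matches_key() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Succeeds only if the first certificate in the chain file is the issuer named
# by the server certificate (compares name hashes, does not verify signatures).
chain_issues_cert() (
    issuer=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || exit 2
    subject=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || exit 2
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
)

# Constructed sample input: a throwaway CA and one certificate it signs,
# written into directory $1 (demo_public.crt, demo.key, demo_chain.crt).
make_demo_bundle() (
    cd "$1" || exit 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout ca.key -out demo_chain.crt >/dev/null 2>&1 || exit 2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout demo.key -out demo.csr >/dev/null 2>&1 || exit 2
    openssl x509 -req -in demo.csr -CA demo_chain.crt -CAkey ca.key \
        -CAcreateserial -days 1 -out demo_public.crt >/dev/null 2>&1
)

# Usage (hypothetical script name): sh check_cert.sh <public.crt> <key> <chain.crt>
if [ "$#" -eq 3 ]; then
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; exit 1; }
    chain_issues_cert "$1" "$3" || { echo "chain file is not the certificate's issuer" >&2; exit 1; }
    echo "certificate, key and chain are consistent"
fi
```

Once the files pass, `apachectl configtest` checks the syntax of the edited configuration before the stop and start in step 5.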

Next Steps

After the certificate is installed, you can verify that it was installed successfully by visiting the domain name bound to the certificate.
 
https://domain name   # Replace domain name with the domain name bound to the certificate.

If a small lock icon appears in the browser's address bar, the certificate is installed successfully.

  • After a DV/OV SSL digital certificate is deployed on the server, the site appears as shown below when a user's browser accesses it: (Figure: Alibaba Cloud OV and EV certificate display.)
  • After an EV SSL digital certificate is deployed on the server, the site appears as shown below when a user's browser accesses it: (Figure: Alibaba Cloud EV certificate display.)

When you verify whether the certificate is installed successfully, if the site cannot be accessed normally over HTTPS, check whether port 443 on the server where you installed the certificate is open or is being blocked by another tool.

Origin www.cnblogs.com/fpjg/p/12604061.html