Apache SSL certificate configuration

Prerequisites

  • OpenSSL is installed.
  • This document uses "domain name" as the example certificate name: the certificate file is domain name_public.crt, the certificate chain file is domain name_chain.crt, and the key file is domain name.key.
  • If you did not select automatic CSR creation when applying for the certificate, the downloaded certificate package does not contain a .key file.
 
Note: a .crt certificate file is a Base64-encoded text file in PEM format; you can change the extension to .pem if needed. For details on certificate formats, see "What formats do mainstream digital certificates have?".

Steps

  1. Log in to the Alibaba Cloud SSL Certificates console.
  2. On the SSL Certificates page, click the Issued tab, locate the certificate you need to download, and click Download in the lower right corner of the certificate card to open the certificate download panel.
    (Figure: download)
  3. In the download panel, locate the certificate for the Apache server and click Download on the right of the Actions column. If you need to install multiple certificates, download each of them from the SSL console.
    (Figure: Apache version of the certificate)
    Download the complete Apache certificate package and save it locally.
  4. Unzip the Apache certificate package you downloaded.
    The extracted folder contains three files:
    • Certificate file: the file with the .crt suffix or file type.
    • Certificate chain file: the file with the .crt suffix or file type.
    • Key file: the file with the .key suffix or file type.
  5. Create a cert directory in the Apache installation directory and copy the extracted Apache certificate, certificate chain file, and key file into it. If you need to install multiple certificates, create a corresponding number of cert directories in the Apache directory to hold the different certificates.
     
    Note: if you chose to create the CSR file manually when applying for the certificate, copy the key file you generated yourself into the cert directory and name it domain name.key.
  6. Modify the httpd.conf configuration file.
    1. In the Apache installation directory, open the Apache/conf/httpd.conf file, find the following parameters, and configure them as described in the comments. Apache does not allow a comment on the same line as a directive, so the explanations are shown on separate lines.
       
      # Remove the leading "#" from the next line to load the mod_ssl.so module and enable SSL; Apache does not load this module by default.
      # If you cannot find this line, recompile the mod_ssl module.
      #LoadModule ssl_module modules/mod_ssl.so
      # Remove the leading "#" from the next line.
      #Include conf/extra/httpd-ssl.conf
    2. Save the httpd.conf file and exit.
  7. Modify the httpd-ssl.conf configuration file.
    1. Open the Apache/conf/extra/httpd-ssl.conf file, find the following parameters, and configure them as described in the comments. Absolute paths are recommended for the certificate paths. As in httpd.conf, comments must sit on their own lines.
       
      Note: depending on the operating system, the httpd-ssl.conf file may instead be located at conf.d/ssl.conf.
       
      <VirtualHost *:443>
          # Change to the domain name bound to the certificate when you applied for it.
          ServerName www.YourDomainName1.com
          DocumentRoot /data/www/hbappserver/public
          SSLEngine on
          # Enable SSL protocol support and remove the insecure protocols.
          SSLProtocol all -SSLv2 -SSLv3
          # Set the cipher suites.
          SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
          SSLHonorCipherOrder on
          # Replace domain name1_public.crt with your certificate file name.
          SSLCertificateFile cert/domain name1_public.crt
          # Replace domain name1.key with your certificate key file name.
          SSLCertificateKeyFile cert/domain name1.key
          # Replace domain name1_chain.crt with your certificate chain file name; if the chain file starts with a "#" character, delete it.
          SSLCertificateChainFile cert/domain name1_chain.crt
      </VirtualHost>
      # If the certificate covers multiple domain names, copy the parameters above and replace ServerName with the second domain name.
      <VirtualHost *:443>
          # Change to the second domain name bound to the certificate when you applied for it.
          ServerName www.YourDomainName2.com
          DocumentRoot /data/www/hbappserver/public
          SSLEngine on
          # Enable SSL protocol support and remove the insecure protocols.
          SSLProtocol all -SSLv2 -SSLv3
          # Set the cipher suites.
          SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
          SSLHonorCipherOrder on
          # Replace domain name2 with the second domain name you applied the certificate for.
          SSLCertificateFile cert/domain name2_public.crt
          # Replace domain name2 with the second domain name you applied the certificate for.
          SSLCertificateKeyFile cert/domain name2.key
          # Replace domain name2 with the second domain name you applied the certificate for; if the chain file starts with a "#" character, delete it.
          SSLCertificateChainFile cert/domain name2_chain.crt
      </VirtualHost>
       
      Note: check whether your browser version supports SNI; if it does not, the multi-domain certificate configuration will not take effect.
    2. Save the httpd-ssl.conf file and exit.
  8. Restart the Apache server so that the SSL configuration takes effect.
    Run the following commands in the bin directory of Apache:
    1. Stop the Apache service.
       
      apachectl -k stop
    2. Start the Apache service.
       
      apachectl -k start
  9. Optional: modify the httpd.conf file so that HTTP requests are automatically redirected to HTTPS.

    In httpd.conf, add the following redirect directives between <VirtualHost *:80> and </VirtualHost> (mod_rewrite must be loaded).

     
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
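Before restarting Apache (step 8), it is worth checking the cert directory from step 5 and the chain-file note from step 7. The following POSIX shell helper is an added example, not Alibaba Cloud's own tooling: it verifies that the three expected files exist and look like PEM, strips a stray leading "#" from the chain file, and, with OpenSSL available, confirms the key really belongs to the certificate. The file naming (domain name_public.crt, domain name_chain.crt, domain name.key) is assumed to follow the page.

```shell
#!/bin/sh
# Added pre-flight check for the cert/ directory of steps 5 and 7 (not Alibaba Cloud's own tooling).
# Usage: check_cert_files <cert_dir> <domain>; keypair_matches <cert> <key> (the latter needs openssl).

# Succeed only if the file contains a PEM block with the given label, e.g. CERTIFICATE.
pem_has_block() {  # $1 = file, $2 = label
    grep -q -- "-----BEGIN $2-----" "$1" && grep -q -- "-----END $2-----" "$1"
}

# Remove the stray "#" that sometimes precedes the first line of the downloaded chain file (step 7).
fix_chain_header() {  # $1 = chain file, edited in place
    case "$(head -n 1 "$1")" in
        "#"*) sed '1s/^#//' "$1" > "$1.tmp" && mv "$1.tmp" "$1" ;;
    esac
}

# Check that <domain>_public.crt, <domain>_chain.crt and <domain>.key exist and look like PEM.
check_cert_files() {  # $1 = cert dir, $2 = domain; returns 0 when everything is in place
    dir=$1; domain=$2; rc=0
    pub="$dir/${domain}_public.crt"; chain="$dir/${domain}_chain.crt"; key="$dir/${domain}.key"
    for f in "$pub" "$chain" "$key"; do
        [ -f "$f" ] || { echo "missing: $f"; rc=1; }
    done
    # A missing .key usually means the CSR was created manually: copy your own key here as <domain>.key.
    [ "$rc" -eq 0 ] || return 1
    fix_chain_header "$chain"
    pem_has_block "$pub" CERTIFICATE || { echo "not a PEM certificate: $pub"; rc=1; }
    pem_has_block "$chain" CERTIFICATE || { echo "not a PEM certificate chain: $chain"; rc=1; }
    grep -q -- "-----BEGIN .*PRIVATE KEY-----" "$key" || { echo "not a PEM private key: $key"; rc=1; }
    return "$rc"
}

# Confirm the private key belongs to the certificate by comparing their public keys (RSA or EC).
keypair_matches() {  # $1 = certificate file, $2 = private key file; requires openssl
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}
```

A mismatch reported by keypair_matches is the usual cause of Apache refusing to start after step 8, typically because the wrong .key was copied for a manually created CSR.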

Next Steps

After the certificate is installed, you can verify that the installation succeeded by visiting the domain name bound to the certificate:
 
https://domain name   # replace "domain name" with the domain name bound to the certificate

If a small lock icon appears in the browser address bar, the certificate was installed successfully.

  • After a DV SSL certificate is deployed on the server, the user's browser displays the following when accessing the site:
  • After an OV SSL certificate is deployed on the server, the user's browser displays the following when accessing the site:
  • After an EV SSL certificate is deployed on the server, the user's browser displays the following when accessing the site:

If the site cannot be accessed normally over HTTPS, make sure that port 443 is open on the server where the certificate is installed and is not being blocked by a firewall or other tool.


Source: www.cnblogs.com/Mr-zhangwenqiang/p/12408539.html