
Certificate Management Service: Install SSL certificates on Apache servers

Last Updated: Jan 19, 2024

This topic describes how to install an SSL certificate on an Apache server, including downloading and uploading a certificate file, configuring related parameters on the Apache server, and verifying the installation result. The parameters include those related to the certificate file, certificate chain, and certificate key. After the certificate is installed, you can access the Apache server over HTTPS, which encrypts data in transit between the client and the server.

Important

This topic provides an example on how to install a certificate on an Apache 2.4.7 server that runs a CentOS operating system. The installation process may vary based on the version of the operating system or web server. If you have questions, contact your account manager.

Prerequisites

  • A certificate is issued by using the Certificate Management Service console. For more information, see Purchase an SSL certificate and Submit a certificate application.
  • DNS resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.
  • The mod_ssl.so module is installed on your Apache server. This module is used to enable SSL encryption.

    If the module is not installed, you can run the yum install -y mod_ssl command to install the module. After you run the command, you can run the httpd -M | grep 'ssl' command to check whether the mod_ssl.so module is successfully installed on your Apache server.

    If the module is successfully installed, the command output contains an ssl_module entry.

Step 1: Download the certificate

  1. Log on to the Certificate Management Service console.
  2. In the left-side navigation pane, click SSL Certificates.
  3. On the SSL Certificates page, find the certificate that you want to manage and click Download in the Actions column.
  4. Find Apache in the Server Type column and click Download in the Actions column.

  5. Decompress the downloaded certificate package.

    The files that you can extract from the package vary based on the CSR generation method that you use when you submit the certificate application. The following list describes the files for each value of the CSR Generation parameter.

    CSR Generation set to Automatic:

    • Certificate file in the CRT format: By default, the certificate file is named domain_name_public.crt, where domain_name is the domain name bound to the certificate. The CRT certificate file is encoded in Base64.

    • Certificate chain file in the CRT format: By default, the certificate chain file is named domain_name_chain.crt.

    • Private key file in the KEY format: By default, the private key file is named domain_name.key.

    CSR Generation set to Manual:

    • If you specify a CSR that is created in the Certificate Management Service console, the files that are extracted from the downloaded certificate package are the same as the files that are obtained when you set CSR Generation to Automatic.

    • If the specified CSR is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Step 2: Install the certificate on the Apache server

  1. Run the following commands to create a directory named cert in the installation directory of Apache.

    1. Run the following command to go to the installation directory of Apache:

      cd /etc/httpd/ # Go to the default installation directory of Apache that is installed by using yum. If you have changed the directory or installed Apache by using other methods, specify the actual directory.
    2. Run the following command to create a directory named cert:

      mkdir cert # Create a directory named cert.
  2. Upload the certificate file, certificate chain file, and private key file to the certificate directory (/etc/httpd/cert) of the Apache server.

    Note

    You can upload the files by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, or WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Use mstsc.exe to upload a file to a Windows instance or Upload a file to a Linux instance.

  3. Modify the certificate-related settings in the httpd.conf and ssl.conf configuration files.

    1. Find the LoadModule ssl_module modules/mod_ssl.so directive, which loads the mod_ssl.so module and enables SSL encryption, and the Include conf.modules.d/*.conf directive, which loads the SSL configuration directory. Check whether either line is commented out with a leading number sign (#). If so, delete the number sign.

      Important

      The configuration files that contain the parameters vary based on the operating system and the installation method of Apache. The following list describes the configuration files that contain the parameters:

      • conf.modules.d/00-ssl.conf: This file contains the LoadModule ssl_module modules/mod_ssl.so parameter.

      • httpd.conf: This file contains the Include conf.modules.d/*.conf parameter.

      • httpd-ssl.conf

      If you cannot find the preceding parameters, check whether the mod_ssl.so module is installed on the Apache server. If the module is not installed, you can run the yum install -y mod_ssl command to install the module. After you run the command, you can run the httpd -M | grep 'ssl' command to check whether the mod_ssl.so module is successfully installed on the Apache server.

    2. Run the following command to open the ssl.conf configuration file:

      vim /etc/httpd/conf.d/ssl.conf

      Important

      The name of the configuration file and the directory in which the configuration file is stored vary based on your operating system. If you cannot find the ssl.conf file, check whether the conf/extra/httpd-ssl.conf configuration file exists in the installation directory of Apache.

    3. Find the following parameters in the ssl.conf configuration file and configure the parameters based on the following comments:

      # Apache does not allow a comment on the same line as a directive, so each comment is on its own line.
      <VirtualHost *:443>
       # Set ServerName to the domain name that you add to the certificate. example.com is a placeholder.
       ServerName example.com
       # Replace domain_name_public.crt with the name of your certificate file.
       SSLCertificateFile cert/domain_name_public.crt
       # Replace domain_name.key with the name of your private key file.
       SSLCertificateKeyFile cert/domain_name.key
       # Replace domain_name_chain.crt with the name of your certificate chain file. If the line starts with a number sign (#), delete the number sign.
       SSLCertificateChainFile cert/domain_name_chain.crt

       # Specify the Transport Layer Security (TLS) protocols and custom cipher suites that you want to use. The following sample code is only for reference.
       # A later TLS version offers higher security but lower compatibility with browsers.
       # Add supported SSL protocols and remove the protocols that are not secure. This sample still permits TLS 1.0 and TLS 1.1.
       #SSLProtocol all -SSLv2 -SSLv3
       # Modify the cipher suite.
       #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
      </VirtualHost>

      # If your certificate contains multiple domain names, copy the VirtualHost parameter, and set ServerName to a different domain name.
      <VirtualHost *:443>
       # Set ServerName to a different domain name that you add to the certificate. example.org is a placeholder.
       ServerName example.org
       # In the following three file names, replace domain_name2 with the different domain name.
       SSLCertificateFile cert/domain_name2_public.crt
       SSLCertificateKeyFile cert/domain_name2.key
       # If the line starts with a number sign (#), delete the number sign.
       SSLCertificateChainFile cert/domain_name2_chain.crt

       SSLEngine on
       SSLHonorCipherOrder on
       # Specify the TLS protocols and custom cipher suites that you want to use. The following sample code is only for reference.
       # A later TLS version offers higher security but lower compatibility with browsers.
       # Add supported SSL protocols and remove the protocols that are not secure. This sample still permits TLS 1.0 and TLS 1.1.
       #SSLProtocol all -SSLv2 -SSLv3
       # Modify the cipher suite.
       #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
      </VirtualHost>

      Important

      Check whether your browser version supports server name indication (SNI). If your browser version does not support SNI, the configuration of a multi-domain certificate does not take effect.

    4. Optional. Modify the httpd.conf configuration file to configure automatic redirection of HTTP requests to HTTPS requests.

      Add the following redirection code to the httpd.conf configuration file:

      RewriteEngine on
      RewriteCond %{SERVER_PORT} !^443$
      RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
  4. Restart the Apache service to make the preceding configuration take effect.

    1. Run the apachectl -k stop command to stop the Apache service.

    2. Run the apachectl -k start command to start the Apache service.
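
Before the restart, it is worth confirming that the files uploaded to the cert directory belong together. The following script is an added example, not part of the original procedure or of any Alibaba Cloud tooling; its function names are illustrative, and it checks that the private key matches the certificate, that the chain file begins with the certificate's issuer (by name, not by signature), that the certificate is not close to expiry, and that the key file is not readable by other users.

```shell
#!/bin/sh
# Added example: sanity-check the three files in /etc/httpd/cert before restarting Apache.
# Function names are illustrative. Requires the openssl CLI and GNU stat.

# 0 if the private key ($2) belongs to the certificate ($1): both must yield the same public key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the first certificate in the chain file ($2) is the issuer named by the certificate ($1).
chain_follows_cert() {
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    s=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 1
    [ -n "$i" ] && [ "$i" = "$s" ]
}

# 0 if the certificate ($1) is still valid $2 seconds from now.
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# 0 if the key file ($1) grants no permissions to group or others (for example 600 or 400).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Run all checks; prints one line per failure and returns non-zero if any check fails.
check_cert_files() {    # usage: check_cert_files CERT KEY CHAIN
    rc=0
    key_matches_cert "$1" "$2"   || { echo "FAIL: private key does not match certificate"; rc=1; }
    chain_follows_cert "$1" "$3" || { echo "FAIL: chain file does not start with the issuer"; rc=1; }
    valid_for "$1" 2592000       || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    key_is_private "$2"          || { echo "FAIL: key file is readable by group or others"; rc=1; }
    return $rc
}

# Example: sh check.sh cert/domain_name_public.crt cert/domain_name.key cert/domain_name_chain.crt
if [ "$#" -eq 3 ]; then
    check_cert_files "$@" && echo "OK: files are consistent"
fi
```

Run the script from /etc/httpd with the three file paths used in ssl.conf; apachectl configtest then checks the syntax of the configuration itself.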

Step 3: Check whether the certificate is installed

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If a lock icon appears in the address bar, the certificate is installed.
