Certificate Management Service allows you to download and install a certificate on an Apache server. This way, the Apache server is accessible over HTTPS. This topic describes how to install an SSL certificate on an Apache server.

Prerequisites

Procedure

Notice In this example, the certificate name is domain name, the name of the certificate authority (CA) certificate file is domain name_public.crt, the name of the certificate chain file is domain name_chain.crt, and the name of the certificate key file is domain name.key.
  1. Decompress the certificate package for Apache that you downloaded to your computer.
    The following three files are extracted from the package:
    • CA certificate file: a .crt file.
    • Certificate chain file: a .crt file.
    • Certificate key file: a .key file.
    Certificate files
    Note
    • If you select Manual or Select Existing CSR for CSR Generation when you apply for the certificate, the downloaded certificate package does not contain the .key file.

    • A .crt certificate file is a Base64-encoded PEM file. You can change the file name extension to .pem based on your business requirements.

  2. Create a directory named cert in the installation directory of Apache. Then, copy the CA certificate file, certificate chain file, and certificate key file that you obtained to the cert directory.
    To install multiple certificates, create the required number of cert directories in the installation directory of Apache to separately store the certificates.
    Note If you select Manual for CSR Generation when you apply for the certificate, copy the certificate key file that you manually create to the cert directory and rename the certificate key file domain name.key.
  3. Modify the httpd.conf configuration file.
    1. Find and open the httpd.conf configuration file in the Apache/conf/ directory.
      Note The Apache/conf/ directory is the default installation directory of Apache. If you use a different directory, you must find the httpd.conf configuration file in the directory in which the file is stored.
    2. Find the following parameters in the httpd.conf configuration file and configure them based on the following comments:
      # Delete the number sign (#) at the beginning of the following line to load the mod_ssl.so module and enable the SSL service. By default, this module is disabled on Apache servers.
      #LoadModule ssl_module modules/mod_ssl.so
      # Delete the number sign (#) at the beginning of the following line.
      #Include conf/extra/httpd-ssl.conf
      Note If you cannot find the preceding parameters in the httpd.conf configuration file, check whether the mod_ssl.so module is installed on your Apache server. You can run the yum install -y mod_ssl command to install the mod_ssl.so module.
    3. Save the httpd.conf configuration file and exit.
  4. Modify the httpd-ssl.conf configuration file.
    1. Find and open the httpd-ssl.conf configuration file in the Apache/conf/extra/ directory.
      Note The directory in which the configuration file is stored varies based on the operating system. The httpd-ssl.conf configuration file may be stored as conf.d/ssl.conf.
    2. Find the following parameters in the httpd-ssl.conf configuration file and configure them based on the following comments.
      <VirtualHost *:443>
          # Set ServerName to the domain name that you add when you apply for your certificate.
          ServerName
          DocumentRoot  /data/www/hbappserver/public
          SSLEngine on
          # Add supported SSL protocols and remove the protocols that are not secure. This value leaves TLS 1.0 and later enabled.
          SSLProtocol all -SSLv2 -SSLv3
          # Modify the cipher suite.
          SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
          SSLHonorCipherOrder on
          # Replace domain name1_public.crt with the name of your CA certificate file.
          SSLCertificateFile cert/domain name1_public.crt
          # Replace domain name1.key with the name of your certificate key file.
          SSLCertificateKeyFile cert/domain name1.key
          # Replace domain name1_chain.crt with the name of your certificate chain file. If the directive line starts with a number sign (#), delete the number sign.
          SSLCertificateChainFile cert/domain name1_chain.crt
      </VirtualHost>

      # If your certificate contains multiple domain names, copy the preceding parameters, and set ServerName to a different domain name.
      <VirtualHost *:443>
          # Set ServerName to a different domain name that you add when you apply for your certificate.
          ServerName
          DocumentRoot  /data/www/hbappserver/public
          SSLEngine on
          # Add supported SSL protocols and remove the protocols that are not secure.
          SSLProtocol all -SSLv2 -SSLv3
          # Modify the cipher suite.
          SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
          SSLHonorCipherOrder on
          # In the following three lines, replace domain name2 with a different domain name that you add when you apply for your certificate.
          SSLCertificateFile cert/domain name2_public.crt
          SSLCertificateKeyFile cert/domain name2.key
          # If the directive line starts with a number sign (#), delete the number sign.
          SSLCertificateChainFile cert/domain name2_chain.crt
      </VirtualHost>
      Notice Check whether your browser version supports server name indication (SNI). If your browser version does not support SNI, the configuration of a multi-domain certificate does not take effect.
    3. Save the httpd-ssl.conf configuration file and exit.
  5. Optional: Modify the httpd.conf configuration file to configure automatic redirection of HTTP requests to HTTPS requests.

    Add the following redirection code to <VirtualHost *:80> </VirtualHost> in the httpd.conf configuration file:

    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
  6. Restart your Apache server to make the SSL configuration take effect.
    Run the following commands in the bin directory of Apache:
    1. Run the apachectl -k stop command to stop the Apache service.
    2. Run the apachectl -k start command to start the Apache service.
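
Before the restart in step 6, it helps to confirm that the files copied to the cert directory belong together. The following script is an added example, not part of the original procedure or of Certificate Management Service: it checks that the key matches the certificate, that the certificate has not expired, and that it covers the ServerName. The function names, file names and www.example.test are assumptions, and the sample certificate is a constructed self-signed one.

```bash
#!/usr/bin/env bash
# Added example: pre-restart checks for the files in Apache's cert directory.
# Function names, file names and www.example.test are assumptions.

# Succeeds if the private key and the certificate carry the same public key.
key_matches_cert() {   # key_matches_cert CERT KEY
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$c" = "$k" ]
}

# Succeeds if the certificate is still unexpired DAYS days from now.
cert_valid_for() {     # cert_valid_for CERT DAYS
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if NAME (the ServerName) is covered by the certificate.
# -checkhost reports its verdict as text, so the output is matched.
cert_covers_host() {   # cert_covers_host CERT NAME
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Runs the three checks for one <VirtualHost> and reports the first failure.
check_vhost() {        # check_vhost CERT KEY SERVERNAME
  key_matches_cert "$1" "$2" || { echo "FAIL: key does not match $1"; return 1; }
  cert_valid_for "$1" 0      || { echo "FAIL: $1 has expired"; return 1; }
  cert_covers_host "$1" "$3" || { echo "FAIL: $1 does not cover $3"; return 1; }
  echo "OK: $3"
}

# Constructed sample: a throwaway self-signed certificate and an unrelated key.
make_sample() {        # make_sample DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=www.example.test" \
    -keyout "$1/site.key" -out "$1/site_public.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
  d=$(mktemp -d) && make_sample "$d"
  check_vhost "$d/site_public.crt" "$d/site.key" www.example.test            # OK
  check_vhost "$d/site_public.crt" "$d/other.key" www.example.test || true   # FAIL: key
  check_vhost "$d/site_public.crt" "$d/site.key" shop.example.test || true   # FAIL: name
  rm -rf "$d"
fi
```

Call check_vhost with the certificate file, key file and ServerName of each <VirtualHost>; apachectl configtest then covers the syntax of the edited configuration files.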

What to do next

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.
https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate. 

If a lock icon appears in the address bar, the certificate is installed.

If your domain name is inaccessible over HTTPS after the certificate is installed, check whether port 443 on the server where you install the certificate is enabled or blocked by other tools. If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, log on to the ECS console and allow traffic over port 443 on the Security Groups page.