Malcolm 'Max' DeRungs

Apache web server SSL certificates

Crib notes for adding SSL certificates to an Apache web server on different Linux operating systems.

GlobalSign certificate > CentOS 7

In whatever download you get from a Certificate Authority such as GlobalSign, look for three things: the server certificate, the private key, and an intermediate certificate. They will be named something like <domain_name>.cer, <domain_name>.key, and GlobalSign RSA OV SSL CA 2018.cer respectively. See the GlobalSign site for more details.

Rename the file extension .cer to .crt, and replace the spaces in the intermediate certificate's file name with underscores, so you end up with:

<public_domain_name>.crt
<public_domain_name>.key
GlobalSign_RSA_OV_SSL_CA_2018.crt

Secure copy these files to the server user’s home directory.

Create a “certs” directory if it does not already exist, copy both the server and intermediate certificate files into it, and make sure both files are owned by root and writable by root only.

mkdir -p /etc/pki/tls/certs
cp /home/<username>/GlobalSign_RSA_OV_SSL_CA_2018.crt /etc/pki/tls/certs
cp /home/<username>/<public_domain_name>.crt /etc/pki/tls/certs
chown root:root /etc/pki/tls/certs/GlobalSign_RSA_OV_SSL_CA_2018.crt /etc/pki/tls/certs/<public_domain_name>.crt
chmod 644 /etc/pki/tls/certs/GlobalSign_RSA_OV_SSL_CA_2018.crt /etc/pki/tls/certs/<public_domain_name>.crt   # -rw-r--r-- root root

Create a “private” directory for the key file if it does not already exist, copy the key file into it, and make sure it is owned by root and readable by root only.

mkdir -p /etc/pki/tls/private
cp /home/<username>/<public_domain_name>.key /etc/pki/tls/private
chown root:root /etc/pki/tls/private/<public_domain_name>.key
chmod 600 /etc/pki/tls/private/<public_domain_name>.key   # -rw------- root root: a private key must never be world-readable

Create a backup of the default ssl.conf file if it exists (the following is based on CentOS7.x).

mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/x_ssl.conf.orig

Create a new ssl.conf file and configure the virtual host to serve the certificate. Because the packaged ssl.conf was moved aside, the new file must also carry the Listen 443 directive, otherwise httpd will not bind to the HTTPS port.

sudo nano /etc/httpd/conf.d/ssl.conf
Listen 443 https
<VirtualHost _default_:443>
  DocumentRoot "/var/www/html"
  ServerName <domain_name.something>
  SSLEngine on
  #   Server Certificate:
  SSLCertificateFile /etc/pki/tls/certs/<public_domain_name>.crt
  #   Server Intermediate Certificate (sent to clients so they can build the chain):
  SSLCertificateChainFile /etc/pki/tls/certs/GlobalSign_RSA_OV_SSL_CA_2018.crt
  #   Server Private Key:
  SSLCertificateKeyFile /etc/pki/tls/private/<public_domain_name>.key
</VirtualHost>

Save the file and test the configuration - apachectl configtest

No issues? Restart the web service - systemctl restart httpd

Enterprise certificate > CentOS 7

You’ll want a server certificate and a private key for this one; in this case they are the <domain_name>.cer and <domain_name>.key files respectively.

Rename the file extension .cer to .crt, so you end up with:

<internal_domain_name>.crt
<internal_domain_name>.key

Secure copy these files to the server user’s home directory.

Create a “certs” directory if it does not already exist, copy the server certificate file into it, and make sure the file is owned by root and writable by root only.

mkdir -p /etc/pki/tls/certs
cp /home/<username>/<internal_domain_name>.crt /etc/pki/tls/certs
chown root:root /etc/pki/tls/certs/<internal_domain_name>.crt
chmod 644 /etc/pki/tls/certs/<internal_domain_name>.crt   # -rw-r--r-- root root

Create a “private” directory for the key file if it does not already exist, copy the key file into it, and make sure it is owned by root and readable by root only.

mkdir -p /etc/pki/tls/private
cp /home/<username>/<internal_domain_name>.key /etc/pki/tls/private
chown root:root /etc/pki/tls/private/<internal_domain_name>.key
chmod 600 /etc/pki/tls/private/<internal_domain_name>.key   # -rw------- root root: a private key must never be world-readable

Create a backup of the default ssl.conf file if it exists (the following is based on CentOS7.x).

mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/x_ssl.conf.orig

Create a new ssl.conf file and configure the virtual host to serve the certificate. Because the packaged ssl.conf was moved aside, the new file must also carry the Listen 443 directive, otherwise httpd will not bind to the HTTPS port.

sudo nano /etc/httpd/conf.d/ssl.conf
Listen 443 https
<VirtualHost _default_:443>
  DocumentRoot "/var/www/html"
  ServerName <domain_name.something>
  SSLEngine on
  #   Server Certificate:
  SSLCertificateFile /etc/pki/tls/certs/<internal_domain_name>.crt
  #   Server Private Key:
  SSLCertificateKeyFile /etc/pki/tls/private/<internal_domain_name>.key
</VirtualHost>

Save the file and test the configuration - apachectl configtest

No issues? Restart the web service - systemctl restart httpd

GoDaddy Certificate > Ubuntu

Request the certificate and wait for the validation email (10 minutes?). Download and extract the certificate ZIP file. Look for one KEY file and two CRT files: the SSL certificate itself (e.g. abeiakal129lai831jc.crt) and the GoDaddy intermediate bundle (e.g. gd_bundle-g2-1.crt). Rename the former to <my_domain.whatever>.crt and the latter to intermediate.crt.

Secure copy the files to the web server user’s home directory.

scp -P 44444 /Users/<username>/Desktop/godaddy_certs/* username@xxx.xxx.xxx.xxx:/home/username

On the web server, change to the root user and copy the key and certificates under /etc/ssl; the private key goes into /etc/ssl/private, which only root can access.

sudo su -
cp /home/username/<my_domain.whatever>.key /etc/ssl/private
chmod 600 /etc/ssl/private/<my_domain.whatever>.key   # private key: readable by root only
cp /home/username/<my_domain.whatever>.crt /etc/ssl/certs
cp /home/username/intermediate.crt /etc/ssl

Make sure the firewall allows inbound port 443 (HTTPS); list the current rules with iptables -S.

Activate the SSL module - a2enmod ssl.

Edit the SSL configuration, pointing the directives inside the existing <VirtualHost _default_:443> block at the files copied above.

nano /etc/apache2/sites-available/default-ssl.conf
# Inside <VirtualHost _default_:443>:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<my_domain.whatever>.crt
SSLCertificateKeyFile /etc/ssl/private/<my_domain.whatever>.key
# Intermediate (chain) certificate sent to clients. SSLCACertificateFile is for
# verifying *client* certificates and would not send the intermediate.
SSLCertificateChainFile /etc/ssl/intermediate.crt
<VirtualHost *:80>
  ServerName <my_domain.whatever>
  Redirect permanent / https://<my_domain.whatever>/
</VirtualHost>

Set the default HTTPS site and redirect port 80 traffic to port 443.

sudo nano /etc/apache2/sites-available/000-default.conf
<VirtualHost *:443>
    #ServerName www.example.com
    ServerName <my_domain.whatever>
    # SSL Engine
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/<my_domain.whatever>.crt
    SSLCertificateKeyFile   /etc/ssl/private/<my_domain.whatever>.key
    # Intermediate (chain) certificate, not a client-authentication CA:
    SSLCertificateChainFile /etc/ssl/intermediate.crt
</VirtualHost>
<VirtualHost *:80>
    ServerName <my_domain.whatever>
    Redirect permanent / https://<my_domain.whatever>/
</VirtualHost>

Restart Apache2 - sudo systemctl restart apache2.service
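Before running configtest and restarting in any of the three procedures above, it is worth checking that the three files actually belong together and that the key is not world-readable. The following bash script is an added example, not part of the original notes: it takes the certificate, key and intermediate paths as arguments (so it fits both the /etc/pki/tls layout on CentOS and the /etc/ssl layout on Ubuntu) and includes a constructed throwaway CA so the checks can be tried offline.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the three files the notes install: server cert,
# private key, intermediate. Added example, not from the original notes.
# Paths are arguments, so it works for /etc/pki/tls (CentOS) and /etc/ssl (Ubuntu).
# Uses GNU stat (-c) and the openssl CLI.

# check_bundle CERT KEY INTERMEDIATE  -> returns 0 if every check passes, 1 otherwise
check_bundle() {
  cert=$1; key=$2; inter=$3; rc=0

  # 1. The private key must be readable by root only (mode 600 or 400).
  mode=$(stat -c '%a' "$key")
  case "$mode" in
    600|400) ;;
    *) echo "FAIL: $key has mode $mode, expected 600"; rc=1 ;;
  esac

  # 2. The key must belong to the certificate: compare the public keys they carry.
  if [ "$(openssl x509 -noout -pubkey -in "$cert")" != "$(openssl pkey -pubout -in "$key")" ]; then
    echo "FAIL: $key does not match $cert"; rc=1
  fi

  # 3. The intermediate must be the issuer of the server certificate,
  #    otherwise clients receive an incomplete chain.
  issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$cert" | sed 's/^[a-z]*= *//')
  subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$inter" | sed 's/^[a-z]*= *//')
  if [ "$issuer" != "$subject" ]; then
    echo "FAIL: $cert was not issued by $inter"; rc=1
  fi

  # 4. Fail if the server certificate expires within 30 days (2592000 s).
  if ! openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null; then
    echo "FAIL: $cert expires within 30 days"; rc=1
  fi
  return $rc
}

# make_test_bundle DIR: constructed throwaway "intermediate" CA and a server
# certificate signed by it, so the checks can be tried offline.
make_test_bundle() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj /CN=Test-Intermediate-CA \
    -keyout "$d/ca.key" -out "$d/intermediate.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=www.example.test \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 60 -in "$d/server.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
  chmod 600 "$d/server.key"
}
```

On a real host run it as root against the installed paths, e.g. `check_bundle /etc/pki/tls/certs/<public_domain_name>.crt /etc/pki/tls/private/<public_domain_name>.key /etc/pki/tls/certs/GlobalSign_RSA_OV_SSL_CA_2018.crt`, and only restart httpd when it prints nothing and exits 0.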