Apache for Linux

This document describes how to install a certificate on an Apache for Linux server.

Prerequisites

1. The certificate is in the Issued state.
2. You have obtained the certificate package.

Preparation

Install OpenSSL

Install OpenSSL first so that Apache can support SSL.

1. Download OpenSSL from http://www.openssl.org/source/.

2. Execute the following commands:

   tar -zxf openssl-1.*.**.tar.gz     // Decompress the package.
   cd openssl-1.*.**              // Change to the directory.
   ./config              // Complete the configuration. It is recommended that you use the default settings.
   make && make install
   

By default, OpenSSL is installed in the /usr/local/ssl directory.

Install Apache

./configure --prefix=/usr/local/apache --enable-so --enable-ssl --with-ssl=/usr/local/ssl --enable-mods-shared=all
// Complete the configuration. It is recommended that you use the dynamic compiler.
make && make install  

Dynamically compiling the Apache module facilitates module loading. Apache will be installed in the /usr/local/apache directory.

Install the server certificate

Obtain the server certificate

From the certificate issuing file, copy the server certificate content (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to a text file and save it with server.crt as the name.

Obtain CA certificates

From the certificate issuing file, copy the content of the two CA certificates (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to the same text file. Use a carriage return as the delimiter between the two certificates. Do not insert any blank line. Then, save the file as ca.crt.
If there is only one CA certificate, you only need to copy and save the content of the certificate to the text file.

Modify configuration files for Apache

1. Open the httpd.conf file in the conf folder of the Apache installation directory. Locate the following line:

   #LoadModule ssl_module modules/mod_ssl.so
   

2. Delete the comment sign (#) at the beginning.

3. Save and close the file.

4. Open the ssl.conf file in the conf folder in the Apache installation directory. Search for LoadModule ssl_module to locate the following lines:

   #LoadModule ssl_module modules/mod_ssl.so
   #Include conf/extra/httpd_ssl.conf
   

5. Delete the comment sign (#) at the beginning of each line.

6. Save and close the file.

7. Open the httpd-ssl.conf file in the conf/extra folder or the ssl.conf file in the conf folder in the Apache installation directory. Add or edit the following lines between <VirtualHost *:443> and </VirtualHost>:

   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
   SSLCertificateFile conf/server.crt         # Set the server certificate path.
   SSLCertificateKeyFile conf/server.key    # Set the private key path for the server certificate.
   #SSLCertificateChainFile conf/ca.crt      # Delete the comment sign (#) at the beginning and set the CA certificate path.
   

8. Save and close the file.

9. Go to the bin directory in the Apache installation directory and run the following commands to restart Apache:

   ./apachectl -k stop   
   ./apachectl -k start
   

10. Use HTTPS to access your website to verify whether the certificates have been installed correctly.

Back up and restore a server certificate

After successfully installing the server certificate and completing configuration, back up the server certificate for further restoration.

Back up a server certificate

Back up the following files:

• Server certificate private key file server.key
• Server certificate file server.crt
• Server certificate CA certificate file ca.crt

Restore a server certificate

See the procedures for installing a server certificate. After restoring a server certificate, modify the configuration files for the server certificate to take effect.