Step one: get your server ready

An Overview of Security-Related Packages

To enable the secure server, you must have the following packages installed at a minimum:
httpd
The httpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_ssl
The mod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
openssl
The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.

Use the command below to install them:

sudo yum install httpd mod_ssl openssl

Check that mod_ssl is properly installed:

# rpm -q mod_ssl
mod_ssl-2.4.6-80.el7.x86_64

And is loaded as a module into httpd server:

# apachectl -M | grep ssl
 ssl_module (shared)

The mod_ssl configuration file is /etc/httpd/conf.d/ssl.conf. Apache only reads it if the main configuration pulls in the conf.d directory, so open /etc/httpd/conf/httpd.conf and check that the following line is present and not commented out (on RHEL/CentOS 7 it is there by default, but verify it rather than assume):

IncludeOptional conf.d/*.conf

Step two: apply for the SSL certificate

Once the Certificate Authority (CA) has approved your request, you receive an email containing the issued certificate. It is a PEM block, which is the DER-encoded certificate in base64 between BEGIN and END markers (it is not an encryption key or a hash), and looks like this:

-----BEGIN CERTIFICATE----- 
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF 
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw 
(.......) 
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6 
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA 
-----END CERTIFICATE-----

Or you can get a free certificate from https://www.sslforfree.com/, which is only valid for 90 days (it is issued through Let's Encrypt) but completely free and can be renewed.

Wildcard or not

With a paid certificate you can request a wildcard that is valid for *.example.com (note that a wildcard on its own does not cover the bare example.com either). The free certificates from sslforfree.com used here cover one name each, so we need two of them.

We will request two SSL certificates, one for www.example.com and one for example.com. If your issuer can put both names into one certificate's subjectAltName list, a single certificate covers both and the second virtual host below becomes unnecessary.

Now you have two sets of three files: the certificate file certificate.crt, the private key file private.key and the CA bundle file ca_bundle.crt.

To confirm that the certificate was issued for the correct domain name, print its subject and its subjectAltName entries. Browsers match the host name against the subjectAltName list whenever one is present and only fall back to the CN when there is none, so the DNS: entries are the ones that matter:

# openssl x509 -noout -text -in certificate.crt | grep -E 'Subject:|DNS:'

Step Three

Copy the files to the server with scp or sftp rather than plain FTP (FTP would send the private key across the network in the clear), then rename them to CN_name.crt, CN_name.key and so on.

Now create the directories below and store the cert files for www.example.com in them; this is where all your certificate files will live:

Example: /etc/httpd/conf/ssl.crt/ , /etc/httpd/conf/ssl.key, /etc/httpd/conf/ca-bundle.

Keep the key directory and the key file readable by root only (chmod 700 on /etc/httpd/conf/ssl.key and chmod 600 on the key itself). httpd reads the key as root at startup before dropping privileges, so nothing else needs access to it.
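Before any of these paths go into ssl.conf, it is worth checking that the three files belong together and that the key is not readable by anyone but root: a key that does not match the certificate stops httpd from starting, and a certificate that does not list the host name produces exactly the browser warning described further down. The script below is an added example and not part of the original post. It assumes only the openssl command line and POSIX tools, generates its own throwaway self-signed certificate (constructed test data standing in for the certificate.crt / private.key / ca_bundle.crt triple) and uses hypothetical file names throughout.

```shell
#!/bin/sh
# Added example (not code from the original post): pre-deployment checks
# for a certificate / private key / CA-bundle triple, run on the server
# before the paths go into ssl.conf. Assumes only the openssl CLI and
# POSIX tools; every file name below is hypothetical.

# cert_key_match CERT KEY
# Succeeds only if KEY is the private half of the public key in CERT.
# A mismatch is the classic "httpd refuses to start" after a renewal.
cert_key_match() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_covers CERT HOST
# Succeeds if HOST is listed in subjectAltName; when the certificate has
# no SAN extension at all, falls back to the subject CN. Browsers ignore
# the CN whenever a SAN list is present, so the order matters.
cert_covers() {
    h=$(printf '%s' "$2" | sed 's/\./\\./g')       # literal dots for grep -E
    txt=$(openssl x509 -noout -text -in "$1" 2>/dev/null) || return 1
    if printf '%s\n' "$txt" | grep -q 'Subject Alternative Name'; then
        printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' \
            | grep -Eq "DNS:$h(,|\$)"
    else
        printf '%s\n' "$txt" | grep -Eq "Subject:.*CN *= *$h(,|/|\$)"
    fi
}

# chain_ok CERT BUNDLE
# Succeeds if CERT validates against the CAs in BUNDLE, i.e. the bundle
# you were sent really is the issuing chain for this certificate.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_is_private KEY
# Succeeds only if the key file has no group/other permission bits;
# httpd reads the key as root at startup, so 0600 root:root is enough.
key_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_triple CERT KEY BUNDLE HOST
# Runs every check, prints one verdict line each, succeeds only if all pass.
# (Arguments are word-split, so keep the paths free of spaces.)
check_triple() {
    rc=0
    for chk in "cert_key_match $1 $2" "cert_covers $1 $4" \
               "chain_ok $1 $3" "key_is_private $2"; do
        if $chk; then echo "ok   $chk"; else echo "FAIL $chk"; rc=1; fi
    done
    return $rc
}

# make_test_pair DIR
# Constructed test data: a throwaway self-signed certificate for
# www.example.com with example.com as a second SAN, so the checks can be
# exercised offline. Because it is self-signed, the cert doubles as its
# own CA bundle. The config-file route works on OpenSSL 1.0.2 as well as
# 1.1.1/3.x (which would also accept -addext).
make_test_pair() {
    cat > "$1/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = www.example.com
[ext]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
        -keyout "$1/private.key" -out "$1/certificate.crt" >/dev/null 2>&1 \
    && cp "$1/certificate.crt" "$1/ca_bundle.crt" \
    && chmod 600 "$1/private.key"
}

# Demo run on the constructed data: the first host is on the cert, the
# second is not.
tmp=$(mktemp -d) && make_test_pair "$tmp"
check_triple "$tmp/certificate.crt" "$tmp/private.key" "$tmp/ca_bundle.crt" www.example.com
check_triple "$tmp/certificate.crt" "$tmp/private.key" "$tmp/ca_bundle.crt" mail.example.com \
    || echo "(expected: mail.example.com is not on this certificate)"
rm -rf "$tmp"
```

Against real files, run check_triple with the certificate, key, bundle and the host name that will go into ServerName. The SAN check is the one that matters for the browser warning later in this guide; the CN is only consulted when the certificate carries no subjectAltName extension at all.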

Then we edit the /etc/httpd/conf.d/ssl.conf to use the certificate:

......
Listen 443 https
......

<VirtualHost *:443>

DocumentRoot "/var/www/html"

# Below must match a name on your certificate (CN or subjectAltName)
ServerName www.yourdomain.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
SSLEngine on

# SSL Protocol support: SSLv2 and SSLv3 are broken and must stay off.
# TLS 1.0 and 1.1 are deprecated as well; drop them too (-TLSv1 -TLSv1.1)
# unless you still have clients that need them.
SSLProtocol all -SSLv2 -SSLv3

# 3DES is kept here only for very old clients; it is vulnerable to SWEET32
# and can be removed by changing 3DES to !3DES.
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

# Server Certificate:

SSLCertificateFile /etc/httpd/conf/ssl.crt/melbournecityit.com.au.crt

# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/melbournecityit.com.au.key

# Server Certificate Chain (CA bundle):
SSLCertificateChainFile /etc/httpd/conf/ca-bundle/melbournecityit.com.au.crt

.....................

</VirtualHost>

To force the website to redirect HTTP traffic to HTTPS, edit the .htaccess file in the website root directory. This needs mod_rewrite loaded and AllowOverride enabled for that directory in httpd.conf (the stock CentOS configuration sets AllowOverride None for /var/www/html, in which case the rules can go into the :80 virtual host instead):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 

Verify your SSL certificate installation:

Use the command below to check the HTTPS status. Pass -servername as well: the server selects the virtual host, and with it the certificate, by the host name the client sends in the TLS handshake (SNI), and without it you may be shown the certificate of the default virtual host instead:

openssl s_client -connect www.example.com:443 -servername www.example.com

In the output, check the subject of the certificate and the "Verify return code" line (0 (ok) means the chain validated against the system CA store). Or open a browser and test.

Now you will find that https://www.example.com runs fine, but if you type https://example.com the browser warns that the site is not safe. Click the advanced tab on desktop and it tells you the certificate is for www.example.com, not example.com. This is how strictly a non-wildcard certificate is matched: the host name in the address bar must appear in the certificate.

 

Copy the second set of cert files to /etc/httpd/conf/nonwww/ssl.crt/ , /etc/httpd/conf/nonwww/ssl.key and /etc/httpd/conf/nonwww/ca-bundle, with the same root-only permissions on the key.

Then open the ssl.conf file edited above, copy the existing <VirtualHost *:443> ….. </VirtualHost> block to the bottom and change the line "ServerName www.yourdomain.com:443" to "ServerName yourdomain.com:443". Apache picks the virtual host by the host name sent in the TLS handshake (SNI), so the ServerName must match the certificate exactly; clients that send no SNI get the first *:443 block in the file.

Find the three lines for the cert file, key file and bundle file and change them to the new path:

# Server Certificate:

SSLCertificateFile /etc/httpd/conf/nonwww/ssl.crt/melbournecityit.com.au.crt

# Server Private Key:

SSLCertificateKeyFile /etc/httpd/conf/nonwww/ssl.key/melbournecityit.com.au.key

# Server Certificate Chain (CA bundle):

SSLCertificateChainFile /etc/httpd/conf/nonwww/ca-bundle/melbournecityit.com.au.crt

 

......
<VirtualHost *:443>

DocumentRoot "/var/www/html"

# Below must match a name on your certificate (CN or subjectAltName)
ServerName yourdomain.com:443

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
SSLEngine on

# SSL Protocol support:
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

# Server Certificate:

SSLCertificateFile /etc/httpd/conf/nonwww/ssl.crt/melbournecityit.com.au.crt

# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/nonwww/ssl.key/melbournecityit.com.au.key

# Server Certificate Chain (CA bundle):
SSLCertificateChainFile /etc/httpd/conf/nonwww/ca-bundle/melbournecityit.com.au.crt

.....................

</VirtualHost>

Check the configuration syntax with apachectl configtest, then restart Apache: sudo service httpd restart (on CentOS 7, sudo systemctl restart httpd does the same).

Clear the browser cache, type https://example.com and check that it works.