For this example we’ll install an SSL certificate for acme.com. The certificate authority is Network Solutions. The procedure may differ for other certificate authorities, especially in how the intermediate certificates are set up.
- Install mod_ssl if needed

```bash
yum install mod_ssl
```
- Copy the SSL certificate to the server – The certificate should be named after the domain name and placed in the /etc/pki/tls/certs folder. For our example the cert will be /etc/pki/tls/certs/acme.com.crt. The matching private key belongs in /etc/pki/tls/private/acme.com.key, owned by root and readable only by root (mode 0600): anyone who can read that file can impersonate the site.
- Copy the intermediate CA bundle to the server – The bundle should be placed in /etc/pki/tls/certs/ and named after the certificate authority; for example, GoDaddy would be “gd_bundle.crt” and Network Solutions would be “ns_bundle.crt”. Sometimes the certificate authority provides the bundle file. Other times they provide only a set of separate root and intermediate CA certificates, and you need to create the bundle file yourself.
The bundle is a text file containing a series of PEM certificates, and their order matters. The first certificate must be the intermediate that directly signed the domain’s SSL certificate, followed by the certificate that signed that intermediate, and so on up the chain toward the root. This is the order Apache sends them to clients, and TLS requires that each certificate in the handshake be followed by the one that signed it; some clients tolerate a wrong order, but not all do. The root itself can be left off the end: every client must already have it in its trust store, so sending it only adds bytes to each handshake (including it does no harm to validation).
You can determine what certificate signed another certificate with a command like this:

```bash
openssl x509 -noout -text -in acme.com.crt | grep "Issuer:"
```

which returns something like:

```
Issuer: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
```

The “Subject:” line, printed the same way, gives a file’s own name, so matching one file’s Issuer against another file’s Subject tells you who signed whom. The full `-text` output also contains an Authority Information Access extension with a line like `CA Issuers - URI:http://www.netsolssl.com/NetworkSolutions_CA.crt`, which tells you where the issuing certificate can be downloaded if the CA did not send it to you.
So for the case of our acme.com certificate from Network Solutions we received the following files:

```
acme.com.crt
AddTrustExternalCARoot.crt
NetworkSolutions_CA.crt
UTNAddTrustServer_CA.crt
```
Using the above openssl command we can see the signer of each file is:

```
acme.com.crt - Issuer: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
AddTrustExternalCARoot.crt - Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
NetworkSolutions_CA.crt - Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
UTNAddTrustServer_CA.crt - Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
```
Look closely and you’ll see that acme.com.crt is signed by NetworkSolutions_CA.crt, which is signed by UTNAddTrustServer_CA.crt, which is signed by AddTrustExternalCARoot.crt. AddTrustExternalCARoot.crt’s Issuer is its own name, which is what marks it as the self-signed root and the end of the chain.
Now we can build the bundle file, starting with the intermediate closest to our certificate. Note that the first command uses `>` rather than `>>`, so a stale bundle left over from a previous certificate is not silently extended:

```bash
cat NetworkSolutions_CA.crt    >  ns_bundle.crt
cat UTNAddTrustServer_CA.crt   >> ns_bundle.crt
cat AddTrustExternalCARoot.crt >> ns_bundle.crt   # optional: the root is already in every client's trust store
```
- Remove the default Apache virtual host – By default mod_ssl sets up a virtual host on port 443 that we do not need. Edit /etc/httpd/conf.d/ssl.conf and remove (or comment out) the virtual host definition from “<VirtualHost _default_:443>” through “</VirtualHost>”, leaving the Listen 443 line and the other global SSL settings above it in place.
- Add Apache configuration – The exact layout of your Apache configuration will depend on how your server has been set up. If you’re following the Reliable Penguin best practices then you can add the following block to /etc/httpd/conf.d/vhosts.conf. Two points deserve attention. The chain is served with SSLCertificateChainFile; the SSLCACertificateFile directive seen in older guides is meant for verifying client certificates and only happens to work because OpenSSL falls back to that store to complete the server’s own chain (on Apache 2.4.8 or later, SSLCertificateChainFile is deprecated and the intermediates go after the server certificate inside SSLCertificateFile instead). And SSLv2, SSLv3 and RC4 are disabled: none of them is considered secure any more, and every current browser speaks TLS.

```apache
<VirtualHost *:443>
    DocumentRoot /var/www/vhosts/acme.com/httpdocs
    ServerName acme.com
    ServerAlias www.acme.com
    ErrorLog logs/acme.com-ssl-error_log
    CustomLog logs/acme.com-ssl-access_log common
    <Directory /var/www/vhosts/acme.com/httpdocs>
        AllowOverride All
    </Directory>
    SSLEngine on
    # SSLv2 and SSLv3 are broken; keep every TLS version this build supports
    SSLProtocol all -SSLv2 -SSLv3
    # strong suites only: no anonymous DH, no MD5, no RC4/3DES, no export grades
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES:!EXPORT
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/acme.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/acme.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/ns_bundle.crt
</VirtualHost>
```
- Restart Apache

```bash
/sbin/service httpd restart
```
- Test with a web browser – Point your browser to https://acme.com and verify that the site loads with no warnings or errors. Test from a machine that has not visited the site before: browsers cache intermediates they have already seen, so a missing or mis-ordered chain can go unnoticed on your own workstation and still break for new visitors.
- If on restarting Apache you get a message like “[warn] _default_ VirtualHost overlap on port 443, the first has precedence”, then you have not removed the default virtual host created by mod_ssl in ssl.conf.
- You may need to adjust the iptables configuration to allow traffic to TCP port 443.
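The bundle-building and testing steps above can be scripted so the chain order and the key are checked before Apache is restarted. The following is an added example, not code from the original page or from Reliable Penguin: `build_bundle` follows the Issuer/Subject links the way the manual comparison above does, so the CA files can be handed to it in any order and it emits the intermediates closest-to-the-leaf first (leaving the self-signed root off, as the chain file does not need it); `verify_chain` checks the result the way a browser would, with the root as the only trust anchor; `key_matches_cert` catches the other classic mistake, a key from the wrong CSR. The file names are illustrative, and `make_test_pki` generates a throwaway root, intermediate and leaf so the script runs offline without the real Network Solutions files.

```bash
#!/bin/bash
# Added example (not from the original page): order a CA bundle by following
# Issuer -> Subject links, then check the chain and the key before restarting Apache.
# File names are illustrative; make_test_pki builds a throwaway PKI so it runs offline.
set -e

# Print the subject or issuer DN of the first certificate in a PEM file, in a
# fixed (RFC 2253) form so the two can be compared as plain strings.
subject_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*= *//'; }
issuer_of()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*= *//'; }

# build_bundle LEAF OUT CA...: starting from the leaf's issuer, find the CA file
# whose subject matches, append it, and repeat with that CA's issuer. The walk
# stops at the self-signed root, which is NOT appended: clients already trust it,
# and the chain file is only for the intermediates. CA files may be in any order.
build_bundle() {
    local leaf=$1 out=$2 want found next ca
    shift 2
    want=$(issuer_of "$leaf")
    : > "$out"                      # truncate: never extend a stale bundle
    while :; do
        found=""
        for ca in "$@"; do
            if [ "$(subject_of "$ca")" = "$want" ]; then
                found=$ca
                break
            fi
        done
        if [ -z "$found" ]; then
            echo "build_bundle: no certificate with subject '$want' among: $*" >&2
            return 1
        fi
        next=$(issuer_of "$found")
        if [ "$next" = "$want" ]; then
            return 0                # $found is self-signed: the root, end of chain
        fi
        cat "$found" >> "$out"      # an intermediate: emit it and climb one level
        want=$next
    done
}

# verify_chain LEAF BUNDLE ROOT: the root is the only trust anchor; the bundle is
# untrusted material that must link the leaf to it, exactly as a browser sees it.
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# key_matches_cert CERT KEY: compare the public keys rather than trusting file names.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# make_test_pki DIR: constructed test data, a throwaway two-level PKI standing in
# for the CA-supplied files (root.crt and int.crt play AddTrustExternalCARoot.crt
# and NetworkSolutions_CA.crt). Keys made this way are for testing only.
make_test_pki() {
    local d=$1 cnf
    mkdir -p "$d"
    cnf=$d/ca.cnf
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca' '[dn]' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' > "$cnf"
    openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Test Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$cnf" -extensions ca -out "$d/int.crt" 2>/dev/null
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=acme.com" -keyout "$d/acme.com.key" -out "$d/acme.com.csr" 2>/dev/null
    openssl x509 -req -in "$d/acme.com.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -sha256 -out "$d/acme.com.crt" 2>/dev/null
}

# Usage with the real files from the page, run in the directory holding them:
#   build_bundle acme.com.crt ns_bundle.crt NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt AddTrustExternalCARoot.crt
#   verify_chain acme.com.crt ns_bundle.crt AddTrustExternalCARoot.crt && echo chain ok
#   key_matches_cert acme.com.crt /etc/pki/tls/private/acme.com.key && echo key ok
```

Run `apachectl -t` before the restart to catch configuration typos, and after it check the live server from another host with `openssl s_client -connect acme.com:443 -servername acme.com`: the certificate chain it prints should list the intermediates in the order written to ns_bundle.crt, and on a host that trusts the AddTrust root it should end with `Verify return code: 0 (ok)`.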