
Install SSL Certificate – Apache / CentOS / RHEL

For this example we’ll install an SSL certificate for acme.com. The certificate authority is Network Solutions. The procedure may differ for other certificate authorities, especially in how intermediate certificates are set up.

  1. Install mod_ssl if needed
  2. Copy SSL certificate to the server – The certificate should be named after the domain name and placed in the /etc/pki/tls/certs folder. For our example the cert will be:
  3. Copy the intermediate CA bundle to the server – The bundle should be placed in /etc/pki/tls/certs/ and named after the certificate authority. For example, GoDaddy would be “gd_bundle.crt” and Network Solutions would be “ns_bundle.crt”. Sometimes the certificate authority will provide the bundle file. Other times they will just provide a set of separate root and intermediate CA certificates. In this situation, you’ll need to create the bundle file yourself.

    The bundle is a text file with a series of certificates. The first certificate must be the root, followed by each intermediate certificate in the order that they were used to sign. So the certificates should form a chain starting at the root and leading to the intermediate that directly signs the domain’s SSL certificate.

    You can determine what certificate signed another certificate with a command like this:

    which returns something like:

    So for the case of our acme.com certificate from Network Solutions we received the following files:

    Using the above openssl command we can see the signer of each file is:

    Look closely and you’ll see that acme.com.crt is signed by NetworkSolutions_CA.crt which is signed by UTNAddTrustServer_CA.crt which is signed by AddTrustExternalCARoot.crt.

    Now we can build the bundle file like this:

  4. Remove default Apache virtual host – By default mod_ssl sets up a virtual host that we do not need. Edit /etc/httpd/conf.d/ssl.conf and remove the virtual host definition from “<VirtualHost _default_:443>” to “</VirtualHost>”.
  5. Add Apache configuration – The exact layout of your Apache configuration will depend on how your server has been set up. If you’re following the Reliable Penguin best practices then you can add the following block to /etc/httpd/conf.d/vhosts.conf:

  6. Restart Apache

  7. Test with web browser – Point your browser to https://acme.com and verify that the site loads with no warnings or errors.
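
For step 3, when the certificate authority supplies separate root and intermediate files, the signing order can be worked out mechanically by matching each certificate's issuer to the subject of the certificate that signed it. The script below is an added example, not part of the original procedure: cert_names, chain_order and sample_input are hypothetical helper names, and the distinguished names in the sample are constructed placeholders attached to the file names from the acme.com example.

```shell
#!/bin/sh
# Added example: list CA certificate files root first, the order step 3
# gives for the bundle. Function names are hypothetical helpers.

# cert_names FILE...: print "file<TAB>subject<TAB>issuer" for each PEM file.
cert_names() {
    for f in "$@"; do
        s=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
        i=$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer= *//')
        printf '%s\t%s\t%s\n' "$f" "$s" "$i"
    done
}

# chain_order: read those lines on stdin and print the file names root first.
# Returns non-zero when there is not exactly one self-signed root or when
# some file is not signed by the previous one (a missing or stray file).
chain_order() {
    awk -F '\t' '
        { subj[$1] = $2; iss[$1] = $3; n++ }
        END {
            for (f in subj) if (subj[f] == iss[f]) { cur = f; roots++ }
            if (roots != 1) { print "need exactly one self-signed root" > "/dev/stderr"; exit 1 }
            print cur; used[cur] = 1
            for (count = 1; count < n; count++) {
                nxt = ""
                for (f in subj) if (!used[f] && iss[f] == subj[cur]) nxt = f
                if (nxt == "") { print "chain broken after " cur > "/dev/stderr"; exit 1 }
                print nxt; used[nxt] = 1; cur = nxt
            }
        }'
}

# Constructed sample: file names from the example above, placeholder DNs,
# deliberately listed out of order.
sample_input() {
    printf '%s\t%s\t%s\n' \
        NetworkSolutions_CA.crt 'CN=Constructed Issuing CA' 'CN=Constructed Intermediate CA' \
        AddTrustExternalCARoot.crt 'CN=Constructed Root CA' 'CN=Constructed Root CA' \
        UTNAddTrustServer_CA.crt 'CN=Constructed Intermediate CA' 'CN=Constructed Root CA'
}

sample_input | chain_order
# With real files (requires openssl):
#   cert_names AddTrustExternalCARoot.crt UTNAddTrustServer_CA.crt NetworkSolutions_CA.crt | chain_order
```

Pass only the CA certificates to cert_names; the domain certificate itself is not part of the bundle. A non-zero exit means a file is missing from the set or does not belong to this chain.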

Troubleshooting

  • On restarting Apache if you get a message like this “[warn] _default_ VirtualHost overlap on port 443, the first has precedence” then you’ve not removed the default virtual host created by mod_ssl.
  • You may need to adjust the iptables configuration to allow traffic to TCP port 443.