Make sure the mod_ssl security module is installed and enabled so the Apache web server can use the OpenSSL library and toolkit:
yum install mod_ssl openssl
Execute the following commands:
mkdir -p /etc/httpd/ssl/ mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak cd /etc/httpd/ssl/
Generate SSL certificate signing request (CSR) files for your domains:
openssl genrsa -out domain1.key 2048 openssl req -new -key domain1.key -out domain1.csr openssl genrsa -out domain2.key 2048 openssl req -new -key domain2.key -out domain2.csr
and enter the following details for your certificates:
- Country Name
- State or Province Name
- Locality Name
- Organization Name
- Organizational Unit Name
- Email Address
When prompted for the Common Name (i.e. domain name), enter the FQDN (fully qualified domain name) for the website you are securing.
It is recommended to install commercial SSL certificates when used in a production environment. Or, generate and use self-signed SSL certificates when you are just developing or testing a website or application using the following commands:
openssl x509 -req -days 365 -in domain1.csr -signkey domain1.key -out domain1.crt openssl x509 -req -days 365 -in domain2.csr -signkey domain2.key -out domain2.crt
Edit the ‘ssl.conf’ Apache configuration file:
vi /etc/httpd/conf.d/ssl.conf
and add the following lines:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
NameVirtualHost *:443
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLStrictSNIVHostCheck off
<VirtualHost *:443>
DocumentRoot /var/www/html/domain1
ServerName domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/domain1.crt
SSLCertificateKeyFile /etc/httpd/ssl/domain1.key
#SSLCertificateChainFile /etc/httpd/ssl/ca.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/domain2
ServerName domain2.com
ServerAlias www.domain2.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/domain2.crt
SSLCertificateKeyFile /etc/httpd/ssl/domain2.key
#SSLCertificateChainFile /etc/httpd/ssl/ca.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
When using a commercial SSL certificate, it is likely the signing authority will include an intermediate CA certificate. In that case, create a new ‘/etc/httpd/ssl/ca.crt’ file and paste the contents of the Intermediate CA into it, then edit the the ‘ssl.conf’ configuration file and uncomment the following line:
SSLCertificateChainFile /etc/httpd/ssl/ca.crt
so the Apache web server can find your CA certificate.
Test the Apache configuration:
/etc/init.d/httpd configtest Syntax OK
Restart the Apache service for the changes to take effect:
service httpd restart
