This topic describes how to install an SSL certificate on an Apache server, including downloading and uploading a certificate file, configuring related parameters on the Apache server, and verifying the installation result. The parameters include those related to the certificate file, certificate chain, and certificate key. After the certificate is installed, you can access the Apache server over HTTPS, which ensures the security of data transmission.
This topic provides an example on how to install a certificate on an Apache 2.4.7 server that runs a CentOS operating system. The installation process may vary based on the version of the operating system or web server. If you have questions, contact your account manager.
Prerequisites
A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.
Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.
The mod_ssl.so module is installed on your Apache server. This module is used to enable SSL encryption.
If the module is not installed, you can run the
yum install -y mod_ssl
command to install the module. After you run the command, you can run thehttpd -M | grep 'ssl'
command to check whether the mod_ssl.so module is successfully installed on your Apache server.The following command output shows that the module is successfully installed.
Step 1: Download the certificate
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the SSL Certificate Management page, find the certificate that you want to manage and click Download in the Actions column.
Find Apache in the Server Type column and click Download in the Actions column.
Decompress the downloaded certificate package.
The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.
Value of the CSR Generation parameter
File extracted from the certificate package
Automatic
Certificate file in the CRT format: By default, the certificate file is named in the Domain name bound to the certificate_public format. The CRT certificate file is encoded in Base64.
Certificate chain file in the CRT format: By default, the certificate chain file is named in the Domain name bound to the certificate_chain format.
Private key file in the KEY format: By default, the private key file is named in the Domain name bound to the certificate format.
Manual
If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set CSR Generation to Automatic.
If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.
Step 2: Install the certificate on the Apache server
Run the following commands to create a directory named cert in the installation directory of Apache.
Run the following command to go to the installation directory of Apache:
cd /etc/httpd/ # Go to the default installation directory of Apache that is installed by using yum. If you have changed the directory or installed Apache by using other methods, specify the actual directory.
Run the following command to create a directory named cert:
mkdir cert # Create a directory named cert.
Upload the certificate file and password file to the certificate directory (/etc/httpd/cert) of the Apache server.
NoteYou can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Upload files to or download files from a Windows instance or Upload a file to a Linux instance.
Modify the certificate-related settings in the httpd.conf and ssl.conf configuration files.
Find the
LoadModule ssl_module modules/mod_ssl.so
parameter that is used to load the mod_ssl.so module and enable SSL encryption, and find theInclude conf.modules.d/*.conf
parameter that is used to load the SSL configuration directory. Check whether comments that start with the number sign (#) are added to the parameters. If yes, remove the comments.ImportantThe configuration files that contain the parameters vary based on the operating system and the installation method of Apache. The following list describes the configuration files that contain the parameters:
conf.modules.d/00-ssl.conf: This file contains the
LoadModule ssl_module modules/mod_ssl.so
parameter.httpd.conf: This file contains the
Include conf.modules.d/*.conf
parameter.http-ssl.conf
If you cannot find the preceding parameters, check whether the mod_ssl.so module is installed on the Apache server. If the module is not installed, you can run the
yum install -y mod_ssl
command to install the module. After you run the command, you can run thehttpd -M | grep 'ssl'
command to check whether the mod_ssl.so module is successfully installed on the Apache server.Run the following command to open the ssl.conf configuration file:
vim /etc/httpd/conf.d/ssl.conf
ImportantThe name of the configuration file and the directory in which the configuration file is stored vary based on your operating system. If you cannot find the ssl.conf file, check whether the conf/extra/http-ssl.conf configuration file exists in the installation directory of Apache.
Find the following parameters in the ssl.conf configuration file and configure the parameters based on the following comments:
<VirtualHost *:443> ServerName example.com # Set ServerName to the domain name that you add to the certificate. SSLCertificateFile cert/domain_name_public.crt # Replace domain_name_public.crt with the name of your certificate file. SSLCertificateKeyFile cert/domain_name.key # Replace domain_name.key with the name of your private key file. SSLCertificateChainFile cert/domain_name_chain.crt # Replace domain_name_chain.crt with the name of your certificate chain file. If the name starts with a number sign (#), delete the number sign. # Specify the Transport Layer Security (TLS) protocols and custom cipher suites that you want to use. The following sample code is only for reference. # A later TLS version offers higher security but lower compatibility with browsers. #SSLProtocol all -SSLv2 -SSLv3 # Add supported SSL protocols and remove the protocols that are not secure. #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # Modify the cipher suite. </VirtualHost> # If your certificate contains multiple domain names, copy the VirtualHost parameter, and set ServerName to a different domain name. <VirtualHost *:443> ServerName example2.com# Set ServerName to a different domain name that you add to the certificate. SSLCertificateFile cert/domain_name2_public.crt # Replace domain_name2 with the different domain name. SSLCertificateKeyFile cert/domain_name2.key # Replace domain_name2 with the different domain name. SSLCertificateChainFile cert/domain_name2_chain.crt # Replace domain_name2 with the different domain name. If the name starts with a number sign (#), delete the number sign. SSLEngine on SSLHonorCipherOrder on # Specify the TLS protocols and custom cipher suites that you want to use. The following sample code is only for reference. # A later TLS version offers higher security but lower compatibility with browsers. #SSLProtocol all -SSLv2 -SSLv3 # Add supported SSL protocols and remove the protocols that are not secure. #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # Modify the cipher suite. </VirtualHost>
ImportantCheck whether your browser version supports server name indication (SNI). If your browser version does not support SNI, the configuration of a multi-domain certificate does not take effect.
Optional. Modify the httpd.conf configuration file to configure automatic redirection of HTTP requests to HTTPS requests.
Add the following redirection code to the httpd.conf configuration file:
RewriteEngine on RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
Restart the Apache service to make the preceding configuration take effect.
Run the
apachectl -k stop
command to stop the Apache service.Run the
apachectl -k start
command to start the Apache service.
Step 3: Check whether the certificate is installed
After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.
https://yourdomain # Replace yourdomain with the domain name that is bound to your certificate.
If a lock icon appears in the address bar, the certificate is installed.