All Products
Search
Document Center

Certificate Management Service:Install a single-domain or multi-domain certificate

Last Updated:Dec 02, 2024

This topic describes how to install a single-domain or multi-domain SSL certificate on an Apache server, including downloading and uploading a certificate file, configuring related parameters on the Apache server, and verifying the installation result. The parameters include those related to the certificate file, certificate chain, and certificate key. After the certificate is installed, you can access the Apache server over HTTPS, which ensures the security of data transmission.

Important

This topic provides an example on how to install a certificate on an Apache 2.4.7 server that runs a CentOS operating system. The installation process may vary based on the version of the operating system or web server. If you have questions, contact your account manager.

Prerequisites

  • A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.

  • Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.

  • The mod_ssl.so module is installed on your Apache server. This module is used to enable SSL encryption.

    If the module is not installed, you can run the yum install -y mod_ssl command to install the module. After you run the command, you can run the httpd -M | grep 'ssl' command to check whether the mod_ssl.so module is successfully installed on your Apache server. The following command output shows that the module is successfully installed.

    image..png

Step 1: Download the certificate

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Manage Certificates > SSL Certificate Management.

  3. On the SSL Certificate Management page, find the certificate that you want to manage, click More in the Actions column. On the page that appears, click the Download tab.

  4. Find Apache in the Server Type column and click Download in the Actions column.

    image..png

  5. Decompress the downloaded certificate package.

    The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.in

    Value of the CSR Generation parameter

    File extracted from the certificate package

    Automatic

    • Certificate file in the CRT format: By default, the certificate file is named in the Domain name bound to the certificate_public format. The CRT certificate file is encoded in Base64.

    • Certificate chain file in the CRT format: By default, the certificate chain file is named in the Domain name bound to the certificate_chain format.

    • Private key file in the KEY format: By default, the private key file is named in the Domain name bound to the certificate format.

    Manual

    • If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set the CSR Generation parameter to Automatic.

    • If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Step 2: Install the certificate on the Apache server

  1. Run the following command to create a directory named cert in the installation directory of Apache:

    sudo mkdir /etc/httpd/cert
    Note

    /etc/httpd/ is the default installation directory of Apache that is installed by using yum. If you have changed the directory or installed Apache by using other methods, specify the actual directory.

  2. Upload the certificate file and private key file to the /etc/httpd/cert directory of the Apache server.

    Note

    You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Upload files to or download files from a Windows instance or Upload a file to a Linux instance.

  3. Check whether LoadModule ssl_module modules/mod_ssl.so and Include conf.modules.d/*.conf parameter are commented. If yes, remove the comments. LoadModule ssl_module modules/mod_ssl.so is used to load the mod_ssl.so module and enable SSL encryption. Include conf.modules.d/*.conf is used to load the SSL configuration directory.

    The configuration files that contain the parameters vary based on the operating system and the installation method of Apache. The following list describes the configuration files that can contain the parameters:

    • conf.modules.d/00-ssl.conf: In this topic, the LoadModule ssl_module modules/mod_ssl.so parameter is stored in the /etc/httpd/conf.modules.d/00-ssl.conf configuration file.

    • httpd.conf: In this topic, the Include conf.modules.d/*.conf parameter is stored in the /etc/httpd/httpd.conf configuration file.

    • http-ssl.conf

    Important

    If you cannot find the preceding parameters, check whether the mod_ssl.so module is installed on the Apache server. If the module is not installed, you can run the yum install -y mod_ssl command to install the module. After you run the command, you can run the httpd -M | grep 'ssl' command to check whether the mod_ssl.so module is successfully installed on the Apache server.

  4. Open the ssl.conf configuration file and modify the certificate-related settings.

    1. Run the following command to open the ssl.conf configuration file:

      sudo vim /etc/httpd/conf.d/ssl.conf
      Important

      The name of the configuration file and the directory in which the configuration file is stored vary based on your operating system. If you cannot find the ssl.conf file, check whether the conf/extra/http-ssl.conf configuration file exists in the installation directory of Apache.

    2. Find the following parameters in the ssl.conf configuration file and reconfigure the parameters based on the following comments:

      <VirtualHost *:443> 
       ServerName example.com # Specify the domain name that you add to the certificate.  
       SSLCertificateFile cert/domain_name_public.crt # Replace domain_name_public.crt with the name of your certificate file. 
       SSLCertificateKeyFile cert/domain_name.key # Replace domain_name.key with the name of your private key file. 
       SSLCertificateChainFile cert/domain_name_chain.crt # Replace domain_name_chain.crt with the name of your certificate chain file. 
       
       # Specify the Transport Layer Security (TLS) protocols and custom cipher suites that you want to use. The following sample code is only for reference.
       # A later TLS version offers higher security but lower compatibility with browsers. 
       #SSLProtocol all -SSLv2 -SSLv3 # Add supported SSL protocols and remove the protocols that are not secure. 
       #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # Modify the cipher suite. 
      </VirtualHost>
      
      # If your certificate contains multiple domain names, copy the VirtualHost parameter, and set the ServerName parameter to a different domain name.  
      <VirtualHost *:443> 
       ServerName example2.com# Specify a different domain name that you add to the certificate.  
       SSLCertificateFile cert/domain_name2_public.crt # Replace domain_name2 with the different domain name. 
       SSLCertificateKeyFile cert/domain_name2.key # Replace domain_name2 with the different domain name. 
       SSLCertificateChainFile cert/domain_name2_chain.crt # Replace domain_name2 with the different domain name. 
       
       SSLEngine on 
       SSLHonorCipherOrder on
       # Specify the TLS protocols and custom cipher suites that you want to use. The following sample code is only for reference.
       # A later TLS version offers higher security but lower compatibility with browsers. 
       #SSLProtocol all -SSLv2 -SSLv3 # Add supported SSL protocols and remove the protocols that are not secure. 
       #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # Modify the cipher suite. 
      </VirtualHost>
      Important

      Check whether your browser version supports server name indication (SNI). If your browser version does not support SNI, the configuration of a multi-domain certificate does not take effect.

  5. Optional. Add the following redirection code to the /etc/httpd/conf/httpd.conf configuration file to configure automatic redirection of HTTP requests to HTTPS requests:

    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
  6. Restart your Apache server to make the SSL configuration take effect:

    sudo systemctl restart httpd

Step 3: Check whether the certificate is installed

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If a lock icon appears in the address bar, the certificate is installed.

image..png

References