This topic describes how to install a single-domain, multi-domain, or wildcard certificate on an Apache server. After the certificate is installed, you can access the Apache server over HTTPS, which ensures the security of data transmission.
This topic provides an example on how to install a certificate on an Apache 2.4.7 server that runs a CentOS operating system. The installation process may vary based on the version of the operating system or web server. If you have questions, contact your account manager.
Prerequisites
A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.
Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is correctly resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. To use the tool, log on to the Certificate Management Service console, and choose Common Certificate Tools > Verify DNS Settings in the left-side navigation pane. For more information, see Verify the DNS record of your domain name.
Port 443 is enabled on your web server. Port 443 is the standard port used for HTTPS communication.
If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, make sure that an inbound security group rule is configured to allow TCP access on port 443. For more information, see Add a security group rule.
If you use a third-party cloud server or an on-premises server, make sure that port 443 is enabled for a firewall or security group to allow TCP access.
If you want to deploy the website on which your certificate is installed to a server located in the Chinese mainland, you must complete an Internet Content Provider (ICP) filing for the domain name bound to the certificate as required by the Ministry of Industry and Information Technology (MIIT). Otherwise, the website cannot be accessed as expected. For more information, see What is an ICP filing?
The mod_ssl.so module is installed on your Apache server. The module is used to enable SSL encryption. If the module is not installed, you can run the sudo yum install -y mod_ssl command to install the module. After you run the command, you can run the httpd -M | grep 'ssl' command to check whether the mod_ssl.so module is successfully installed on your Apache server. The following command output shows that the module is successfully installed.
Step 1: Download the certificate
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the SSL Certificate Management page, find the certificate that you want to manage and click More in the Actions column. On the page that appears, click the Download tab.
Download the certificate package of the Apache server.
Decompress the downloaded certificate package.
The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.
Value of the CSR Generation parameter: Automatic
Files extracted from the certificate package:
Certificate file in the CRT format: By default, the certificate file is named in the format Domain name bound to the certificate_public. The CRT certificate file is encoded in Base64.
Certificate chain file in the CRT format: By default, the certificate chain file is named in the format Domain name bound to the certificate_chain.
Private key file in the KEY format: By default, the private key file is named after the domain name bound to the certificate.
Value of the CSR Generation parameter: Manual
Files extracted from the certificate package:
If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that you obtain when you set the CSR Generation parameter to Automatic.
If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.
Step 2: Install the certificate on the Apache server
Run the following command to create a directory in the installation directory of the Apache server:
# The cert directory is used only as an example.
sudo mkdir /etc/httpd/cert
Note: /etc/httpd/ is the default installation directory of the Apache server that is installed by using yum. If you changed the directory or installed the Apache server by using other methods, specify the actual directory.
Upload the certificate file and private key file to the created directory of the Apache server.
Note: You can upload the files by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, or WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Use Remote Desktop Connection or Windows App to transfer files to a Windows instance or Upload a file to a Linux instance.
Modify the related configuration files to ensure that SSL encryption can be enabled for the Apache server.
Find the /etc/httpd/conf.modules.d/00-ssl.conf file and modify the LoadModule ssl_module modules/mod_ssl.so parameter. If the parameter is commented out by using the comment delimiter (#), remove the comment delimiter, and then save the file.
Find the /etc/httpd/conf/httpd.conf file and modify the Include conf.modules.d/*.conf parameter. If the parameter is commented out by using the comment delimiter (#), remove the comment delimiter, and then save the file.
The configuration files that contain the parameters vary based on the operating system and the installation method of the Apache server. You can run the grep command in a Linux operating system to find all configuration files that contain the parameters.
# Find all configuration files that contain the LoadModule ssl_module parameter.
sudo grep -r "LoadModule ssl_module" /etc/httpd/
# Find all configuration files that contain the Include conf.modules.d parameter.
sudo grep -r "Include conf.modules.d" /etc/httpd/
Important: If you cannot find the parameters, check whether the mod_ssl.so module is installed on your Apache server. If the module is not installed, you can run the sudo yum install -y mod_ssl command to install the module. After you run the command, you can run the httpd -M | grep 'ssl' command to check whether the mod_ssl.so module is successfully installed on the Apache server.
Modify certificate-related settings.
Run the following command to open the ssl.conf file:
sudo vim /etc/httpd/conf.d/ssl.conf
Important: The name of the configuration file and the directory in which the configuration file is stored vary based on your operating system. If you cannot find the ssl.conf file, check whether the conf/extra/http-ssl.conf file exists in the installation directory of your Apache server.
Find the following parameters in the ssl.conf file and reconfigure the parameters based on the following comments:
Install a single-domain or multi-domain certificate
# Apache does not accept a comment on the same line as a directive, so every comment below is on its own line.
<VirtualHost *:443>
    # Specify the domain name that you add to the certificate.
    ServerName example.com
    # Enable SSL for this virtual host.
    SSLEngine on
    SSLHonorCipherOrder on
    # Replace domain_name_public.crt with the name of your certificate file.
    SSLCertificateFile cert/domain_name_public.crt
    # Replace domain_name.key with the name of your private key file.
    SSLCertificateKeyFile cert/domain_name.key
    # Replace domain_name_chain.crt with the name of your certificate chain file.
    # SSLCertificateChainFile is obsolete in Apache 2.4.8 and later, where the chain can instead be appended to the file named in SSLCertificateFile.
    SSLCertificateChainFile cert/domain_name_chain.crt
    # Specify the Transport Layer Security (TLS) protocols and custom cipher suites that you want to use. The following sample code is only for reference.
    # A later TLS version offers higher security but lower compatibility with browsers.
    # Add supported SSL protocols and remove the protocols that are not secure.
    #SSLProtocol all -SSLv2 -SSLv3
    # Modify cipher suites.
    #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
</VirtualHost>
# If your certificate contains multiple domain names, copy the VirtualHost block and set the ServerName parameter to a different domain name.
<VirtualHost *:443>
    # Specify a different domain name that you add to the certificate.
    ServerName example2.com
    SSLEngine on
    SSLHonorCipherOrder on
    # Replace domain_name2 with the different domain name in the three file names below.
    SSLCertificateFile cert/domain_name2_public.crt
    SSLCertificateKeyFile cert/domain_name2.key
    SSLCertificateChainFile cert/domain_name2_chain.crt
    # Specify the TLS protocols and custom cipher suites that you want to use. The following sample code is only for reference.
    # A later TLS version offers higher security but lower compatibility with browsers.
    # Add supported SSL protocols and remove the protocols that are not secure.
    #SSLProtocol all -SSLv2 -SSLv3
    # Modify cipher suites.
    #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
</VirtualHost>
Install a wildcard certificate
<VirtualHost _default_:443>
    # Enable SSL for this virtual host.
    SSLEngine on
    # Specify the TLS protocols and custom cipher suites that you want to use. The following sample code is only for reference.
    # A later TLS version offers higher security but lower compatibility with browsers.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
    # Replace domain_name_public.crt with the name of your certificate file.
    SSLCertificateFile /etc/httpd/cert/domain_name_public.crt
    # Replace domain_name.key with the name of your private key file.
    SSLCertificateKeyFile /etc/httpd/cert/domain_name.key
    # Replace domain_name_chain.crt with the name of your certificate chain file.
    SSLCertificateChainFile /etc/httpd/cert/domain_name_chain.crt
</VirtualHost>
Important: If you want to install a multi-domain certificate on an Apache server, check whether your browser version supports Server Name Indication (SNI). If your browser version does not support SNI, the configuration of a multi-domain certificate does not take effect.
Optional. Add the following redirection code to the /etc/httpd/conf/httpd.conf file to configure automatic redirection of HTTP requests to HTTPS requests:
# The rewrite_module (mod_rewrite) must be loaded for these directives to work.
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
Run the following command to restart your Apache server to make the configuration file take effect and ensure that SSL encryption is enabled:
sudo systemctl restart httpd
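Before you restart httpd, the following added script, which is not part of this topic or of Alibaba Cloud's tooling, checks the configuration and files produced by the preceding steps: every port 443 virtual host in ssl.conf has SSLEngine on and both certificate directives, the certificate matches the private key, the certificate verifies against the chain file, and the private key is not readable by other users. It assumes the file layout of this topic (/etc/httpd/conf.d/ssl.conf and /etc/httpd/cert/), the openssl command line tool, and GNU stat.

```shell
#!/bin/sh
# precheck_ssl.sh: checks to run before "systemctl restart httpd" (added example).
# Usage: sh precheck_ssl.sh /etc/httpd/conf.d/ssl.conf cert.crt cert.key chain.crt

# Check every <VirtualHost ...:443> block in an ssl.conf file for the directives a
# TLS virtual host cannot work without. Prints what is missing; returns 0 only when
# every block is complete. Commented-out lines are ignored, as Apache ignores them.
lint_ssl_conf() {
  awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ { next }
    /<VirtualHost[^>]*:443>/ { inblk = 1; n++; name = "-"; eng = crt = key = 0; next }
    inblk && /^[ \t]*ServerName[ \t]/ { name = $2 }
    inblk && /^[ \t]*SSLEngine[ \t]+[Oo]n/ { eng = 1 }
    inblk && /^[ \t]*SSLCertificateFile[ \t]/ { crt = 1 }
    inblk && /^[ \t]*SSLCertificateKeyFile[ \t]/ { key = 1 }
    inblk && /<\/VirtualHost>/ {
      if (!eng) { print "vhost " n " (" name "): missing SSLEngine on"; bad = 1 }
      if (!crt) { print "vhost " n " (" name "): missing SSLCertificateFile"; bad = 1 }
      if (!key) { print "vhost " n " (" name "): missing SSLCertificateKeyFile"; bad = 1 }
      inblk = 0
    }
    END { exit bad }' "$1"
}

# Return 0 if the certificate and the private key carry the same public key; a
# mismatch is what makes httpd refuse to start with a "key values mismatch" error.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if the leaf certificate is signed by the chain file. -partial_chain lets
# verification stop at the intermediate CA contained in the chain file.
chain_verifies() {
  openssl verify -partial_chain -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Return 0 if the private key is readable only by its owner (mode 600 or 400).
key_mode_ok() {
  case "$(stat -c %a "$1" 2>/dev/null)" in 600|400) return 0 ;; *) return 1 ;; esac
}

if [ $# -eq 4 ]; then
  lint_ssl_conf "$1" && cert_key_match "$2" "$3" && chain_verifies "$2" "$4" \
    && key_mode_ok "$3" && echo "OK: safe to restart httpd"
fi
```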
Step 3: Check whether the certificate is installed
After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.
https://yourdomain # Replace yourdomain with the domain name that is bound to your certificate.
If the lock icon appears in the address bar of your browser, the certificate is installed.
Starting in Google Chrome 117, the lock icon is changed to the site information icon. If the lock icon appears after you click the site information icon, the certificate is installed.