This topic describes how to install a single-domain or multi-domain SSL certificate on an Apache server, including downloading and uploading a certificate file, configuring related parameters on the Apache server, and verifying the installation result. The parameters include those related to the certificate file, certificate chain, and certificate key. After the certificate is installed, you can access the Apache server over HTTPS, which ensures the security of data transmission.
This topic provides an example on how to install a certificate on an Apache 2.4.7 server that runs a CentOS operating system. The installation process may vary based on the version of the operating system or web server. If you have questions, contact your account manager.
Prerequisites
A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.
Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.
The
mod_ssl.so
module is installed on your Apache server. This module is used to enable SSL encryption.If the module is not installed, you can run the
yum install -y mod_ssl
command to install the module. After you run the command, you can run thehttpd -M | grep 'ssl'
command to check whether the mod_ssl.so module is successfully installed on your Apache server. The following command output shows that the module is successfully installed.
Step 1: Download the certificate
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the SSL Certificate Management page, find the certificate that you want to manage, click More in the Actions column. On the page that appears, click the Download tab.
Find Apache in the Server Type column and click Download in the Actions column.
Decompress the downloaded certificate package.
The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.
Value of the CSR Generation parameter
File extracted from the certificate package
Automatic
Certificate file in the CRT format: By default, the certificate file is named in the Domain name bound to the certificate_public format. The CRT certificate file is encoded in Base64.
Certificate chain file in the CRT format: By default, the certificate chain file is named in the Domain name bound to the certificate_chain format.
Private key file in the KEY format: By default, the private key file is named in the Domain name bound to the certificate format.
Manual
If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set the CSR Generation parameter to Automatic.
If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.
Step 2: Install the certificate on the Apache server
Run the following command to create a directory named cert in the installation directory of Apache:
sudo mkdir /etc/httpd/cert
Note/etc/httpd/
is the default installation directory of Apache that is installed by using yum. If you have changed the directory or installed Apache by using other methods, specify the actual directory.Upload the certificate file and private key file to the
/etc/httpd/cert
directory of the Apache server.NoteYou can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Upload files to or download files from a Windows instance or Upload a file to a Linux instance.
Check whether
LoadModule ssl_module modules/mod_ssl.so
andInclude conf.modules.d/*.conf
parameter are commented. If yes, remove the comments. LoadModule ssl_module modules/mod_ssl.so is used to load the mod_ssl.so module and enable SSL encryption. Include conf.modules.d/*.conf is used to load the SSL configuration directory.The configuration files that contain the parameters vary based on the operating system and the installation method of Apache. The following list describes the configuration files that can contain the parameters:
conf.modules.d/00-ssl.conf: In this topic, the
LoadModule ssl_module modules/mod_ssl.so
parameter is stored in the/etc/httpd/conf.modules.d/00-ssl.conf
configuration file.httpd.conf: In this topic, the
Include conf.modules.d/*.conf
parameter is stored in the/etc/httpd/httpd.conf
configuration file.http-ssl.conf
ImportantIf you cannot find the preceding parameters, check whether the mod_ssl.so module is installed on the Apache server. If the module is not installed, you can run the
yum install -y mod_ssl
command to install the module. After you run the command, you can run thehttpd -M | grep 'ssl'
command to check whether the mod_ssl.so module is successfully installed on the Apache server.Open the ssl.conf configuration file and modify the certificate-related settings.
Run the following command to open the ssl.conf configuration file:
sudo vim /etc/httpd/conf.d/ssl.conf
ImportantThe name of the configuration file and the directory in which the configuration file is stored vary based on your operating system. If you cannot find the ssl.conf file, check whether the
conf/extra/http-ssl.conf
configuration file exists in the installation directory of Apache.Find the following parameters in the ssl.conf configuration file and reconfigure the parameters based on the following comments:
<VirtualHost *:443> ServerName example.com # Specify the domain name that you add to the certificate. SSLCertificateFile cert/domain_name_public.crt # Replace domain_name_public.crt with the name of your certificate file. SSLCertificateKeyFile cert/domain_name.key # Replace domain_name.key with the name of your private key file. SSLCertificateChainFile cert/domain_name_chain.crt # Replace domain_name_chain.crt with the name of your certificate chain file. # Specify the Transport Layer Security (TLS) protocols and custom cipher suites that you want to use. The following sample code is only for reference. # A later TLS version offers higher security but lower compatibility with browsers. #SSLProtocol all -SSLv2 -SSLv3 # Add supported SSL protocols and remove the protocols that are not secure. #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # Modify the cipher suite. </VirtualHost> # If your certificate contains multiple domain names, copy the VirtualHost parameter, and set the ServerName parameter to a different domain name. <VirtualHost *:443> ServerName example2.com# Specify a different domain name that you add to the certificate. SSLCertificateFile cert/domain_name2_public.crt # Replace domain_name2 with the different domain name. SSLCertificateKeyFile cert/domain_name2.key # Replace domain_name2 with the different domain name. SSLCertificateChainFile cert/domain_name2_chain.crt # Replace domain_name2 with the different domain name. SSLEngine on SSLHonorCipherOrder on # Specify the TLS protocols and custom cipher suites that you want to use. The following sample code is only for reference. # A later TLS version offers higher security but lower compatibility with browsers. #SSLProtocol all -SSLv2 -SSLv3 # Add supported SSL protocols and remove the protocols that are not secure. #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # Modify the cipher suite. </VirtualHost>
ImportantCheck whether your browser version supports server name indication (SNI). If your browser version does not support SNI, the configuration of a multi-domain certificate does not take effect.
Optional. Add the following redirection code to the
/etc/httpd/conf/httpd.conf
configuration file to configure automatic redirection of HTTP requests to HTTPS requests:RewriteEngine on RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
Restart your Apache server to make the SSL configuration take effect:
sudo systemctl restart httpd
Step 3: Check whether the certificate is installed
After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.
https://yourdomain # Replace yourdomain with the domain name that is bound to your certificate.
If a lock icon appears in the address bar, the certificate is installed.