Installing Security Certificates on Apache httpd

Following on from our initial tutorial where we demonstrated how to use OpenSSL to make a private/public key pair and create a security certificate in this feature we move on to a more practical example.

While waning in popularity recently largely due to the emergence of Nginx, the httpd server developed by the Apache Software Foundation still runs just about 40% of all available websites. This robust, fully featured, open source and commercial-grade web server was one of the first to market and it is fairly easy to configure.

Given its popularity, any budding system administrator or web developer will need to understand how to configure and secure it. In this tutorial you will learn how to use it to process traffic using the HTTPS protocol as opposed to the standard HTTP.

Before we begin you will need to have previously generated a private certificate or have obtained one from a Certificate Authority also known as a CA. Once the certificate is in hand copy it to a location on the server where the user account and process that runs httpd will have read/write permissions. Also ensure that the mod_ssl module has been installed.

As httpd is entirely managed by making adjustments to the text based configuration files all that is needed is a simple text editor like vi. The only additional thing to remember is that the server will need to be restarted for the configuration changes to take effect. Depending on your distribution (we are assuming that your server runs on Linux) the files required maybe in any one of the following locations:

  1. /etc/httpd.conf
  2. /etc/httpd/
  3. /etc/httpd/conf/
  4. /etc/httpd/conf.d/
  5. /etc/apache2
  6. /etc/apache2/conf.d/
  7. /etc/apache2/sites-available/
  8. /etc/apache2/sites-enabled/
  9. /etc/apache2/mods-available/
  10. /etc/apache2/mods-enabled/

Our first edit will be made to the master or active httpd.conf file that controls the server. We will need adjust the default bind port and change it from 80 to 443. Search the file for the Listen directive and adjust it to the following.

Listen 443

There may also be a ports.conf as well as files in the sites-enabled/ and sites-available/ that need to adjusted. These files if present will control the bind address for any defined virtual servers. Should you wish to use HTTPS on these virtual server change these as well.

Configuring TLS/SSL on httpd

Add the below lines to the httpd.conf main configuration file or to the ssl configuration file in conf.d. Replace <cert file> and <key file> with the full path to certificate and key files

SSLEngine on
SSLCertificateFile <cert file>
SSLCertificateKeyFile <key file>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Restart the httpd processes.

apachectl restart

or if on a Red Hat based distribution execute

service httpd restart

or for systemd

systemctl restart httpd

Check the system log in /var/log/messages and the httpd logs in the /var/log/httpd/ directory for errors. Fix any errors detected and ensure that server is started.

Note, that if a pass-phrase is required to decode the certificate then an additional directive will be needed. When the private key is encrypted with a password for example when it is passed through a cipher algorithm such as des3 during the generation process then a passphrase will be required by httpd to utilize the key.

In these cases during startup httpd will request the passphase via the method defined by the SSLPassPhraseDialog directive. The following will cause the httpd process to trigger a script to enter the pass-phrase.

#builtin directive comes with mod_ssl and reads the passphrase from the user via standard input.
SSLPassPhraseDialog builtin

#exec calls the specified program/shell script to provide the passphrase
SSLPassPhraseDialog exec:/bin/pass-phrase-custom-script.sh

That's it! All done. Your site will now be available at https://<your address here>. If you have any suggests or found any errors let us know by dropping a comment below.