Apache HTTP Server is still a market leader among the web servers used by the top million busiest sites.
Nginx is gradually picking up, so if you are into system/web/middleware administration, you need to know both the Apache and Nginx web servers.
However, in this article, I will cover only Apache Web Server.
Once SSL is implemented, the configured domain/IP will be accessible over HTTPS. Let’s get started.
At a high level, we will do the following.
- Compile Apache HTTP 2.4.5 with SSL module
- Get SSL Certificate
- Configure Apache to support SSL
Install Apache with SSL from Source
To configure SSL, Apache HTTP must be compiled with mod_ssl. I’ll use a CentOS 7 VM from DigitalOcean to demonstrate this.
- Log in to the Linux server as root and download the latest version of Apache
- Extract it with the gunzip command
gunzip -c httpd-2.4.25.tar.gz | tar xvf -
- You will have a new folder “httpd-2.4.25”
- Go inside and execute the following configure command
./configure --enable-ssl --enable-so
Note: If you are doing this on a brand new server, you may run into issues related to APR, PCRE or OpenSSL; refer to the troubleshooting guide if so.
Ensure the configure command above finishes without errors, then install with the make commands.
make
make install
As usual, ensure there are no errors from the above commands. At this point, you have installed the Apache web server with SSL support.
Getting SSL Certificate
There are multiple ways to generate an SSL cert and get it signed by a certificate authority.
If you are looking to implement SSL on an Intranet web server, most organizations have an internal certificate issuer team, so check with them.
But you still need to generate a CSR (Certificate Signing Request), and you can do it using OpenSSL.
However, if you are looking to secure an Internet-facing URL, you can either buy a certificate from VeriSign, GoDaddy, Namecheap, etc. or get a FREE cert from Let’s Encrypt.
Let’s Encrypt is a Linux Foundation Collaboration Project that offers FREE SSL/TLS certificates. I will use Let’s Encrypt to get a certificate for my domain – Chandan.io
There are multiple ways to generate a CSR, but the easiest one I found is the “SSL For FREE” online tool.
Enter the URL which you want to secure
Verify the domain ownership by one of the listed methods and download your domain certificate files.
You will get three files which we will use next to configure the Apache web server.
- key – this is your key file and shouldn’t be shared with anyone publicly
- Certificate – actual SSL certificate for your domain
- Ca_bundle – Signer root/intermediate certificate
Transfer the downloaded files to the web server. We will need them shortly.
Apache SSL Configuration
The final step is to configure Apache so it can serve requests over HTTPS.
- Log in to the Apache web server
- Take a backup of httpd.conf file (default location /usr/local/apache2/conf/)
- Open the file with the vi editor and ensure the mod_ssl module and the httpd-ssl.conf include exist and are not commented out
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
We will use the httpd-ssl.conf file to configure the certificate details. Ensure the following parameters exist and point to the right files.
- SSLCertificateFile – Certificate CRT file path which you downloaded earlier
- SSLCertificateKeyFile – private.key file path
- SSLCertificateChainFile – ca_bundle.crt file path
Tip: you may want to create a new folder called “ssl” and keep all the certificate related files in this.
- Take a backup if needed and use vi editor to modify the file.
SSLCertificateFile "/usr/local/apache2/conf/ssl/certificate.crt"
SSLCertificateChainFile "/usr/local/apache2/conf/ssl/ca_bundle.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl/private.key"
Next, you need to configure the “ServerName” directive. Usually, it’s your domain/URL name.
- Save the file and restart the Apache Web server
cd /usr/local/apache2/bin
./apachectl stop
./apachectl start
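A pre-restart check for the three files configured above, added here as an example (it is not part of the original article): it confirms that the private key is readable only by its owner, that the certificate and key hold the same public key, and that the certificate verifies against the CA bundle. The helper name check_tls_files is hypothetical, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example, not from the article: check the three files referenced in
# httpd-ssl.conf before restarting. Assumes an unencrypted PEM private key.

# check_tls_files CERT KEY CA_BUNDLE  (hypothetical helper; returns 0 if all pass)
check_tls_files() {
    cert=$1 key=$2 bundle=$3 rc=0

    for f in "$cert" "$key" "$bundle"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done

    # 1. Private key must not be accessible to group or others.
    #    Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ldL "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $key is group/world accessible (chmod 600 it)" >&2
        rc=1
    fi

    # 2. Certificate and key must contain the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        rc=1
    fi

    # 3. Certificate must verify against the CA bundle and be unexpired.
    #    -partial_chain accepts a bundle that holds only the intermediate.
    if ! openssl verify -partial_chain -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $bundle" >&2
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: certificate, key and chain are consistent"; fi
    return "$rc"
}

# Run when called with the three paths, for example from /usr/local/apache2:
#   sh check_tls.sh conf/ssl/certificate.crt conf/ssl/private.key conf/ssl/ca_bundle.crt
if [ "$#" -eq 3 ]; then check_tls_files "$@"; fi
```

Run it before `./apachectl stop`; `./apachectl configtest` then checks the syntax of the configuration files themselves.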
And finally, you need to ensure your domain is mapped to the newly configured web server IP. Once done, try to access your domain over https.
And as you can see, Chandan.io is accessible over https with the certificate I configured.
The above steps are essential for setting up an SSL certificate, and you must tweak the SSL configuration further to harden and secure it, which I explained here.
Before go-live, you may also want to test your web server SSL/TLS to ensure it’s not exposed to common security vulnerabilities.
I hope this gives you an idea of how to implement an SSL certificate on your Apache web server so that the URL is accessible over HTTPS.
If you are new to Apache web server, then I would recommend taking this online course.