
SSL certificates

To allow users to connect to your site over HTTPS, install mod_ssl:

yum install mod_ssl

This adds the file /etc/httpd/conf.d/ssl.conf, which defines a catch-all _default_:443 vhost. If you're configuring separate vhosts per site (as suggested above), delete or comment out everything in that file from the following section onward, so the stock default vhost doesn't compete with your own:

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

You then need to add the following section to your vhost configuration:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLCertificateFile /etc/pki/tls/certs/firstdomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/firstdomain.com.key
Note: The recommended protocols and cipher suites change constantly, and the list above already shows its age: it still allows TLS 1.1 (deprecated by RFC 8996), the 3DES suites (DES-CBC3-SHA, weak to SWEET32) and the plain AES128-SHA/AES256-SHA family, which uses RSA key exchange and so gives no forward secrecy. Regenerate the list from current guidance rather than copying it. This site is useful to generate these:

If you have a CA-issued (typically paid for) certificate, paste it into the /etc/pki/tls/certs/firstdomain.com.crt file. Your issuer should also have provided a CA bundle containing the intermediate certificates; append it below your own certificate in the same file, so the file holds your certificate first and then the chain. Order matters: Apache sends the file's contents in that order, and clients expect the server certificate first.

Your private key goes in the /etc/pki/tls/private/firstdomain.com.key file. Change the file's permissions to 600:

chmod 600 /etc/pki/tls/private/firstdomain.com.key

so that only its owner (root, which starts httpd and reads the key before privileges are dropped) can read or write it. Never put the key into /etc/pki/tls/certs, which is world-readable.

You then need to test the configuration:

httpd -t

If the test passes, reload Apache so the new vhost is served:

service httpd reload
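The following script is added here as a worked example and is not part of the original page. It carries the steps above through end to end: it assembles the certificate file in the order Apache expects (your certificate first, then the issuer bundle), refuses a .crt file that has a private key pasted into it, checks that the key actually belongs to the certificate, installs the key with mode 600 owned by root, runs httpd -t, reloads, and finally shows the certificate the server really presents. The script name install_cert.sh, the helper names, the input file names and the firstdomain.com example are assumptions; openssl, httpd and root privileges are needed for the install step, while the file checks run as any user.

```sh
#!/bin/sh
# Added example (not from the original page): assemble and sanity-check the
# certificate chain and private key for an Apache vhost before reloading.
# Assumed inputs: the leaf certificate and the issuer's CA bundle as PEM files
# holding only certificates, and the private key as a PEM file. Hypothetical
# usage: sh install_cert.sh leaf.crt ca-bundle.crt firstdomain.com.key firstdomain.com
set -eu

# Number of PEM certificate blocks in a file; 0 for a missing or non-PEM file.
pem_cert_count() {
    c=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${c:-0}"
}

# Write the file Apache reads via SSLCertificateFile: the server (leaf)
# certificate first, then the issuer's intermediates. A leaf without a trailing
# newline would glue its END line onto the bundle's first BEGIN line and hide a
# certificate from the parser, so a newline is added when one is missing.
build_chain() {
    leaf=$1; bundle=$2; out=$3
    [ "$(pem_cert_count "$leaf")" -eq 1 ] || { echo "$leaf: expected exactly one certificate" >&2; return 1; }
    [ "$(pem_cert_count "$bundle")" -ge 1 ] || { echo "$bundle: no certificates found" >&2; return 1; }
    cat "$leaf" > "$out"
    [ -z "$(tail -c 1 "$leaf")" ] || echo >> "$out"
    cat "$bundle" >> "$out"
}

# Refuse a chain file that would leak a key: /etc/pki/tls/certs is world-readable,
# so a private key pasted into the .crt file is exposed to every local user.
# Also require the file to open with a certificate block and to carry at least
# one issuer certificate after the leaf (subject/issuer order needs openssl).
check_chain_file() {
    f=$1
    if grep -q 'PRIVATE KEY-----' "$f"; then
        echo "$f: contains a private key; keys belong in /etc/pki/tls/private" >&2
        return 1
    fi
    [ "$(head -n 1 "$f")" = '-----BEGIN CERTIFICATE-----' ] || { echo "$f: must start with the server certificate" >&2; return 1; }
    [ "$(pem_cert_count "$f")" -ge 2 ] || { echo "$f: no issuer chain appended" >&2; return 1; }
}

# The public key inside the certificate must be the public half of the private
# key, or the handshake fails; comparing the exported public keys works for RSA and EC.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The key file must be readable only by its owner: mode 600 (or 400).
key_perms_ok() {
    [ -n "$(find "$1" -type f \( -perm 600 -o -perm 400 \) -print)" ]
}

# Put everything in place, then test and reload Apache (run as root).
install_cert() {
    leaf=$1; bundle=$2; key=$3; name=$4
    crt=/etc/pki/tls/certs/$name.crt
    keyfile=/etc/pki/tls/private/$name.key
    key_matches_cert "$leaf" "$key" || { echo "$key does not match $leaf" >&2; return 1; }
    build_chain "$leaf" "$bundle" "$crt.new"      # never clobber the live file with a bad one
    check_chain_file "$crt.new"
    mv "$crt.new" "$crt"
    install -m 600 -o root -g root "$key" "$keyfile"   # copy with mode 600, owned by root
    key_perms_ok "$keyfile"
    httpd -t
    service httpd reload
    # Confirm what the server actually presents; -servername selects the vhost via SNI.
    openssl s_client -connect "$name:443" -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

if [ "$#" -eq 4 ]; then
    install_cert "$@"
fi
```

The text checks deliberately avoid openssl so they can run before the certificate is even issued (for instance in a deploy pipeline); key_matches_cert and the final s_client call are the two places that need the real key material and a running server.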

Fully featured examples of this and other Apache functionality can be found on the following page: