Install a X509 SSL certificate on Apache (Linux, Debian, Unbuntu, windows wamp, Mac OS X, ...)
If you are using an Apache version superior or equal to 2.4.8, refer directly to its documentation.You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.
1- Retrieve your certificate(s) on your server
Go back where the private key has been generated, for example:cd /etc/httpd/conf ou cd /etc/apache/conf ou cd /etc/apache2/In the delivery email you'll find several links. Click on them and download the associated files:
(from your certificate's status page, click on "See the certificate" or "See the last certificate")
- A: your server certificate (.cer or .crt file)
- B: the certification chain (.txt file)
2- Set up Apache
To install a cert on Apache, you'll have to define 3 variables in the configuration file of your server:- SSLCertificateKeyFile path to the private-key.key file used for the initial generation of the CSR
- SSLCertificateFile path to the certificate.cer
- SSLCertificateChainFile (or SSLCACertificateFile) path to the chain.txt. file. This file contains the certificate(s) forming the certification chain of your certificate (it can be updated anytime, so after each renewal or reissuance, reinstall the latest certification chain).
If you are using Apache 1.3 with mod_ssl or Apache 2 and similar others (Mac OS X, WAMP, EasyPHP)
Find the setup file of your apache. It is often:/etc/httpd/conf/httpd.confyou can also find the SSL setup in an other file. For example:/etc/httpd/conf/ssl/default-vhost.conf /etc/httpd/conf/ssl.conf
Or in a Windows environment (EasyPHP, Wamp, ...) :
C:/Program Files/Apache Software Foundation/Apache X.X/conf/extra/httpd-ssl.conf C:/Program Files/Apache Software Foundation/EasyPHP/Nota: Your Apache Set up might raises problems if:
the path includes special characters such as : spaces, bracket (), accents éàèêîï, ... the path is too long ( > 200 characters) the private key, certificate or certification chain files can't be read by the user/session that runs the Apache/httpd server.
If you only have one certificate on this machine, spot the section beginning by:<VirtualHost _default_:443>and edit the following instructions to make them point at your files:# your server certificate (A) SSLCertificateFile /etc/httpd/conf/cert-0000000000-1234.cer # your private key (generated previously) SSLCertificateKeyFile /etc/httpd/conf/www.virtualhost.com.key # configuration du SSL SSLCipherSuite !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL SSLCompression off #Apache 2.4.3+ SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on # apache 2.1+Warning: SSLHonorCipherOrder is not available on every version of Apache, see our documentation.
And for your certification chain (B), add:SSLCertificateChainFile /etc/httpd/conf/chain-0000000000-1234.txtFor very old versions of Apache, see SSLCACertificateFile
Disable SSLv2 and SSLv3 on your Apache server
In your Apache configuration, for example:- General configuration of the server: /etc/apache2/conf/httpd.conf
- SSL Module / SSL configuration : /etc/apache2/conf/sites-enable/ssl.conf
- Your site configuration : <VirtualHost *:443>
Retrieve the parameter SSLProtocol to disable SSLv2 and SSLv3, for example:
<VirtualHost *:443> ServerName www.mysite.com DocumentRoot /var/www/www.mysite.com SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile chemin/certificate-xxxx.cer SSLCertificateKeyFile chemin/privatekey-xxxw.key SSLCertificateChainFile chemin/chain-xxx.txt </Virtual Host>
What are the risks linked to obsolete protocols?
N.B.: In this configuration, we also recommend the following configuration for the protocols/ key excahngeand cipherment algorithms:
SSLCipherSuite !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL
TOMCAT under apache APR
<Connector port="443" maxHttpHeaderSize="8192" ... SSLEnabled="true" SSLCertificateFile="${SERVICE_HOME}/conf/certificate.cer" SSLCertificateKeyFile="${SERVICE_HOME}/conf/privatekey.key" SSLCertificateChainFile="${SERVICE_HOME}/conf/chain-certificats.txt" ...
3- Restart Apache and run a test
Once setted up, restart the Apache server.httpd restart service or /etc/init.d/apache restartVerify the log (for any syntax error) and check the access of your website's secured pages with IE 6 and Firefox.
N.B.: if the certificate does not match the private key, Apache won't be able to restart and the HTTP service will then be out-of-order. How to make sure your certificate matches the key?
On windows platforms (Easy Php, WAMP, ...)
- You must see an administration/management menu in the task bar of your Apache server to start and stop it.
- Make sure the HTTPS port (443) is open in the Firewall rules.
- If an error occurs the server might not start. You'll then need to consult the error logs: the error messages can also appear in the Widows "Events Logs".
Security recommandations
Activate OCSP Stappling
We recommand to activate OCSP Stappling to give your users the guarantee of the non-revocation of your certificate more efficiently than with the simple mecanisms provided by browsers.
Activate HSTS support
To protect your users from Man in the Middle attacks and to guarantee your site security, we advise the activation of HSTS.
Generate stron dh groups
We recommand to generate unique dh groups on your machine in order to enhance its security level. To do so, execute the following command and place its result in a file available on your web server (SSL2015 file for example).
openssl dhparam -out dhparams.pem 2048
If you use OpenSSL 1.0.2+
Add the following line to your configuration:
SSLOpenSSLConfCmd DHParameters "/etc/apache2/SSL2015/dhparams.pem"
If you use an older version of OpenSSL
Edit your certificate file (pem-xxx-yyy.pem) and add at the end of it the content of the dhparams.pem file you just generated.Meticulous adjustment of the encypherment level
In a standard installation under linux, the advanced SSL configuration file is located/etc/apache2/mods-enabled/ssl.conf
Choose a strong elliptical curve for ECDH (openssl 1.0.2+)
We recommend that you choose a strong elliptical curve for the ECDH key exchange:SSLOpenSSLConfCmd ECDHParameters secp384r1
4 - Check the installation of your certificate using CO-PiBot:
On your certificate status page, in your customer area at TBS INTERNET, you will find a "Test the installation" button to test the correct installation of your of your certificate.
Apache and SNI (TLS Server Name Indication)
It is used to install several SSL certificates on a single server using a unique IP address. Almost all browsers are compatible with SNI (consult the list).- Make sure the SSL modul install on your Apache server can handle SNI (apache/mod_ssl)
- In the SSL configuration, forbid the use of version 2 of SSL protocol: SSLProtocol all -SSLv2 -SSLv3
- For each VirtualHost indicate the private key, the certificate and the certification chain to be used:
<NameVirtualHost *:443> <VirtualHost *:443> ServerName www.monsite.fr DocumentRoot /var/www/www.monsite.fr ... SSLEngine on SSLCertificateFile chemin/certificat-xxxx.pem SSLCertificateKeyFile chemin/clefprivee-xxxx.key </Virtual Host> <VirtualHost *:443> ServerName www.mywebsite.com DocumentRoot /var/www/mywebsite.com ... SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile chemin/certificat-yyyy.pem SSLCertificateKeyFile chemin/clefprivee-yyyy.key </Virtual Host> ...
External links about SNI
- Is it possible to install several SSL certificates on the same machine? TLS SNI?
- Is it possible to use virtual hosting based on hostname to differentiate multiple virtual hosts?
- Apache + SNI: having several SSL certificates on a singla IP address
- Note: For servers that do not support SNI.
Solution: order a UCC certificate (Multi-SANs) or Wildcard.
Useful links
Internal documentation
- Apache under OS X
- ApacheSSL for NEXEN
- import a certificate on OVH
- Install certificates in RSA/ECC Dual mode on Apache
- Generate a CSR for Apache
- How to make sure your certificate matches the private key?
- All you need to know about 128-bit
- Convert a #PKCS12 (PFX) into a PEM (Mircosoft, Firewall, ... to Apache)
- Create a #PKCS12 (or PFX) from OpenSsl files (PEM : .cer, .p7b, .key)
- Move or copy an Apache certificate to a Tomcat
- Move or copy an Tomcat certificate to a Apache
- Move or copy a IIS certificate (5/6 and 7) to Apache
- Move or copy an Apache certificate to Microsoft IIS (5/6 and 7) / ISA