Note: We have updated this blog to reflect additional changes you will need to make in order to ensure your site loads your SSL certificate correctly and is HTTPS secure. These changes are due to security changes being made in the browsers, especially Chrome.
According to Google Chrome's security blog (security.googleblog), “Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.” They went even further with this change and now throw warnings encouraging users to leave your site if your HTTPS SSL certificate is invalid or cannot be verified. These changes affect not only what a user sees when they attempt to visit your site, but also your Google rankings. So we recommend you spend a few minutes revisiting this blog to make sure your SSL settings are current and up to date.
I do not know how many times I have gone through the process of securing an Apache server. The process of creating SSL keys for HTTPS can be a little daunting and can be unforgiving if done wrong. Unfortunately, if you did do something wrong, you will not know until you are almost done trying to set up HTTPS. Therefore, I have put together this tutorial to help clarify and simplify the process of building your keys and configuring a server for HTTPS.
Step 1: Get SSL Certificate
Upload your new SSL certificate to your web server.
Move the cert and ca-bundle files to:
> sudo cp custom.crt /etc/pki/tls/certs/
> sudo cp custom.ca-bundle /etc/pki/tls/certs/
Move your private key to:
> sudo cp custom.key /etc/pki/tls/private/
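Make sure that the new private key and cert have the most restrictive permissions.
The commands, run against the copies you just placed under /etc/pki/tls/, would be as follows:
> sudo chown root:root /etc/pki/tls/private/custom.key
> sudo chmod 600 /etc/pki/tls/private/custom.key
> sudo chown root:root /etc/pki/tls/certs/custom.ca-bundle
> sudo chmod 600 /etc/pki/tls/certs/custom.ca-bundle
> sudo chown root:root /etc/pki/tls/certs/custom.crt
> sudo chmod 600 /etc/pki/tls/certs/custom.crt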
Step 2: Enable SSL/TLS on the Server
Add SSL/TLS support by installing the Apache module mod_ssl:
> sudo yum install -y mod24_ssl
Next, you will need to restart Apache:
> sudo service httpd restart
Now we need to configure Apache to use our new SSL Cert. To do this, we need to open up the SSL configuration file on your web server.
> sudo vi /etc/httpd/conf.d/ssl.conf
Scroll down until you find the Certificate Authority (CA) section. Note: if the line is preceded by a “#” then the line is commented and not read at execution time. If this is the case remove the “#” when you make the changes below.
- Start by entering edit mode by typing “i” on the keyboard.
- Replace the following line “SSLCertificateFile /etc/pki/tls/certs/localhost.crt” with:
> SSLCertificateFile /etc/pki/tls/certs/custom.crt
- Next, replace the following line “SSLCertificateKeyFile /etc/pki/tls/private/localhost.key” with:
> SSLCertificateKeyFile /etc/pki/tls/private/custom.key
- Finally, replace the line “SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt” with:
> SSLCACertificateFile /etc/pki/tls/certs/custom.ca-bundle
- Press the “esc” key to exit editing mode.
- Type “:x” to save your changes.
Restart Apache to enable HTTPS:
> sudo service httpd restart
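Because mistakes in the steps above only show up at the very end, it helps to check the result before the final restart. The script below is an added example, not part of the original tutorial: it confirms that the certificate and key directives are uncommented, that the key file is restricted to its owner, and that the key actually belongs to the certificate. It assumes a Linux host with GNU stat and the openssl command installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original tutorial): checks to run before restarting Apache.
# Assumes a Linux host with GNU stat and openssl; function names are hypothetical.

# Print the value of an active (uncommented) directive, or nothing if it is
# absent or prefixed with "#". Directive names are matched case-insensitively.
active_directive() {  # usage: active_directive <conf> <DirectiveName>
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 }
                   END { gsub(/"/, "", v); if (v != "") print v }' "$1"
}

# Succeed only if the file exists and grants nothing to group or others (600, 400).
is_private() {  # usage: is_private <file>
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert <cert> <key>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Report every problem found in the given ssl.conf; exit status 1 if any.
check_tls_conf() {  # usage: check_tls_conf <ssl.conf>
    rc=0
    cert=$(active_directive "$1" SSLCertificateFile)
    key=$(active_directive "$1" SSLCertificateKeyFile)
    [ -n "$cert" ] || { echo "SSLCertificateFile missing or commented out"; rc=1; }
    [ -n "$key" ]  || { echo "SSLCertificateKeyFile missing or commented out"; rc=1; }
    if [ -n "$key" ] && ! is_private "$key"; then
        echo "$key: accessible by group or others"; rc=1
    fi
    if [ -n "$cert" ] && [ -n "$key" ] && ! key_matches_cert "$cert" "$key"; then
        echo "private key does not match certificate"; rc=1
    fi
    return $rc
}

# Run against a config path when one is given on the command line.
if [ "$#" -gt 0 ]; then check_tls_conf "$1"; fi
```

Run it with sudo and the path /etc/httpd/conf.d/ssl.conf so it can read the private key; no output and a zero exit status mean all three checks passed.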
Additional Resources
- Check out Apache.org.