ANS Documentation


SSL Certificates

To allow users to connect to your site over HTTPS, you need to install mod_ssl.

yum install mod_ssl

This will add the file /etc/httpd/conf.d/ssl.conf. If you’re configuring separate vhosts per site (as suggested above), it’s best to delete or comment out everything in this file from the following section downwards:

  ##
  ## SSL Virtual Host Context
  ##

  <VirtualHost _default_:443>

  # General setup for the virtual host, inherited from global configuration
  #DocumentRoot "/var/www/html"
  #ServerName www.example.com:443

You then need to add the following section to your vhost configuration:

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLCertificateFile /etc/pki/tls/certs/firstdomain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/firstdomain.com.key

Note

The recommended cipher suites and protocols are constantly changing. The Mozilla SSL Config Generator <https://mozilla.github.io/server-side-tls/ssl-config-generator/> is useful for generating these.

If you have a signed (paid for) certificate, this needs to be added to the /etc/pki/tls/certs/firstdomain.com.crt file. Your certificate issuer should have provided you with a CA bundle. This needs to be added underneath your certificate in the same file.

Your private key will need to be added to the /etc/pki/tls/private/firstdomain.com.key file. This file should have its permissions changed to be 600.

chmod 600 /etc/pki/tls/private/firstdomain.com.key

This means the key can only be read and edited by the root user on your server.

You then need to test the configuration.

httpd -t

And then reload it.

service httpd reload
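
The file checks implied by the steps above, as an added example that is not part of the original ANS documentation: a bash pre-flight that confirms the key is mode 600, that a CA bundle has been appended, and that the first certificate in the file matches the private key. The function names are hypothetical and the script assumes openssl is installed.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the files named by SSLCertificateFile
# and SSLCertificateKeyFile. Function names are hypothetical; needs openssl.

# Succeeds only if the key file's mode is exactly 600.
key_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    [ "$mode" = "600" ]
}

# Prints how many PEM certificates the file holds (1 means no CA bundle).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Succeeds if the FIRST certificate in the file carries the public key that
# belongs to the private key. Fails when the CA bundle sits above the site
# certificate or when the key belongs to a different certificate.
pair_matches() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs all three checks; returns non-zero if a hard check fails.
preflight() {
    local crt=$1 key=$2 rc=0 n
    key_mode_ok "$key" || { echo "FAIL: $key is not mode 600"; rc=1; }
    n=$(cert_count "$crt")
    [ "${n:-0}" -ge 2 ] || echo "WARN: $crt holds ${n:-0} certificate(s); CA bundle not appended?"
    pair_matches "$crt" "$key" ||
        { echo "FAIL: first certificate in $crt does not match $key"; rc=1; }
    return "$rc"
}

# Usage: ./preflight.sh /etc/pki/tls/certs/firstdomain.com.crt \
#                       /etc/pki/tls/private/firstdomain.com.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as root, since the key is not readable by other users. A missing CA bundle is reported as a warning only, because a self-signed certificate has none.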

Fully featured examples of this and other Apache functionality can be found on the following page:

Sample vhosts
