Renewing SSL Certificates for Apache (non-Tomcat)

SSL Certificates on Apache Servers

Configuring SSL on Apache (non-Tomcat) servers differs from Apache Tomcat, although the general steps are the same. This blog post assumes a general understanding of the differences between Apache HTTPD and Apache Tomcat.

Overview/Architecture

Ordering and renewing an SSL certificate on Apache servers consists of the following parts:

  1. Generating a CSR
  2. Ordering a Certificate
  3. Importing the resulting certificate and any intermediate certificates required
  4. Configuring the server to use the key (if necessary)
  5. Restarting Apache

Generating a CSR

Typically, generating a CSR is a pretty straightforward task.

  • SSH to the server you will be renewing the certificate for
  • Generate the CSR to send to the Certificate Vendor
  • openssl req -new -newkey rsa:2048 -nodes -keyout /path/to/private/key/server.key -out /path/to/your/csr/server.csr
  • Follow the prompts – they will ask you to fill out some identifying information, including the FQDN.

Note: When openssl prompts you for [Name] (or [First Name], depending on the openssl version), it is really asking for the FQDN of the certificate you are ordering (e.g. fu.bar.org).

  • Open the CSR file with a text editor and copy it (including the BEGIN and END tags)

Ordering a Certificate

  • Go to your CA and request a new certificate.
  • You will be prompted to enter the text of the CSR you generated.
  • Copy the full content of the CSR file you generated (server.csr in the example above) and paste it where requested
  • Fill out other order information as appropriate, and double-check the domain you are getting the certificate for (e.g. www.yourdomain.com)

Importing the Certificate

  • Copy the certificates to the server

Configuring the Server

Find the Apache config file to edit

  • The location and name of the config file can vary from server to server.
  • Typically named httpd.conf or apache2.conf.
  • Possible locations for this file include /etc/httpd/ or /etc/apache2/.

For a comprehensive listing of default installation layouts for Apache HTTPD on various operating systems and distributions, see Httpd Wiki – DistrosDefaultLayout.

  • The configuration files may be under a directory like /etc/httpd/vhosts.d/, /etc/httpd/sites/, or in a file called httpd-ssl.conf.
  • One way to locate the SSL configuration on Linux distributions is to search for the directive with grep:
grep -i -r "SSLCertificateFile" /etc/httpd/

Where “/etc/httpd/” is the base directory for your Apache installation.

Modifying the Config File

Below is a very simple example of a virtual host configured for SSL.

<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_certificate.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/intermediate_cert_if_required.crt
SSLCACertificateFile /path/to/rootCA_cert.crt
</VirtualHost>

Test Your Config

Apache won’t start if there is a configuration error.

apachectl configtest

This tests the configuration before you commit to a restart, and reports an error if Apache would fail to start with the current config.
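Before running configtest, it is worth confirming that the renewed files are consistent with each other: the private key belongs to the new certificate, the certificate verifies against the CA and intermediate files, and it is not the old, soon-to-expire copy. The POSIX shell preflight below is an added example, not part of the original post; the file paths are the placeholders from the VirtualHost example above, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): pre-restart checks for a renewed
# certificate. Paths are placeholders; substitute the values from your
# SSLCertificateFile / SSLCertificateKeyFile / SSLCACertificateFile directives.

# Returns 0 when the public key inside CERT matches private key KEY.
# A key/certificate mismatch is a common reason a renewed vhost refuses to start.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when CERT chains to a certificate in CAFILE. An optional third
# argument names the intermediate bundle (SSLCertificateChainFile).
# The "<file>: OK" line is checked explicitly rather than relying on the exit code.
cert_chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>/dev/null | grep -qFx "$1: OK"
    else
        openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -qFx "$1: OK"
    fi
}

# Returns 0 when CERT stays valid for at least DAYS more days
# (catches the case where the old certificate was copied back by mistake).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Runs all checks; returns the number of failed checks (0 = ready for configtest).
preflight() {
    cert=$1; key=$2; ca=$3; chain=$4; failures=0
    cert_key_match "$cert" "$key" \
        || { echo "FAIL: private key does not match $cert"; failures=$((failures + 1)); }
    cert_chain_verifies "$cert" "$ca" "$chain" \
        || { echo "FAIL: $cert does not verify against $ca"; failures=$((failures + 1)); }
    cert_valid_for_days "$cert" 30 \
        || { echo "FAIL: $cert expires within 30 days"; failures=$((failures + 1)); }
    return "$failures"
}

# Example invocation with the placeholder paths from the VirtualHost above:
# preflight /path/to/your_certificate.crt /path/to/your_private.key \
#           /path/to/rootCA_cert.crt /path/to/intermediate_cert_if_required.crt \
#     && apachectl configtest
```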

Restart Apache

apachectl stop
apachectl start
