Difference between revisions of "Installing SSL certificate in Apache"
From Notes_Wiki
m |
m |
||
(7 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Apache web server configuration]] > [[Installing SSL certificate in Apache]] | |||
[[Main Page|Home]] > [[Security tips]] > [[Installing SSL certificate in Apache]] | |||
For installation of certificate in apache use following steps: | For installation of certificate in apache use following steps: | ||
# Copy all (certificate, key, CA bundle) to /etc/httpd/conf folder | # Copy all (certificate, key, CA bundle) to /etc/httpd/conf folder | ||
Line 19: | Line 20: | ||
#Edit /etc/httpd/conf/ssl.conf and replace/insert following two values | #Edit /etc/httpd/conf/ssl.conf and replace/insert following two values | ||
#:<pre> | #:<pre> | ||
#::SSLProtocol all -SSLv2 -SSLv3 | #:: SSLEngine on | ||
#::SSLHonorCipherOrder on | #:: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | ||
#::SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA | #:: SSLHonorCipherOrder on | ||
#:: SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS" | |||
#:: Header always set Strict-Transport-Security "max-age=31536000" | |||
#:</pre> | #:</pre> | ||
#::In case of Virtualhost '<tt>SSLEngine On</tt>' line is also required. | #::In case of Virtualhost '<tt>SSLEngine On</tt>' line is also required. | ||
#Check ranking of HTTPS security using https://www.ssllabs.com/ssltest/index.html | #Check ranking of HTTPS security using https://www.ssllabs.com/ssltest/index.html | ||
Refer: | |||
* https://www.mysterydata.com/how-to-get-a-score-rating-in-ssllabs-qualys/ | |||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Apache web server configuration]] > [[Installing SSL certificate in Apache]] | |||
[[Main Page|Home]] > [[Security tips]] > [[Installing SSL certificate in Apache]] | |||
Latest revision as of 04:19, 18 April 2022
Home > CentOS > CentOS 6.x > Apache web server configuration > Installing SSL certificate in Apache
Home > Security tips > Installing SSL certificate in Apache
For installation of certificate in apache use following steps:
- Copy all (certificate, key, CA bundle) to /etc/httpd/conf folder
- chmod 400 ssl.key
- Edit /etc/httpd/conf.d/ssl.conf and replace appropriate values. Following three values need to be updated:
- SSLCertificateFile /etc/httpd/conf/ssl.pem
- SSLCertificateKeyFile /etc/httpd/conf/ssl.key
- SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem
- Restart apache and verify that certificate is working as expected.
Securing Apache SSL configuration
Default SSL configuration of apache is vulnerable to many attacks. We can improve apache SSL configuration as follows:
- Edit /etc/httpd/conf/ssl.conf and replace/insert following two values
- SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
- SSLHonorCipherOrder on
- SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
- Header always set Strict-Transport-Security "max-age=31536000"
-
- In case of Virtualhost 'SSLEngine On' line is also required.
- Check ranking of HTTPS security using https://www.ssllabs.com/ssltest/index.html
Refer:
Home > CentOS > CentOS 6.x > Apache web server configuration > Installing SSL certificate in Apache