1 - Load mod_ssl
First, simply uncomment the following line in the httpd.conf file. To modify the httpd.conf file we will use the nano text editor.
The httpd.conf file is usually located at: /etc/apache2/httpd.conf. It's recommended to make a copy of the httpd.conf file just in case we break something.
$ cd /etc/apache2/
$ sudo cp httpd.conf httpd.conf.old
$ sudo nano httpd.conf
Find the following line and uncomment it. Just in case you are not sure, comments have a leading pound/hash symbol ( # ) – just remove it.
2 - Include httpd-ssl.conf File
While we still have the httpd.conf file open, we also need to uncomment the line that includes the httpd-ssl.conf file.
3 - Add VirtualHost to httpd-ssl.conf
The last step is to configure a new virtual host that is bound to port 443 (HTTPS). There is already a sample <VirtualHost> record in the httpd-ssl.conf file. I suggest you first remove it or comment it all out so that you can just paste in the necessary code at the bottom of the file.
httpd-ssl.conf file is usually located at: /etc/apache2/conf/httpd-ssl.conf
You will need to open the file using nano (you can create a copy first for security reasons):
$ cd /etc/apache2/extra
$ sudo cp httpd-ssl.conf httpd-ssl.conf.old
$ sudo nano httpd-ssl.conf
The first step is to declare a new virtual host using the <VirtualHost> directive.
General Virtual Host Settings
Next, within the <VirtualHost> directive, we will declare some basic host settings:
DocumentRoot: absolute path to the webroot for the site
ServerName: the fully qualified domain name (FQDN)
ErrorLog: location of the error log
CustomLog: location of the access log
To enable the SSL engine in Apache we simply set the SSLEngine setting to “on”.
#SSL Engine Switch
SSLEngine on
Convert .pfx to .crt and .key
A .pfx (Personal Information Exchange Format) is a file that enables the transfer of certificates and their private keys. It contains the public key file (SSL certificate file) .crt and the associated private key file .key.
To configure our Virtual Host from a .pfx file, we need to extract the private key and the certificate from it.
To extract the certificate:
$ openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
To extract the key:
$ openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
Sometimes you need an unencrypted .key file to import on some devices. I probably don’t need to mention that you should be careful. If you store your unencrypted key pair in an unsafe location, anyone can have a go with it and impersonate, for instance, a website or a person in your company. So always be extra careful when it comes to private keys!
$ openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
Specify certificate and private key
Using the paths as I described at the beginning, we will tell the SSL engine the location of the certificate file (.crt) and the private host key (.key).
#Server Certificate:
SSLCertificateFile "/private/etc/apache2/ssl/certificate.crt"
#Server Private Key:
SSLCertificateKeyFile "/private/etc/apache2/ssl/keyfile-decrypted.key"
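Before restarting Apache, it is worth confirming that the extracted certificate and key belong together and that the unencrypted key is not readable by other users. The script below is an added example, not part of the original tutorial; the function names are hypothetical, and it assumes an unencrypted key and the openssl command line tool.

```shell
#!/bin/sh
# Added example: sanity checks for a certificate/key pair extracted from a .pfx.
# Function names are illustrative; the key file is assumed to be unencrypted.

# Succeeds only if the certificate and the private key share one public key.
# Returns 2 if either file cannot be parsed by openssl.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if group and other have no permission bits on the key file.
# Characters 5-10 of the ls mode string are the group and other bits.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run both checks and print a one-line verdict.
check_tls_files() {
    cert=$1
    key=$2
    if ! pair_matches "$cert" "$key"; then
        echo "FAIL: $key is not the private key for $cert"
        return 1
    fi
    if ! key_is_private "$key"; then
        echo "FAIL: $key is accessible to group/other (fix: chmod 600 $key)"
        return 1
    fi
    echo "OK: certificate and key match, key file is restricted"
}

# When called with two arguments, check those files, e.g.:
#   sudo sh check.sh /private/etc/apache2/ssl/certificate.crt \
#                    /private/etc/apache2/ssl/keyfile-decrypted.key
if [ "$#" -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```

A mismatch here is the usual cause of Apache refusing to start after a .pfx conversion, and a failed permission check means the warning above about unencrypted keys applies to the file as it sits on disk.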
4 - Test Configuration and restart Apache
$ sudo apachectl -t
$ sudo apachectl restart
All done. You are now serving your website over HTTPS using Apache.