How to configure SSL/TLS in Apache httpd?
Environment
- Red Hat Enterprise Linux (RHEL)
- Red Hat JBoss Core Services (JBCS)
- Apache Web Server
- httpd
- mod_ssl
Issue
- How do I configure Apache httpd to use a certificate file for SSL?
- Please let me know about the SSL configuration of JBoss Enterprise Web Server (EWS).
- How to enable https in Apache httpd server?
- Configure SSL in the Apache web server on Red Hat Linux 6.3
- Please suggest how to do the SSL configuration in the web server so that I can access the application using https.
- Please share resources for securing HTML with a successfully installed SSL certificate.
- How to implement https in the httpd web server on Red Hat 5.5
- How to configure SSL/TLS in Apache httpd?
Resolution
RHEL documentation has detailed instructions for setting up SSL on Apache:
- RHEL 8 - 1.9. Configuring TLS encryption on an Apache HTTP Server
- RHEL 9 - 1.8. Configuring TLS encryption on an Apache HTTP Server
- RHEL 10 - Chapter 3. Configuring TLS encryption on an Apache HTTP server
For JBoss Core Services (JBCS), most of the instructions are the same as for RHEL's httpd. The mod_ssl module is included by default, so no additional installation is required.
There's a default $JBCS_HOME/httpd/conf.d/ssl.conf file that can be used as a starting point for configuration.
NOTE: $JBCS_HOME is where the JBCS ZIP file is extracted.
The minimum configuration required is:
<VirtualHost *:443>
    ServerName example.com
    # Enable SSL encryption.
    SSLEngine on
    # The location of the private key, certificate, and chain certificate.
    # Apache expects separate PEM format files for key and certificate, and another for the CA chain.
    # The key file should be readable ONLY by the root user.
    # The certificate file should be readable by the httpd user.
    # The chain certificate file should be readable by the httpd user.
    SSLCertificateKeyFile </path/to/private.key>
    SSLCertificateFile </path/to/certificate.crt>
    SSLCertificateChainFile </path/to/chain-cert.crt>
</VirtualHost>
NOTE: update the </path/to/...> with the actual paths to the files.
For production environments, it is recommended to use a certificate issued by a certificate authority (CA). Red Hat is not a CA and does not issue certificates. The process begins by creating a certificate signing request (CSR): Creating a Certificate Signing Request. The CSR is then submitted to a CA for signing. Once signed, the resulting server certificate and the chain certificate are used in the SSLCertificateFile and SSLCertificateChainFile directives.
It is possible to use a self-signed certificate, but it is only recommended for development environments: How to create a self-signed certificate on Red Hat Enterprise Linux with OpenSSL?
Furthermore, it is recommended to configure other settings as well, such as SSLProtocol and SSLCipherSuite. Here is an example:
<VirtualHost *:443>
    ServerName example.com
    # Enable SSL encryption.
    SSLEngine on
    # The location of the private key, certificate, and chain certificate.
    # Apache expects separate PEM format files for key and certificate, and another for the CA chain.
    # The key file should be readable ONLY by the root user.
    # The certificate file should be readable by the httpd user.
    # The chain certificate file should be readable by the httpd user.
    SSLCertificateKeyFile </path/to/your/private.key>
    SSLCertificateFile </path/to/your/certificate.crt>
    SSLCertificateChainFile </path/to/your/chain-cert.crt>
    # Disable all protocols except TLSv1.2 and TLSv1.3
    SSLProtocol -All +TLSv1.2 +TLSv1.3
    # Use a strong cipher suite
    SSLCipherSuite @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
</VirtualHost>
These values should be adjusted to business requirements: if a different set of protocols or cipher suites is needed, change the SSLProtocol and SSLCipherSuite directives accordingly.
If the RHEL system-wide cryptographic policies are in use, the SSLProtocol and SSLCipherSuite directives should be kept consistent with the active policy, since explicit values in the vhost take precedence over it.
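As an added example that is not part of this article and is not Red Hat's or the httpd project's code, the following Python script applies the checks discussed above to the text of a vhost block: SSLEngine must be on, SSLProtocol must not leave SSLv3, TLSv1 or TLSv1.1 enabled, SSLCipherSuite must not enable RC4, DES, MD5 or similar selectors, and the private key file must not be readable by group or others. The function names, the two sample vhost blocks and the wording of the findings are this example's own; it models only the parts of the mod_ssl directive syntax these checks need, and it treats SSLCipherSuite PROFILE=SYSTEM (the value RHEL's shipped ssl.conf uses to defer to the system-wide crypto policy) as already governed by that policy.

```python
import os
import stat
import tempfile

# Protocols mod_ssl 2.4 knows ("all" expands to every one of them); the legacy set is what to flag.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string keywords that must only ever appear removed ("!X" or "-X").
WEAK_CIPHER_KEYWORDS = {"NULL", "eNULL", "aNULL", "EXPORT", "RC4", "RC2", "DES", "3DES", "MD5", "IDEA", "SEED"}


def parse_directives(config_text):
    # Returns (directive, value) pairs; comments and <VirtualHost> tags are skipped.
    pairs = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        pairs.append((name, value.strip()))
    return pairs


def enabled_protocols(value):
    """Evaluate an SSLProtocol value such as '-All +TLSv1.2 +TLSv1.3' or 'all -SSLv3'."""
    enabled = set()
    for token in value.split():
        sign = token[0] if token[0] in "+-" else "+"
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def cipher_findings(value):
    """Flag enabled weak selectors and a low @SECLEVEL in an SSLCipherSuite string."""
    findings = []
    for token in value.split(":"):
        if token.startswith("@SECLEVEL="):
            level = int(token.split("=", 1)[1])
            if level < 2:
                findings.append(f"SSLCipherSuite: @SECLEVEL={level} allows below-112-bit security")
        elif not token.startswith(("!", "-")):
            # "+RC4" only reorders and "RC4+RSA" is an AND of selectors; both still enable RC4.
            if any(part in WEAK_CIPHER_KEYWORDS for part in token.lstrip("+").split("+")):
                findings.append(f"SSLCipherSuite: weak selector '{token}' is enabled")
    return findings


def key_file_findings(path):
    """The article requires the key to be readable only by root: no group/other permission bits."""
    if path.startswith("<") and path.endswith(">"):
        return [f"SSLCertificateKeyFile: placeholder {path} has not been replaced"]
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return [f"SSLCertificateKeyFile: {path} does not exist"]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"SSLCertificateKeyFile: {path} is mode {stat.S_IMODE(mode):04o}, expected 0600"]
    return []


def lint_vhost(config_text, check_files=True):
    """Return a list of findings for one vhost block; an empty list means clean."""
    directives = dict(parse_directives(config_text))  # assumes each directive appears once
    findings = []
    if directives.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not 'on': this vhost would answer port 443 in plain HTTP")
    protocols = enabled_protocols(directives.get("SSLProtocol", "all -SSLv3"))  # mod_ssl default
    for proto in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"SSLProtocol: legacy protocol {proto} is still enabled")
    cipher = directives.get("SSLCipherSuite")
    if cipher and cipher != "PROFILE=SYSTEM":  # PROFILE=SYSTEM defers to the RHEL crypto policy
        findings.extend(cipher_findings(cipher))
    if check_files and "SSLCertificateKeyFile" in directives:
        findings.extend(key_file_findings(directives["SSLCertificateKeyFile"]))
    return findings


# Constructed sample: the article's hardened vhost, placeholders left exactly as the article shows them.
HARDENED = """<VirtualHost *:443>
    SSLEngine on
    SSLCertificateKeyFile </path/to/your/private.key>
    SSLCertificateFile </path/to/your/certificate.crt>
    SSLProtocol -All +TLSv1.2 +TLSv1.3
    SSLCipherSuite @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
</VirtualHost>"""
# Constructed sample: a legacy vhost that forgot SSLEngine and still allows SSLv3/TLSv1.x and RC4.
WEAK = """<VirtualHost *:443>
    SSLCertificateKeyFile /etc/pki/tls/private/legacy.key
    SSLCertificateFile /etc/pki/tls/certs/legacy.crt
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:RC4+RSA:!aNULL
</VirtualHost>"""


def demo_key_permissions():
    # Constructed demo: a world-readable key (0644) is flagged, the same key at 0600 is not.
    with tempfile.NamedTemporaryFile(suffix=".key", delete=False) as handle:
        handle.write(b"-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n")
        path = handle.name
    os.chmod(path, 0o644)
    loose = key_file_findings(path)
    os.chmod(path, 0o600)
    strict = key_file_findings(path)
    os.unlink(path)
    return loose, strict
```

Run lint_vhost() against the text of your own <VirtualHost *:443> block; an empty list is a pass. The file check uses the permissions of the invoking user, so run it as root to see the key file the way httpd's parent process does.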
Diagnostic Steps
- To view the certificate Common Name (CN):
# openssl x509 -noout -text -in localhost.crt | grep CN -
- To test the connection to the server: How to test SSL connectivity from the command line?
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.