How to Install an SSL Certificate for ApacheSSL

Your issuance email contains instructions on how to download your SSL Certificate.

Copy and paste the Thawte certificate, in X.509 format, into a text editor such as Notepad, including the header and footer.
 
You should then have a text file that looks like:  
 
-----BEGIN CERTIFICATE-----

[encoded data]

-----END CERTIFICATE-----  
 
Make sure you have 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white space, extra line breaks or additional characters have been inadvertently added. 
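A pre-install check for the pasted file, as an added example that is not part of the original instructions: it applies the rules above (exact five-dash header and footer, no stray white space, blank lines or extra characters) and also confirms that the body decodes to DER. The function names and the sample data are constructed for illustration, and accepting CRLF line endings is an assumption.

```python
import base64

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"

def lint_pem_certificate(text):
    """Return a list of problems in a pasted PEM certificate (empty list = clean)."""
    problems = []
    # Assumption: CRLF line endings (as saved by Notepad) are accepted.
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[-1] == "":
        lines.pop()                          # a single final newline is fine
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            problems.append(f"line {number}: blank line")
        elif line != line.strip():
            problems.append(f"line {number}: leading or trailing white space")
    kept = [line.strip() for line in lines if line.strip()]
    if not kept or kept[0] != HEADER:
        problems.append(f"first line must be exactly {HEADER}")
    if len(kept) < 2 or kept[-1] != FOOTER:
        problems.append(f"last line must be exactly {FOOTER}")
    try:
        der = base64.b64decode("".join(kept[1:-1]), validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        problems.append("encoded data has non-base64 characters or bad padding")
    else:
        if der[:1] != b"\x30":               # X.509 DER starts with a SEQUENCE tag
            problems.append("decoded data does not start with a DER SEQUENCE (0x30)")
    return problems

def constructed_sample():
    """Constructed stand-in: a DER SEQUENCE header plus zero bytes, not a real certificate."""
    b64 = base64.b64encode(b"\x30\x82\x01\x0a" + bytes(266)).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([HEADER, *rows, FOOTER]) + "\n"

if __name__ == "__main__":
    # Simulate two paste mistakes: a dropped dash and a trailing space.
    pasted = constructed_sample().replace(HEADER, HEADER[1:]).replace(FOOTER, FOOTER + " ")
    for problem in lint_pem_certificate(pasted) or ["certificate text looks clean"]:
        print(problem)
```

Run it against the contents of domainname.crt before copying the file to the server; an empty result means the text passes these format checks, not that the certificate is valid for your site.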
 
1. Save the certificate file in your text editor as domainname.crt
 
     Note: The examples below use the following naming conventions:
 
    "Your Private Key" = "domainname.key"; "Your Web Server Certificate" = "domainname.crt"

2. Copy the certificate to the Apache server directory in which you plan to store your certificates (by default: /usr/local/apache/conf/ssl.crt/ or /etc/httpd/conf/ssl.crt/).

3. Open the Apache httpd.conf file in a text editor. Locate the SSL VirtualHost associated with your certificate and verify that the following 2 directives are present within this virtual host. Add them if they are not present:
 
     -  SSLCertificateFile /usr/local/apache/conf/ssl.crt/domainname.crt 
 
     -  SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key

Note: Some instances of Apache store Virtual Host information in an ssl.conf file. If your httpd.conf contains no Virtual Host information, locate and amend the ssl.conf as above.

4. Save the changes and exit the editor.
 
5. Start or restart your Apache web server.
 
Additional information:
 
Your httpd.conf should contain some or all of the following directives (for an IP based site). Those directives marked in bold are SSL related. Those directives marked in italics should only be used for troubleshooting. 

<VirtualHost 192.168.1.1:443>
    DocumentRoot /var/www/html
    ServerName 192.168.1.98
    ServerAdmin someone@your.domain
    ErrorLog /etc/httpd/logs/ssl_error_log
    TransferLog /etc/httpd/logs/ssl_access_log
    SSLEngine On
    SSLCertificateFile /etc/httpd/conf/ssl.crt/domainname.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domainname.key
    SSLSessionCache dbm:/var/cache/httpd/ssl_cache
    SSLSessionCacheTimeout 300
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

SSLSessionCache & SSLSessionCacheTimeout prevent known issues with Mac Internet Explorer compatibility with Apache. You are only advised to add these directives if you are experiencing Mac compatibility issues.

SetEnvIf User-Agent fixes the intermittent server errors associated with some versions of Windows Internet Explorer. You are only advised to add this directive if you are experiencing compatibility issues with old versions of Internet Explorer.

For more information about configuring Apache, please review http://httpd.apache.org/docs-2.0/mod/mod_ssl.html 

Test your certificate by using a browser to connect to your server.

Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

The padlock icon on your browser will be displayed in the locked position if your certificates are installed correctly and the server is properly configured for SSL.
