[id='securing-apache-httpd']
= Securing Apache HTTPD

To enable TLS/SSL support, download and install one of the following packages:

* https://apps.fedoraproject.org/packages/mod_ssl[mod_ssl], based on https://www.openssl.org[OpenSSL]
* https://apps.fedoraproject.org/packages/mod_gnutls[mod_gnutls], based on https://www.gnutls.org/[GnuTLS]
* https://apps.fedoraproject.org/packages/mod_nss[mod_nss], based on https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS[NSS]

[id='using-mod-ssl']
== Using mod_ssl

[id='installing-mod-ssl']
=== Installing mod_ssl

The https://apps.fedoraproject.org/packages/mod_ssl[mod_ssl] package is enabled automatically after installation. Install the https://apps.fedoraproject.org/packages/mod_ssl[mod_ssl] package using the following command:

----
sudo dnf install mod_ssl -y
----

[id='generating-new-certificate']
=== Generating a new certificate

To generate a new certificate, refer to https://fedoraproject.org/wiki/Https#openssl[Create a certificate using OpenSSL].

// The topic ID can be used here instead of the absolute link. Have used absolute link as the destination content in question is in a topic that may not be a part of this activity.

[id='installing-existing-certificate']
=== Installing an existing certificate

If you already have a certificate generated on another computer, do the following:

. Move the certificate and the key file to the correct folder:
+
----
sudo mv key_file.key /etc/pki/tls/private/myhost.com.key
sudo mv certificate.crt /etc/pki/tls/certs/myhost.com.crt
----
+
. Ensure that the following parameters are correct:
+
.. SELinux contexts
+
----
sudo restorecon /etc/pki/tls/private/myhost.com.key
sudo restorecon /etc/pki/tls/certs/myhost.com.crt
----
+
.. Ownership
+
----
sudo chown root:root /etc/pki/tls/private/myhost.com.key
sudo chown root:root /etc/pki/tls/certs/myhost.com.crt
----
+
.. Permissions
+
----
sudo chmod 0600 /etc/pki/tls/private/myhost.com.key
sudo chmod 0600 /etc/pki/tls/certs/myhost.com.crt
----

After installing the existing certificate, set up the certificate using <>.

[id='mod-ssl-configuration']
=== mod_ssl configuration

The default TLS/SSL configuration is contained in the file `/etc/httpd/conf.d/ssl.conf`. In the `ssl.conf` file, the following directives specify where the TLS/SSL certificate and key are located:

----
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
----

These directives are enclosed in a block defining a https://httpd.apache.org/docs/current/vhosts/[virtual host]:

----
<VirtualHost _default_:443>
...
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
...
</VirtualHost>
----

To define a different location for these files, do the following:

. Create a copy of the `/etc/httpd/conf.d/ssl.conf` file and rename the copy to `z-ssl-local.conf`.
+
. Edit the following lines in the `z-ssl-local.conf` file:
+
----
SSLCertificateFile /etc/pki/tls/certs/www.myhost.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.myhost.org.key
----

This file will override the two settings for the `pass:[_default_]:443` virtual host; all other settings from `ssl.conf` will be retained.

[id='settings-individual-virtual-hosts']
=== Settings for individual virtual hosts

To use SSL/TLS for a specific virtual host with a certificate other than the default one, do the following:

. Open that virtual host's configuration file `/etc/httpd/conf.d/hostname.conf`.
+
. Insert these lines between the virtual host's opening `<VirtualHost>` and closing `</VirtualHost>` tags:
+
----
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
----
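
The ownership and permission settings from the "Installing an existing certificate" steps can be verified before httpd is restarted, together with a check that the certificate belongs to the private key. The following script is an added example and is not part of the original documentation; the function names `check_file`, `pair_matches` and `verify_install` are hypothetical, and it assumes GNU `stat` and the `openssl` command-line tool are installed.

```shell
#!/bin/sh
# Added example: verify an installed certificate/key pair.
# Function names are hypothetical; paths are passed in as arguments.

# check_file PATH MODE OWNER
# Succeeds only if PATH exists with exactly this octal mode and user:group.
check_file() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    actual_mode=$(stat -c '%a' "$1") || return 1
    actual_owner=$(stat -c '%U:%G' "$1") || return 1
    [ "$actual_mode" = "$2" ] || {
        echo "$1: mode $actual_mode, expected $2" >&2; return 1; }
    [ "$actual_owner" = "$3" ] || {
        echo "$1: owner $actual_owner, expected $3" >&2; return 1; }
}

# pair_matches CERT KEY
# Succeeds only if the public key embedded in the certificate equals the
# public key derived from the private key (works for RSA and EC keys).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# verify_install CERT KEY [OWNER]
# Runs every check; OWNER defaults to root:root as in the steps above.
verify_install() {
    owner=${3:-root:root}
    check_file "$2" 600 "$owner" || return 1
    check_file "$1" 600 "$owner" || return 1
    pair_matches "$1" "$2" || {
        echo "certificate and key do not match" >&2; return 1; }
    echo "OK: $1 matches $2"
}

# Usage (as root), followed by a syntax check of the httpd configuration:
#   verify_install /etc/pki/tls/certs/myhost.com.crt \
#                  /etc/pki/tls/private/myhost.com.key && apachectl configtest
```

A mismatched pair is the usual reason httpd refuses to start after a certificate is copied from another machine, so running this check first separates that failure from a configuration syntax error.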