Chapter 3. Configuring TLS encryption on an Apache HTTP server


By default, Apache distributes content to clients by using an unsecured HTTP connection. To secure web traffic, you can enable TLS encryption and configure often used encryption-related settings on an Apache HTTP Server.

To secure web traffic, install mod_ssl and configure the virtual host to use the private key and certificate that your CA issued (in an Identity Management (IdM) deployment, the sub-CA credentials) so that the server accepts encrypted HTTPS connections for the domain.

Prerequisites

  • The Apache HTTP Server is installed and running.
  • The private key is stored in the /etc/pki/tls/private/example.com.key file.

    For details about creating a private key and certificate signing request (CSR), and how to request a certificate from a certificate authority (CA), see documentation of your CA.

  • The TLS certificate is stored in the /etc/pki/tls/certs/example.com.crt file. If you use a different path, follow the corresponding steps of the procedure.
  • The CA certificate is stored in the /etc/pki/tls/certs/ca.crt file. If you use a different path, follow the corresponding steps of the procedure.
  • The clients and the web server resolve the hostname of the server to the IP address of the web server.
  • If the server runs Red Hat Enterprise Linux 10 (RHEL) and the Federal Information Processing Standards (FIPS) mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use Transport Layer Security (TLS) 1.3. TLS 1.2 connections without EMS fail. For details, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.

Procedure

  1. Install the mod_ssl package:

    # dnf install mod_ssl
  2. Edit the /etc/httpd/conf.d/ssl.conf file and add the following settings to the <VirtualHost _default_:443> directive:

    1. Set the server name:

      ServerName example.com

      The server name must match the entry set in the Common Name field of the certificate.

    2. Optional: If the certificate includes additional host names in the Subject Alternative Name (SAN) field, you can configure mod_ssl to provide TLS encryption also for these host names. To configure this, add the ServerAlias parameter with the corresponding names:

      ServerAlias www.example.com server.example.com
    3. Set the paths to the private key, the server certificate, and the CA certificate:

      SSLCertificateKeyFile "/etc/pki/tls/private/example.com.key"
      SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
      SSLCACertificateFile "/etc/pki/tls/certs/ca.crt"
  3. For security reasons, ensure that only the root user can access the private key file:

    # chown root:root /etc/pki/tls/private/example.com.key
    # chmod 600 /etc/pki/tls/private/example.com.key
    Warning

    If unauthorized users access the private key, revoke the certificate, create a new private key, and request a new certificate. Otherwise, the TLS connection is no longer secure.

Verification

  • Open a web browser and connect to https://example.com.
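The steps above tie three things together: the private key must match the certificate, the ServerName and ServerAlias values must appear in the certificate, and the key file must be readable only by root. The following pre-flight script checks all three before httpd is restarted. It is an added example, not part of the Red Hat documentation or the httpd project; it assumes GNU stat (coreutils) and the openssl command-line tool, and the function names (check_key_perms, key_matches_cert, cert_names, preflight) are the example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the mod_ssl virtual host configured above.
# Not part of the Red Hat documentation or the httpd project.
# Assumes GNU stat (coreutils) and the openssl command-line tool.

# check_key_perms FILE
# Succeeds only when FILE has mode 0600 (no group or other access), which is
# what the chmod step in the procedure enforces. A non-root owner is reported
# as a warning because the procedure expects root:root.
check_key_perms() {
    local file=$1 mode owner
    mode=$(stat -c '%a' "$file" 2>/dev/null) || { echo "FAIL: cannot stat $file" >&2; return 1; }
    if [ "$mode" != "600" ]; then
        echo "FAIL: $file has mode $mode, expected 600" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$file")
    [ "$owner" = "root" ] || echo "WARN: $file is owned by $owner, the procedure expects root" >&2
    return 0
}

# key_matches_cert KEY CERT
# Compares the public key derived from the private key with the public key in
# the certificate. Comparing the SubjectPublicKeyInfo works for RSA and EC keys.
key_matches_cert() {
    local key_pub cert_pub
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_names CERT
# Prints the Common Name followed by every DNS entry of the Subject Alternative
# Name extension, one per line. Every ServerName and ServerAlias in ssl.conf
# must appear in this list, otherwise clients reject the certificate.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# preflight KEY CERT NAME...
# Runs every check and reports each configured server name that the
# certificate does not cover. Returns 0 only when all checks pass.
preflight() {
    local key=$1 cert=$2 rc=0 names name
    shift 2
    check_key_perms "$key" || rc=1
    if key_matches_cert "$key" "$cert"; then
        echo "OK: private key matches certificate"
    else
        echo "FAIL: private key does not match certificate" >&2
        rc=1
    fi
    names=$(cert_names "$cert")
    for name in "$@"; do
        if printf '%s\n' "$names" | grep -qxF "$name"; then
            echo "OK: certificate covers $name"
        else
            echo "FAIL: certificate does not cover $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage with the paths from the procedure (run as root so the key is readable):
# preflight /etc/pki/tls/private/example.com.key /etc/pki/tls/certs/example.com.crt \
#     example.com www.example.com server.example.com
```

A failed key_matches_cert check is the usual cause of httpd refusing to start after the certificate is renewed with a fresh key, and a missing name in cert_names is what browsers report as a name mismatch even though the handshake itself succeeds.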

By default, the Apache HTTP Server on RHEL uses the system-wide cryptographic policy that defines safe default values, which are also compatible with recent browsers. For example, the DEFAULT policy defines that only the TLSv1.2 and TLSv1.3 protocol versions are enabled in Apache HTTP Server.

You can manually configure TLS protocol versions that the Apache HTTP Server supports. You need to enable only specific TLS protocol versions in your environment in these cases:

  • If your environment requires that clients can also use the weak TLS1 (TLSv1.0) or TLS1.1 protocol.
  • If you want to configure that Apache only supports the TLSv1.2 or TLSv1.3 protocol.

Prerequisites

  • You have enabled transport layer security (TLS) encryption on the server.
  • If the server runs Red Hat Enterprise Linux 10 (RHEL) and the Federal Information Processing Standards (FIPS) mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use Transport Layer Security (TLS) 1.3. TLS 1.2 connections without EMS fail. For details, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.

Procedure

  1. Edit the /etc/httpd/conf/httpd.conf file and add the following setting to the <VirtualHost> directive for which you want to allow only the TLSv1.3 protocol version:

    SSLProtocol -All TLSv1.3
  2. Restart the httpd service:

    # systemctl restart httpd

Verification

  1. Verify support for TLSv1.3:

    # openssl s_client -connect example.com:443 -tls1_3
  2. Verify support for TLSv1.2:

    # openssl s_client -connect example.com:443 -tls1_2

    If the server does not support the protocol, the command returns an error:

    140111600609088:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
  3. Optional: Repeat the command for other TLS protocol versions.
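Repeating the openssl s_client command by hand for each version is error-prone because a rejected protocol and a plain connection failure both end in an error. The script below runs the same probe for every protocol version and classifies the output: TLS alert 70 (protocol_version), the alert shown in the error above, means the server rejected that version, whereas a negotiated cipher means it accepted it. It is an added example, not part of the Red Hat documentation or the httpd project; it assumes the openssl command-line tool, and the function names (classify_s_client_output, probe_tls_version, tls_version_report) are the example's own.

```shell
#!/bin/sh
# Added example: probe which TLS protocol versions a server accepts, using
# openssl s_client as in the verification steps above. Not part of the
# Red Hat documentation or the httpd project. Assumes the openssl command.

# Error output taken from the verification step of the procedure, used here
# as a reference sample of a rejected protocol version.
SAMPLE_REJECTED='140111600609088:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
New, (NONE), Cipher is (NONE)'

# classify_s_client_output
# Reads s_client output from stdin and prints one word:
#   supported - a handshake completed and a cipher was negotiated
#   rejected  - the server answered with TLS alert 70 (protocol_version)
#   error     - anything else (connection refused, client-side policy, ...)
classify_s_client_output() {
    local out
    out=$(cat)
    case $out in
        *"alert protocol version"*|*"SSL alert number 70"*) echo rejected ;;
        *"Cipher is (NONE)"*) echo error ;;
        *"Cipher is "*) echo supported ;;
        *) echo error ;;
    esac
}

# probe_tls_version HOST PORT VERSION
# VERSION is an s_client option name: tls1, tls1_1, tls1_2 or tls1_3.
# -servername sends SNI so that the intended virtual host answers.
probe_tls_version() {
    openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null 2>&1 |
        classify_s_client_output
}

# tls_version_report HOST [PORT]
# Prints one line per protocol version. On a server that follows the DEFAULT
# crypto policy only tls1_2 and tls1_3 should read "supported".
tls_version_report() {
    local host=$1 port=${2:-443} v
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-7s %s\n' "$v" "$(probe_tls_version "$host" "$port" "$v")"
    done
}

# Usage: tls_version_report example.com
```

Read "error" for tls1 or tls1_1 with care: when the client's own crypto policy disables those versions, s_client fails before anything is sent, so "error" does not prove the server rejects them. Only "rejected" shows the server's decision, and only "supported" shows that the server still accepts a weak version.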

By default, the Apache HTTP Server uses the system-wide cryptographic policy that defines safe default values, which are also compatible with recent browsers. For the list of ciphers the system-wide cryptographic policy allows, see the /etc/crypto-policies/back-ends/openssl.config file.

You can manually configure ciphers that the Apache HTTP Server supports.

Prerequisites

  • You have enabled Transport Layer Security (TLS) encryption on the server.

Procedure

  1. Install the nmap package:

    # dnf install nmap
  2. Edit the /etc/httpd/conf/httpd.conf file and add the SSLCipherSuite parameter to the <VirtualHost> directive for which you want to set the TLS ciphers:

    SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!SHA1:!SHA256"

    This example enables only the EECDH+AESGCM, EDH+AESGCM, AES256+EECDH, and AES256+EDH ciphers and disables all ciphers that use the SHA1 and SHA256 message authentication code (MAC).

  3. Restart the httpd service:

    # systemctl restart httpd

Verification

  • Display the supported ciphers:

    # nmap --script ssl-enum-ciphers -p 443 example.com
    ...
    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
    |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
    ...
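An SSLCipherSuite string such as the one in the procedure is only as good as what it expands to on the installed OpenSSL, and the nmap listing above is long enough that a weak entry is easy to miss. The following helpers audit both sides: they expand a cipher string locally with openssl ciphers and list any ciphers that still use a separate MAC rather than an AEAD mode, and they parse nmap ssl-enum-ciphers output to print every cipher graded below A. This is an added example, not part of the Red Hat documentation, the httpd project or nmap; it assumes the openssl command and awk, and the embedded nmap listing is a constructed sample (one weak cipher added for illustration), not a capture from a real host.

```shell
#!/bin/sh
# Added example: audit the cipher configuration locally (openssl ciphers) and
# remotely (nmap ssl-enum-ciphers output). Not part of the Red Hat
# documentation, the httpd project or nmap. Assumes openssl and awk.

# expand_cipher_string SPEC
# Prints "NAME PROTOCOL KEYEXCHANGE MAC" for every cipher that SPEC selects on
# this host, in server preference order. TLS 1.3 suites are filtered out
# because an SSLCipherSuite value without a protocol prefix does not control
# them; the system-wide crypto policy does.
expand_cipher_string() {
    openssl ciphers -v "$1" | awk '$2 != "TLSv1.3" { print $1, $2, $3, $NF }'
}

# non_aead_ciphers SPEC
# Prints the ciphers from SPEC that still use a separate MAC (for example
# CBC mode with SHA-1 or SHA-384). An empty result means every cipher the
# string allows is an AEAD cipher such as AES-GCM or ChaCha20-Poly1305.
non_aead_ciphers() {
    expand_cipher_string "$1" | awk '$NF != "Mac=AEAD"'
}

# nmap_weak_ciphers
# Reads `nmap --script ssl-enum-ciphers` output from stdin and prints
# "PROTOCOL CIPHER GRADE" for every cipher that nmap graded below A.
nmap_weak_ciphers() {
    awk '
        /^[|] +(SSLv3|TLSv1\.[0-9]):$/ { proto = $2; sub(/:$/, "", proto) }
        /^[|] +TLS_[A-Z0-9_]+ .* - [A-F]$/ { if ($NF != "A") print proto, $2, $NF }
    '
}

# Constructed sample in the format of the listing above, with one weak cipher
# added for illustration; not a capture from a real host.
SAMPLE_NMAP_OUTPUT='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C'

# Usage:
# non_aead_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!SHA1:!SHA256"
# nmap --script ssl-enum-ciphers -p 443 example.com | nmap_weak_ciphers
# printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | nmap_weak_ciphers
```

Running non_aead_ciphers against the string from the procedure is worthwhile: the !SHA1 and !SHA256 exclusions remove those MACs, but the AES256+EECDH and AES256+EDH groups can still admit CBC ciphers with other MACs depending on the OpenSSL build, and the expansion shows exactly which ones the server would offer.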