A default Apache httpd installation ships with the two files below, which together control SSL/TLS:
1) httpd.conf
2) ssl.conf
Quick steps to enable SSL in the Apache web server.
Step 1.
Load mod_ssl.so at startup:
LoadModule ssl_module "path to mod_ssl.so"
#Default path = /etc/httpd/modules/mod_ssl.so
If mod_ssl.so is not present, install it with:
yum install mod_ssl
This places mod_ssl.so under /etc/httpd/modules/, the default module directory. On RHEL/CentOS the package also drops a LoadModule stanza into /etc/httpd/conf.modules.d/ and a ready-made ssl.conf into /etc/httpd/conf.d/.
Step 2.
The SSL directives can be placed in httpd.conf directly, but the usual practice is to keep them in ssl.conf and let httpd.conf pull that file in through an Include, for example:
Include conf.modules.d/*.conf
On RHEL/CentOS, conf.modules.d/ holds the module-loading snippets and ssl.conf lives in conf.d/, which the stock httpd.conf picks up with IncludeOptional conf.d/*.conf. Whichever layout you use, make sure ssl.conf sits in a directory covered by an Include, or Include it explicitly from httpd.conf; an ssl.conf that is never included silently leaves port 443 unconfigured.
Step 3.
Add the snippet below to ssl.conf:
Listen 443 https
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
##### The three directives below are optional; they are only needed for two-way (mutual) TLS #####
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLVerifyClient require
SSLVerifyDepth 10
###################################
</VirtualHost>
Use FREE SSL CERT to obtain a CA-signed certificate, with its private key and the leaf, intermediate and root certificates, at no cost, so you can exercise the SSL configuration in your environment with a realistic chain like the ones issued by commercial CAs (DigiCert, Entrust and so on).
Deep dive into the above parameters
SSLCertificateFile
This is the PEM-encoded certificate the Apache web server presents to clients for verification. It must correspond to the private key in SSLCertificateKeyFile, otherwise httpd refuses to start.
SSLCertificateKeyFile
This is the Apache web server's private key. Anyone who can read it can impersonate the server, so keep it owned by root and readable only by root (mode 0600); httpd reads it as root during startup before dropping privileges.
SSLCertificateChainFile
SSLCertificateChainFile points to a file containing the concatenation of PEM-encoded CA certificates that form the chain for the server certificate. Alternatively, the referenced file can be the same as SSLCertificateFile, with the CA certificates appended directly after the server certificate. Note that this directive is obsolete since httpd 2.4.8: from that version on, SSLCertificateFile itself loads any intermediate certificates appended to the server certificate, and that is the preferred way to ship the chain.
SSLCACertificateFile
Points to a single PEM-encoded file holding the concatenated certificates of the CAs trusted to issue client certificates; SSLCACertificatePath is the directory-based alternative. Client certificates are verified against this set, so only the CAs you actually want to accept belong in it, not a distribution-wide bundle.
SSLVerifyClient
Client certificate verification type. The types are none (no client certificate requested), optional (the client may present a certificate, and if it does it must verify), require (the client must present a certificate that verifies, or the handshake fails) and optional_no_ca (a certificate may be presented but need not verify successfully; this is for testing and debugging only and must not be used to make access-control decisions).
SSLVerifyDepth
The depth is the maximum number of intermediate certificate issuers, i.e. the maximum number of CA certificates that may be followed while verifying the client certificate. A depth of 0 means only self-signed client certificates are accepted; the default depth of 1 means the client certificate can be self-signed or must be signed by a CA directly known to the server (i.e. the CA's certificate is in SSLCACertificateFile or under SSLCACertificatePath). In the common case where a leaf certificate is signed by an intermediate CA, which in turn is signed by a root CA, SSLVerifyDepth has to be at least 2. The value 10 in the snippet above is a permissive upper bound; set it to the depth your real client chains need.
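As an added example that is not part of the original post, the Python script below applies the directive semantics from the deep dive to the ssl.conf snippet from Step 3: it parses the <VirtualHost> blocks and flags a vhost that has SSLEngine off, lacks a certificate or key, uses an invalid SSLVerifyClient value, or enables client authentication without a CA bundle or with an SSLVerifyDepth too shallow for a leaf/intermediate/root chain. It uses only the standard library and does not open the referenced files; both configurations it checks are constructed inline (GOOD_CONF is the post's snippet, BAD_CONF is a deliberately broken variant), and the finding codes are this example's own names, not httpd's.

```python
"""Added example: lint the SSL directives of an Apache ssl.conf-style file."""
import re
from typing import Dict, List, Tuple

VALID_VERIFY_CLIENT = {"none", "optional", "require", "optional_no_ca"}

# Constructed sample: the post's Step 3 snippet (two-way TLS configured correctly).
GOOD_CONF = """\
Listen 443 https
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
##### two-way TLS #####
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLVerifyClient require
SSLVerifyDepth 10
</VirtualHost>
"""

# Constructed sample: a broken variant (no key file, no CA bundle, depth 1).
BAD_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLVerifyClient require
SSLVerifyDepth 1
</VirtualHost>
"""


def parse_vhosts(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (address, {directive_lowercase: value}) for each <VirtualHost> block.

    httpd directive names are case-insensitive, and comments occupy whole lines
    (httpd does not allow inline comments), so only '#'-prefixed lines are dropped.
    Directives outside any VirtualHost (e.g. Listen) are ignored by this linter.
    """
    vhosts: List[Tuple[str, Dict[str, str]]] = []
    addr, directives = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+(.+?)\s*>$", line, re.IGNORECASE)
        if opened:
            addr, directives = opened.group(1), {}
            continue
        if re.match(r"</VirtualHost\s*>$", line, re.IGNORECASE):
            if directives is not None:
                vhosts.append((addr, directives))
            addr, directives = None, None
            continue
        if directives is not None:
            parts = re.split(r"\s+", line, maxsplit=1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return vhosts


def lint_vhost(d: Dict[str, str]) -> List[str]:
    """Return finding codes for one vhost; an empty list means all checks pass."""
    findings: List[str] = []
    if d.get("sslengine", "off").lower() != "on":
        return ["SSLENGINE_OFF"]            # no TLS on this vhost; nothing else applies
    if "sslcertificatefile" not in d:
        findings.append("NO_SERVER_CERT")
    if "sslcertificatekeyfile" not in d:
        findings.append("NO_SERVER_KEY")
    mode = d.get("sslverifyclient", "none").lower()
    if mode not in VALID_VERIFY_CLIENT:
        findings.append("BAD_VERIFY_CLIENT")  # httpd would reject this value at startup
        return findings
    if mode == "none":
        return findings                       # one-way TLS: client-cert checks do not apply
    if mode == "optional_no_ca":
        findings.append("VERIFY_NO_CA")       # certificate accepted unverified; testing only
    if "sslcacertificatefile" not in d and "sslcacertificatepath" not in d:
        findings.append("NO_CLIENT_CA")       # nothing to verify client certificates against
    depth = d.get("sslverifydepth", "1")      # httpd's default depth is 1
    if not depth.isdigit():
        findings.append("BAD_VERIFY_DEPTH")
    elif int(depth) < 2:
        # leaf -> intermediate -> root needs depth 2; depth 1 only works for
        # client certs issued directly by a CA in the bundle
        findings.append("DEPTH_BELOW_2")
    return findings


def lint_config(text: str) -> Dict[str, List[str]]:
    """Lint every <VirtualHost> in the given configuration text."""
    return {addr: lint_vhost(d) for addr, d in parse_vhosts(text)}


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, lint_config(conf))
```

Run it against a real file with lint_config(open("/etc/httpd/conf.d/ssl.conf").read()). The linter reads only the directives, so pair it with an openssl check that the certificate and key actually match and that your client chains verify at the configured depth before relying on the configuration.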
For a basic but detailed introduction to SSL/TLS, follow this link.