How to work with the module

The following steps describe how to work with the module:

  1. Before starting the module, make sure the virtual host is listening on port 80 by typing your domain name in the browser.

  2. After installing mod_md, add the configuration files to /etc/apache2/sites-enabled.

  3. Execute the following command for the configuration to take effect:

    systemctl reload apache2
    • Once the Apache service is reloaded, the module performs the following:

      • Reads every configuration file from the /etc/apache2/sites-enabled directory.

      • Checks whether the /etc/apache2/md/staging/<domain name>/pubcert.pem file is already present:

        • If yes, checks whether the certificate is nearing expiry.

          • If the certificate is nearing expiry, it will be renewed by contacting the Sectigo ACME server.

          • If not, then no changes will be applied to the certificate.

      • If the /etc/apache2/md/staging/<domain name>/pubcert.pem file is not present, then the module performs the following actions:

        • Connects to the Sectigo ACME server using the EAB values

        • Registers the ACME account with the Sectigo ACME server

        • Generates a new key pair (private and public)

        • Generates a certificate signing request (CSR) using the public key

        • Connects to the Sectigo ACME server using the authenticated token created during the account registration

        • Submits the CSR to request a new certificate

        • Uploads the CA chain and new server certificate to the /etc/apache2/md/staging/<domain name> directory

        • Names the certificate:

          • pubcert.pem for RSA keys. The pubcert.pem file contains the entire CA chain, including the server certificate.

          • pubcert.secp256r1.pem for ECDSA keys

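  4. Run the following command from the directory that contains pubcert.pem to read the certificate content. After the second reload (step 6) the file is under /etc/apache2/md/domains/<domain name>; until then it is in /etc/apache2/md/staging/<domain name>.

    openssl x509 -in pubcert.pem -noout -text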
  5. To enable SSL on the virtual hosts, the paths of the server certificate and key must be provided to the SSL module. This happens only after the second reload of the Apache service.

  6. Execute the following command a second time for the SSL configuration to take effect.

    systemctl reload apache2
    A second reload of the service is mandatory for new configurations. The first reload activates your configuration changes. The second reload, performed once the certificate has been obtained, activates the certificate. This is not required for renewal.
    • The key and certificate from /etc/apache2/md/staging/<domain name> will be moved to /etc/apache2/md/domains/<domain name>.

    • SSL will be enabled on the virtual hosts using the configuration provided in the <domain>.conf file.

  7. Open your browser and access https://<domainname> to confirm that the website is served over HTTPS using a Sectigo CA-issued certificate.

  8. Log in to the SCM portal using administrator credentials (issued to your organization) and check the status and details of the issued certificates:

    • Private Certificates: Status is Issued

    • Public Certificates: Status is External

  9. Select the certificate and click View to see the details of the certificate in SCM.

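The staging-to-domains lifecycle in steps 3 to 6 can be checked from the shell before deciding whether the second reload is still pending. This is an added example, not Sectigo's or mod_md's own tooling: the function name md_cert_state, the MD_ROOT override and the 30-day RENEW_WINDOW_DAYS threshold are assumptions, and only the RSA pubcert.pem file is examined.

```shell
#!/bin/sh
# Added example: report where a managed domain's certificate is in the
# staging -> domains lifecycle described in steps 3 to 6.
# MD_ROOT matches the page's /etc/apache2/md; override it for testing.
MD_ROOT="${MD_ROOT:-/etc/apache2/md}"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"   # assumed threshold, not mod_md's own setting

# md_cert_state DOMAIN prints one of:
#   absent    no certificate yet (issuance after the first reload not finished)
#   staged    certificate obtained, waiting for the second reload
#   active    certificate in domains/ and not close to expiry
#   expiring  certificate in domains/ expires within RENEW_WINDOW_DAYS
#   invalid   bad domain argument, or the file is not a parseable certificate
md_cert_state() {
    domain="$1"
    # Reject anything that could escape MD_ROOT (path separators, "..").
    case "$domain" in
        ""|*/*|*..*) echo "invalid"; return 2 ;;
    esac
    live="$MD_ROOT/domains/$domain/pubcert.pem"
    staged="$MD_ROOT/staging/$domain/pubcert.pem"

    if [ ! -f "$live" ]; then
        if [ -f "$staged" ]; then echo "staged"; else echo "absent"; fi
        return 0
    fi
    # Parse first so a corrupt file is not mistaken for an expiring one.
    if ! openssl x509 -in "$live" -noout >/dev/null 2>&1; then
        echo "invalid"; return 1
    fi
    # -checkend exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$live" -noout \
        -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null 2>&1; then
        echo "active"
    else
        echo "expiring"
    fi
}

# Example call (constructed domain name): md_cert_state example.test
```

A result of "staged" means the certificate was issued but step 6 has not been run yet.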