SSL

SSL Certificate on Apache for CentOS 7

Step1: Install the mod_ssl module.

The first step is to install mod_ssl module with the yum command:

$ yum -y install mod_ssl

Step2: Enable the mod_ssl module.

If you have just installed mod_ssl, it may not be enabled yet. To verify whether mod_ssl is enabled, you need to execute:

$ apachectl -M | grep ssl

If this command prints nothing, mod_ssl is not loaded yet. To enable it, restart your httpd Apache web server; the same check should then print:

ssl_module (shared)

Step3: Open TCP port 443 to allow incoming traffic with https protocol:

$ firewall-cmd --zone=public --permanent --add-service=https

success

$ firewall-cmd --reload

success

NOTE

You should now be able to reach your Apache web server over HTTPS. Navigate your browser to https://your-server-ip or https://your-server-hostname to confirm the mod_ssl configuration.

Step4: Generating the SSL certificate.

If you don’t already have a proper SSL certificate for your server, use the following command to make a new self-signed certificate.

For instance, let’s generate a new self-signed certificate for host rhel7 with 365 days until expiry:

$ openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 365 -out /etc/pki/tls/certs/httpd.crt

Generating a RSA private key
................+++++
..........+++++
writing new private key to '/etc/pki/tls/private/httpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:LinuxConfig.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:rhel7
Email Address []:

Once the above command has been successfully executed, these two SSL files will be created:

# ls -l /etc/pki/tls/private/httpd.key /etc/pki/tls/certs/httpd.crt

-rw-r--r--. 1 root root 1269 Jan 29 16:05 /etc/pki/tls/certs/httpd.crt

-rw-------. 1 root root 1704 Jan 29 16:05 /etc/pki/tls/private/httpd.key

Step5: Configure Apache web-server with new SSL certificates.

To insert your newly created SSL certificate in the Apache web-server configuration, go ahead and open the /etc/httpd/conf.d/ssl.conf file with administrative privileges and edit these lines:

FROM:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

TO:

SSLCertificateFile /etc/pki/tls/certs/httpd.crt

SSLCertificateKeyFile /etc/pki/tls/private/httpd.key

Once set, you need to restart the httpd Apache web-server:

$ systemctl restart httpd

Step6: Test your mod_ssl configuration

Test by navigating to the https://your-server-ip or https://your-server-hostname URL.
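A pre-restart check for the files from Steps 4 and 5, as an added example that is not part of the original guide: it confirms that the key belongs to the certificate, that the certificate is not about to expire, and that the key carries no group or other permission bits. The function names and the -subj value are assumptions of this example, and stat -c assumes GNU coreutils.

```sh
# Public key as PEM, taken from a certificate and derived from a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_pair CERT KEY: prints one finding per problem; returns 0 only if all checks pass.
check_pair() {
  cert=$1; key=$2; rc=0
  c=$(cert_pubkey "$cert") && k=$(key_pubkey "$key") && [ "$c" = "$k" ] ||
    { echo "MISMATCH: $key is not the private key for $cert"; rc=1; }
  # -checkend N exits non-zero if the certificate expires within N seconds (30 days).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
    { echo "EXPIRY: $cert is unreadable or expires within 30 days"; rc=1; }
  # The key must be readable by its owner only.
  mode=$(stat -c %a "$key")
  case $mode in
    600|400) ;;
    *) echo "PERMS: $key has mode $mode, expected 600 or 400"; rc=1 ;;
  esac
  return "$rc"
}

# new_pair PREFIX DAYS: throwaway self-signed pair, built with the command from Step 4.
new_pair() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -x509 -days "$2" \
    -subj "/CN=rhel7" -out "$1.crt" 2>/dev/null && chmod 600 "$1.key"
}

# Constructed demo in a temporary directory; nothing under /etc/pki is touched.
tmp=$(mktemp -d)
new_pair "$tmp/httpd" 365 && check_pair "$tmp/httpd.crt" "$tmp/httpd.key" && echo "pair OK"
rm -rf "$tmp"
```

On the server, run check_pair against the two paths configured in ssl.conf before restarting httpd.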

Step7: You can optionally redirect all HTTP traffic to HTTPS.

For this, you’ll need to create a new file /etc/httpd/conf.d/redirect_http.conf with the following content:


<VirtualHost _default_:80>

         Servername rhel7

         Redirect permanent / https://rhel7/

</VirtualHost>


Restart the httpd daemon to apply the changes made

$ systemctl restart httpd

The configuration above will redirect any traffic from http://rhel7 to https://rhel7 URL.


---------------------------------XXXX------------------------------------------


1. Copy/paste the certificate files onto your server.

Download your SSL certificate files from your provider, then copy them into the directory on your server where you will keep your certificate and key files. Make them readable by root only.

2. Install Mod SSL

To install mod_ssl you can check out our installation guide here.

3. Set Up the Certificate

Start by copying your certificate file in /etc/ssl/private

$ mkdir -p /etc/ssl/private

$ chmod 700 /etc/ssl/private


Next is setting up the virtual hosts to showcase the new certificate.


$ sudo vi /etc/httpd/conf.d/ssl.conf

<VirtualHost *:443>

DocumentRoot /var/www/html

ServerName www.example.com

SSLEngine on

SSLCertificateFile /etc/ssl/private/certificate.crt

SSLCertificateKeyFile /etc/ssl/private/private.key

</VirtualHost>


After these edits are completed, save and close the file.

Adjust the file names in the block above to match your certificate files.

4. Redirect to HTTPS

To redirect traffic to HTTPS, open a file ending in .conf in the /etc/httpd/conf.d directory (the command below edits the main /etc/httpd/conf/httpd.conf instead):


$ sudo vi /etc/httpd/conf/httpd.conf

<VirtualHost *:80>

        ServerName www.example.com

        Redirect "/" "https://www.example.com/"

</VirtualHost>


Once completed, save and close the file.

5. Verify your Apache configuration before you restart.

$ apachectl configtest

Restart Apache.

$ systemctl restart httpd



                      ------------------------XXXXX-------------------------

For a PositiveSSL certificate, use the following command to combine the intermediate and root certificates:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt

You can download the complete CA-Bundle files for our Certificates here.

Step 2: Locate Apache Configuration File 

The location and the name of the Apache configuration file may differ depending on the server and OS version you’re using. The file may be called httpd.conf, apache2.conf or ssl.conf and may be located at /etc/httpd/, /etc/apache2/ or /etc/httpd/conf.d/ssl.conf.

The configuration file contains the Virtual Hosts for all domains that are hosted on the server.

Note: if you have Apache server installed on the Ubuntu operating system, each site has a separate configuration that can be found at /etc/apache2/sites-enabled/. To have your site accessible via secure and non-secure connection, you will need two separate configuration files: one for port 80 and the other for port 443.

Step 3: Configure Virtual Host Section

You’ll need to add or modify the virtual host for port 443 in the configuration file. 

We recommend you backup the configuration file before making any changes to it. This way you can revert the changes if something goes wrong. Simply copy and save your current *.conf file as *.conf_backup:

cp default-ssl.conf default-ssl.conf_backup

Make sure that the Virtual Host has the following directives, with no # in front of them:

The Virtual Host for port 443 should look like this:

<VirtualHost [IP ADDRESS]:443>
ServerAdmin webmaster@ssl-tutorials.com
DocumentRoot /var/www
ServerName www.ssl-tutorials.com
ErrorLog www/home/logs/error_log
SSLEngine on
SSLCertificateFile /etc/ssl/ssl-tutorials_com.crt
SSLCertificateKeyFile /etc/ssl/ssl-tutorials.key
SSLCertificateChainFile /etc/ssl/ssl-tutorials_com.ca-bundle
</VirtualHost>

Note: starting from Apache 2.4.8, the SSLCertificateChainFile directive became obsolete. Intermediate Certificates can now be added to the SSLCertificateFile.

Step 4: Enabling OCSP Stapling

OCSP Stapling improves performance by providing the clients with up-to-date status of your certificate.

If you want to enable OCSP Stapling for the website, please add the following directive to the Virtual Host:

SSLUseStapling on

Also specify the OCSP cache response location and size outside of the Virtual Host section, using SSLStaplingCache directive:

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Note: OCSP Stapling is only available in Apache HTTP Server 2.3.3 and higher.
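A lint for the two notes above (SSLCertificateChainFile obsolete from 2.4.8, and SSLStaplingCache belonging outside the Virtual Host), as an added example that is not part of the original guide. The before/after configurations and their example.* file names are constructed, and the function names are this example's own.

```sh
# lint_tls_conf FILE: print one finding per line; no output means no findings.
lint_tls_conf() {
  awk '
    { sub(/^[ \t]+/, ""); d = tolower($1) }   # directive names are case-insensitive
    /^#/ || NF == 0 { next }
    d == "<virtualhost" { vh = 1; tls = ($0 ~ /:443>/); eng = crt = key = 0; at = NR; next }
    d == "</virtualhost>" {
      if (tls && !eng) print "line " at ": :443 vhost without SSLEngine on"
      if (tls && !(crt && key)) print "line " at ": :443 vhost lacks certificate or key path"
      vh = 0; next
    }
    d == "sslengine" && tolower($2) == "on" { eng = 1 }
    d == "sslcertificatefile"    { crt = 1 }
    d == "sslcertificatekeyfile" { key = 1 }
    d == "sslcertificatechainfile" { print "line " NR ": SSLCertificateChainFile is obsolete since 2.4.8" }
    d == "sslusestapling" && tolower($2) == "on" { staple = NR }
    d == "sslstaplingcache" { if (vh) { print "line " NR ": SSLStaplingCache inside <VirtualHost>" } else { cache = 1 } }
    END { if (staple && !cache) print "line " staple ": SSLUseStapling on without server-level SSLStaplingCache" }
  ' "$1"
}

# write_samples DIR: constructed before/after configurations (file names are placeholders).
write_samples() {
  cat > "$1/before.conf" <<'EOF'
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/example.crt
SSLCertificateKeyFile /etc/ssl/example.key
SSLCertificateChainFile /etc/ssl/example.ca-bundle
SSLUseStapling on
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
</VirtualHost>
EOF
  cat > "$1/after.conf" <<'EOF'
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/example-fullchain.crt
SSLCertificateKeyFile /etc/ssl/example.key
SSLUseStapling on
</VirtualHost>
EOF
}

tmp=$(mktemp -d); write_samples "$tmp"
lint_tls_conf "$tmp/before.conf"   # reports the chain file and the misplaced cache
lint_tls_conf "$tmp/after.conf"    # prints nothing
rm -rf "$tmp"
```

In after.conf the intermediates are assumed to have been appended to the file named by SSLCertificateFile, as the 2.4.8 note describes.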

Step 5: Save & Restart

The process varies depending on the exact Apache configuration that you have:

apachectl -t

If the syntax is OK, save your changes in the configuration file and restart Apache using these apachectl commands:

apachectl restart

apachectl stop

apachectl start

httpd -t

If it returns Syntax OK, you can proceed with the Apache restart:

sudo service httpd restart

And this command can be used to see whether the latest SSL configuration file was added to the settings (check the *:443 line in the output):

httpd -S




 --------------------------------  ------XXXXX---------------------------------------------



Install an SSL Certificate on CentOS 8

Step 1: Ensure that mod_ssl is installed on your system

You can check this via the following command:

rpm -qa | grep mod_ssl

If it’s not, install it with

dnf install mod_ssl

Step 2: Create the chain of your SSL certificate

It must include the private key, as well as the root, intermediate and server certificates.

cat pub-key.pem ca-chain.pem > full-chain.pem

Place the PEM file with the SSL chain in the following directory on your Apache server: /etc/pki/tls/certs

Place the private key in the /etc/pki/tls/private/ folder.

Secure your private key by making it inaccessible to other users:

chmod -R 600 /etc/pki/tls/private/

Step 3: Configure the Virtual Host block

In the configuration file for your domain (with .conf extension), insert the following block of code:


<VirtualHost *:443>
SSLEngine on
# The path to the complete chain of your SSL certificate
SSLCertificateFile /etc/pki/tls/certs/full-chain.pem
# The path to the private key
SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
# The path to the content of your website.
<Directory /var/www/yourdomain.com>
AllowOverride All
</Directory>
# The path to the content of your website
DocumentRoot /var/www/yourdomain.com
# Domain name of your website
ServerName yourdomain.com
ServerAlias yourdomain.com
</VirtualHost>

Replace yourdomain.com with your actual domain name.

If you don’t have a configuration file, create it via

nano /etc/httpd/conf.d/yourdomain.conf

and place it in the /etc/httpd/conf.d/ directory.

Add HTTPS redirects to your .conf file:


<VirtualHost *:80>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
Redirect "/" "https://yourdomain.com/"
</VirtualHost>

Step 4: Save the changes and close the file

Step 5: Restart Apache:

systemctl restart httpd

How to Install an SSL Certificate on CentOS 7 & 6

Step 1: Download the certificates

Download the primary and intermediate certificates that you’ve obtained from your SSL provider

Step 2: Copy your SSL files to your Apache server

Make sure the .key file that you created during the CSR generation is also present on your server.

Step 3: Locate and edit the httpd.conf or ssl.conf file in the Apache configuration

Use the cp and nano commands:

# cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.BAK

# nano /etc/httpd/conf.d/ssl.conf

If one or more of the certificate lines are commented out, remove the # character from the start of the line, and enter the absolute path according to your Apache version.

Apache versions older than the 2.4.8 release use the following directives and paths:

Apache version 2.4.8 and higher use the following directives and paths:

Here’s an example of your certificates’ absolute file path. You can copy-paste the code below, but make sure to specify the correct names of your files.

SSLCertificateFile /etc/httpd/conf/ssl.crt/your_leaf_certificate.crt

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/your_domain_name.key

SSLCACertificatePath /etc/httpd/conf/ssl.chain/your_intermediate_chain.crt

Note: Remember to change the permission of the certificate key file:

# chmod 400 /etc/httpd/conf/ssl.key/your_domain_name.key

Step 4: Restart the Apache



You are now ready to use the SSL certificate along with your Apache-SSL server.





                       ------XXXXX-----

SSL Certificate on Apache for CentOS 7

Download your SSL certificate files from your SSL provider, then copy them to the directory on your server where you will keep your certificate and key files. Make them readable by root only.

2. Install Mod SSL

In order to set up the self-signed certificate, we first have to be sure that mod_ssl, an Apache module that provides support for SSL encryption, is installed on the server:

# yum -y install httpd mod_ssl


systemctl enable httpd.service

systemctl start httpd.service

3. Set Up the Certificate

First copy your certificate file in /etc/ssl/private


mkdir -p /etc/ssl/private

chmod 700  /etc/ssl/private

The next thing to do is to set up the virtual hosts to display the new certificate.

# vi /etc/httpd/conf.d/ssl.conf


<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName www.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/private/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
</VirtualHost>

When you are finished making these changes, you can save and close the file.

Adjust the file names in the block above to match your certificate files.

4. Redirect to HTTPS

To redirect all traffic to HTTPS, create and open a file ending in .conf in the /etc/httpd/conf.d directory (the command below edits the main /etc/httpd/conf/httpd.conf instead):

#   vi /etc/httpd/conf/httpd.conf


<VirtualHost *:80>

       ServerName www.example.com

       Redirect "/" "https://www.example.com/"

</VirtualHost>

Save and close this file when you are finished.

5. Test your Apache config before restarting.

apachectl configtest

Restart Apache.

systemctl restart httpd








