SSL
SSL Certificate on Apache for CentOS 7
Step1: Install the mod_ssl module.
The first step is to install mod_ssl module with the yum command:
$ yum -y install mod_ssl
Step2: Enable the mod_ssl module.
If you have just installed mod_ssl, it may not be enabled yet. To verify whether mod_ssl is enabled, you need to execute:
$ apachectl -M | grep ssl
If you don’t see any output from this last command, then your mod_ssl is disabled. To enable the mod_ssl module, restart your httpd Apache web server and run the check again; it should then print:
ssl_module (shared)
Step3: Open TCP port 443 to allow incoming traffic with https protocol:
$ firewall-cmd --zone=public --permanent --add-service=https
success
$ firewall-cmd --reload
success
NOTE
You should now be able to reach your Apache web server over HTTPS. Navigate your browser to https://your-server-ip or https://your-server-hostname to confirm the mod_ssl configuration.
Step4: Generating the SSL certificate.
If you don’t already have a proper SSL certificate for your server, use the following command to make a new self-signed certificate.
For instance, let’s generate a new self-signed certificate for host rhel7 with 365 days until expiry:
$ openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 365 -out /etc/pki/tls/certs/httpd.crt
Generating a RSA private key
................+++++
..........+++++
writing new private key to '/etc/pki/tls/private/httpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:LinuxConfig.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:rhel7
Email Address []:
Once the above command has been successfully executed, these two SSL files will be created:
# ls -l /etc/pki/tls/private/httpd.key /etc/pki/tls/certs/httpd.crt
-rw-r--r--. 1 root root 1269 Jan 29 16:05 /etc/pki/tls/certs/httpd.crt
-rw-------. 1 root root 1704 Jan 29 16:05 /etc/pki/tls/private/httpd.key
Step5: Configure Apache web-server with new SSL certificates.
To insert your newly created SSL certificate in the Apache web-server configuration, go ahead and open the /etc/httpd/conf.d/ssl.conf file with administrative privileges and edit these lines:
FROM:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
TO:
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
Once set, you need to restart the httpd Apache web-server:
$ systemctl restart httpd
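The certificate and key configured above can be checked with a few openssl calls, for instance before each restart. This is an added example, not part of the original tutorial: the function names and the 30-day threshold are assumptions, and stat -c is the GNU form found on CentOS.

```shell
#!/bin/sh
# Added example: checks for the certificate/key pair named in ssl.conf.

# Succeeds when the certificate and the private key carry the same public key.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds when the key file grants nothing to group or others (600 or 400).
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Runs all three checks and reports each failure; returns non-zero on any.
check_pair() {
    rc=0
    cert_matches_key "$1" "$2"  || { echo "FAIL: key does not match certificate"; rc=1; }
    key_is_private "$2"         || { echo "FAIL: key is accessible to group/others"; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    return $rc
}

# Constructed sample: a throwaway pair made with the page's openssl command,
# with -subj added so that it runs without prompting.
make_demo_pair() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/httpd.key" -x509 -days 365 \
        -subj "/CN=rhel7" -out "$1/httpd.crt" 2>/dev/null
}

# Usage: sh check_pair.sh /etc/pki/tls/certs/httpd.crt /etc/pki/tls/private/httpd.key
if [ $# -eq 2 ]; then
    check_pair "$1" "$2" && echo "OK: pair is consistent"
fi
```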
Step6: Test your mod_ssl configuration
Test by navigating to the https://your-server-ip or https://your-server-hostname URL.
Step7: You can optionally redirect all HTTP traffic to HTTPS.
For this, you’ll need to create a new file /etc/httpd/conf.d/redirect_http.conf with the following content:
<VirtualHost _default_:80>
Servername rhel7
Redirect permanent / https://rhel7/
</VirtualHost>
Restart the httpd daemon to apply the changes:
$ systemctl restart httpd
The configuration above will redirect any traffic from http://rhel7 to https://rhel7 URL.
---------------------------------XXXX------------------------------------------
1- Copy/paste the Certificate files into your server.
Download your SSL Certificate files from your Provider, then copy them into the directory on your server where you will keep your certificate and key files. Make them readable by root only.
2. Install Mod SSL
To install mod_ssl you can check out our installation guide here.
3. Set Up the Certificate
Start by copying your certificate file into /etc/ssl/private
$ mkdir -p /etc/ssl/private
$ chmod 700 /etc/ssl/private
Next, set up the virtual host to serve the new certificate.
$ sudo vi /etc/httpd/conf.d/ssl.conf
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName www.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/private/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
</VirtualHost>
After these edits are completed, save and close the file.
Adjust the file names to match your certificate files:
“SSLCertificateFile” should be your certificate file (e.g., your_domain_name.crt).
“SSLCertificateKeyFile” should be the key file generated when you made the CSR.
4. Redirect to HTTPS
To redirect traffic so that it is SSL encrypted, open a file ending in .conf in the /etc/httpd/conf.d directory:
$ sudo vi /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
ServerName www.example.com
Redirect "/" "https://www.example.com/"
</VirtualHost>
Once completed, save and close the file.
5. Verify the config of your Apache before you restart.
$ apachectl configtest
Restart Apache.
$ systemctl restart httpd
------------------------XXXXX-------------------------
PositiveSSL Certificate, use the following command to combine the intermediate and root certificates:
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt
You can download the complete CA-Bundle files for our Certificates here.
Step 2: Locate Apache Configuration File
The location and the name of the Apache configuration file may differ depending on the server and OS version you’re using. The file may be called httpd.conf, apache2.conf or ssl.conf and may be located at /etc/httpd/, /etc/apache2/ or /etc/httpd/conf.d/ssl.conf.
The configuration file contains the Virtual Hosts for all domains that are hosted on the server.
Note: if you have Apache server installed on the Ubuntu operating system, each site has a separate configuration that can be found at /etc/apache2/sites-enabled/. To have your site accessible via secure and non-secure connection, you will need two separate configuration files: one for port 80 and the other for port 443.
Step 3: Configure Virtual Host Section
You’ll need to add or modify the virtual host for port 443 in the configuration file.
We recommend you backup the configuration file before making any changes to it. This way you can revert the changes if something goes wrong. Simply copy and save your current *.conf file as *.conf_backup:
cp default-ssl.conf default-ssl.conf_backup
Make sure that the Virtual Host has the following directives, with no # in front of them:
SSLEngine on
SSLCertificateFile pointed to the location of the Certificate issued for your domain name
SSLCertificateKeyFile pointed to the location of your Private Key on the server.
SSLCertificateChainFile pointed to the location of the CA-Bundle file.
The Virtual Host for 443 port should look the following way:
<VirtualHost [IP ADDRESS]:443>
ServerAdmin webmaster@ssl-tutorials.com
DocumentRoot var/www
ServerName www.ssl-tutorials.com
ErrorLog www/home/logs/error_log
SSLEngine on
SSLCertificateFile /etc/ssl/ssl-tutorials_com.crt
SSLCertificateKeyFile /etc/ssl/ssl-tutorials.key
SSLCertificateChainFile /etc/ssl/ssl-tutorials_com.ca-bundle
</VirtualHost>
Note: starting from Apache 2.4.8, the SSLCertificateChainFile directive became obsolete. Intermediate Certificates can now be added to the SSLCertificateFile.
Step 4: Enabling OCSP Stapling
OCSP Stapling improves performance by providing the clients with up-to-date status of your certificate.
If you want to enable OCSP Stapling for the website, please add the following directive to the Virtual Host:
SSLUseStapling on
Also specify the OCSP cache response location and size outside of the Virtual Host section, using SSLStaplingCache directive:
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Note: OCSP Stapling is only available in Apache HTTP Server 2.3.3 and higher.
Step 5: Save & Restart
The process varies depending on the exact Apache configuration that you have:
For Debian-based Apache, you can run this command to test if the new configuration of your Apache service has the proper syntax:
apachectl -t
If the syntax is OK, save your changes in the configuration file and restart Apache using these apachectl commands:
apachectl restart
apachectl stop
apachectl start
For RHEL-based distributions (CentOS, RedHat, etc.), you can check the syntax by running:
httpd -t
If it returns Syntax OK, you can proceed with the Apache restart:
sudo service httpd restart
This command shows whether the latest SSL configuration file was added to the settings (check the *:443 line in the output):
httpd -S
-------------------------------- ------XXXXX---------------------------------------------
Install an SSL Certificate on CentOS 8
Step 1: Ensure that mod_ssl is installed on your system
You can check this via the following command:
rpm -qa | grep mod_ssl
If it’s not, install it with
dnf install mod_ssl
Step 2: Create the chain of your SSL certificate
It must include the private key, as well as the root, intermediate and server certificates.
cat pub-key.pem ca-chain.pem > full-chain.pem
Place the PEM file with the SSL chain in the following directory on your Apache server: /etc/pki/tls/certs
Place the private key in the /etc/pki/tls/private/ folder.
Secure your private key by making it inaccessible to other users:
chmod -R 600 /etc/pki/tls/private/
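The cat command above joins only certificates, and the private key is stored separately under /etc/pki/tls/private/. The following added example (not part of the original guide) checks that the resulting full-chain.pem holds no key material and lists the server certificate first; the function names are assumptions, and the sample chain is constructed with throwaway keys.

```shell
#!/bin/sh
# Added example: sanity checks for a PEM bundle such as full-chain.pem.

# Succeeds when the file contains a private-key block (a bundle should not).
bundle_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Prints how many certificates the bundle holds.
bundle_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds when every certificate names the next one in the file as its
# issuer (server certificate first). Compares names only, not signatures.
bundle_in_order() {
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    i=1
    rc=0
    [ -f "$tmp/1.pem" ] || rc=1
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject_hash)
        [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# Constructed sample: a throwaway CA and server certificate, using the page's
# file names (pub-key.pem, ca-chain.pem, privkey.pem). Not real key material.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca-chain.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=yourdomain.com" \
        -keyout "$1/privkey.pem" -out "$1/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/req.pem" -CA "$1/ca-chain.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 30 -out "$1/pub-key.pem" 2>/dev/null
}

# Usage: sh check_bundle.sh /etc/pki/tls/certs/full-chain.pem
if [ $# -eq 1 ]; then
    bundle_has_private_key "$1" && echo "FAIL: private key found in $1"
    echo "certificates: $(bundle_cert_count "$1")"
    bundle_in_order "$1" || echo "FAIL: chain is out of order"
fi
```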
Step 3: Configure the Virtual Host block
In the configuration file for your domain (with .conf extension), insert the following block of code:
<VirtualHost *:443>
SSLEngine on
# The path to the complete chain of your SSL certificate
SSLCertificateFile /etc/pki/tls/certs/full-chain.pem
# The path to the private key
SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
# Per-directory settings for the content of your website
<Directory /var/www/yourdomain.com>
AllowOverride All
</Directory>
# The path to the content of your website
DocumentRoot /var/www/yourdomain.com
# Domain name of your website
ServerName yourdomain.com
ServerAlias yourdomain.com
</VirtualHost>
Replace yourdomain.com with your actual domain name.
If you don’t have a configuration file, create it via
nano /etc/httpd/conf.d/yourdomain.conf
and place it in the /etc/httpd/conf.d/ directory.
Add HTTPS redirects to your .conf file:
<VirtualHost *:80>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
Redirect "/" "https://yourdomain.com/"
</VirtualHost>
Step 4: Save the changes and close the file
Step 5: Restart Apache:
systemctl restart httpd
How to Install an SSL Certificate on CentOS 7 & 6
Step 1: Download the certificates
Download the primary and intermediate certificates that you’ve obtained from your SSL provider
Step 2: Copy your SSL files to your Apache server
Make sure the .key file that you created along the CSR generation is also present on your server
Step 3: Locate and edit the httpd.conf or ssl.conf file in the Apache configuration
Use the cp and nano commands:
# cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.BAK
# nano /etc/httpd/conf.d/ssl.conf
If one or more of these lines are commented out, remove the # character from the start of the line, and enter the absolute path according to your Apache version.
Apache versions older than the 2.4.8 release use the following directives and paths:
SSLCertificateFile – The path of your certificate file
SSLCertificateKeyFile – The path of your key file
SSLCertificateChainFile – The intermediate bundle path.
Apache version 2.4.8 and higher use the following directives and paths:
SSLCertificateFile – The path of your certificate file
SSLCertificateKeyFile – The path of your key file
SSLCertificatePath – The intermediate bundle path.
Here’s an example of your certificates’ absolute file path. You can copy-paste the code below, but make sure to specify the correct names of your files.
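SSLCertificateFile /etc/httpd/conf/ssl.crt/your_leaf_certificate.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/your_domain_name.key
# Intermediate bundle file (the directive for Apache older than 2.4.8, as shipped with CentOS 6 and 7)
SSLCertificateChainFile /etc/httpd/conf/ssl.chain/your_intermediate_chain.crt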
Note: Remember to change the permission of the certificate key file:
# chmod 400 /etc/httpd/conf/ssl.key/your_domain_name.key
Step 4: Restart the Apache
You are now ready to use the SSL certificate along with your Apache-SSL server.
------XXXXX-----
SSL Certificate on Apache for CentOS 7
Copy the Certificate files to your server.
Download your SSL Certificate file from your SSL Provider, then copy them to the directory on your server where you will keep your certificate and key files. Make them readable by root only.
2. Install Mod SSL
In order to set up the self-signed certificate, we first have to be sure that mod_ssl, an Apache module that provides support for SSL encryption, is installed on the server:
# yum -y install httpd mod_ssl
systemctl enable httpd.service
systemctl start httpd.service
3. Set Up the Certificate
First copy your certificate file in /etc/ssl/private
mkdir -p /etc/ssl/private
chmod 700 /etc/ssl/private
The next thing to do is to set up the virtual hosts to display the new certificate.
# vi /etc/httpd/conf.d/ssl.conf
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName www.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/private/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
</VirtualHost>
When you are finished making these changes, you can save and close the file.
Adjust the file names to match your certificate files:
SSLCertificateFile should be your certificate file (eg. your_domain_name.crt).
SSLCertificateKeyFile should be the key file generated when you created the CSR.
4. Redirect to HTTPS
To redirect all traffic to be SSL encrypted, create and open a file ending in .conf in the /etc/httpd/conf.d directory:
# vi /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
ServerName www.example.com
Redirect "/" "https://www.example.com/"
</VirtualHost>
Save and close this file when you are finished.
5. Test your Apache config before restarting.
apachectl configtest
Restart Apache.
systemctl restart httpd
--- ------XXXXX-----