Create SSL Certificate on Apache for CentOS 7
In this article we will learn to create an SSL certificate on Apache for CentOS 7. As we all know, SSL is nowadays a very important security measure. SSL stands for Secure Sockets Layer, and it is used to add a security layer to your web application. Earlier, SSL was used mainly for domains such as financial, banking and e-commerce platforms, but nowadays it is becoming the norm to use SSL even for basic websites, for security reasons. Google also promotes websites that use SSL in its search results.
So here we bring you this article, Create SSL Certificate on Apache for CentOS 7. In this article we will create a self-signed SSL certificate.
Note: A self-signed certificate will encrypt the communication between your server and any clients. However, because it is not signed by any of the trusted certificate authorities included with web browsers, users cannot use the self-signed certificate to validate the identity of your server automatically.
So what should we have before we create the SSL certificate on Apache for CentOS 7?
Before you start to create the SSL certificate on Apache for CentOS 7, you must have access to a CentOS 7 server with root permissions. From the CentOS command line, you can switch to the superuser (root) with:
$ sudo su
Since in this article we are using Apache, Apache must obviously be installed on the CentOS server in order to create the virtual host. If it is not installed, you can install Apache with the yum command from the CentOS software repositories.
$ yum install httpd
After installing Apache on the CentOS server, it needs to be enabled as a CentOS service, so that the Apache service starts automatically after the server reboots. You can enable Apache with the command below.
$ systemctl enable httpd.service
Once all of the above steps are completed, you can continue to create the SSL certificate on Apache for CentOS 7.
Step 1: Install Mod SSL
mod_ssl is an Apache module which provides support for SSL encryption. To create the self-signed certificate, we need to install mod_ssl. We can install mod_ssl with the command below on the CentOS server.
$ yum install mod_ssl
mod_ssl will be enabled automatically during installation. You then need to restart the Apache service, after which Apache will be ready to use an SSL certificate. You can restart the Apache service with the command below.
$ systemctl restart httpd.service
Step 2: Create a New Certificate
Now that mod_ssl is installed, Apache is ready to use encryption, and we can go ahead and create the self-signed SSL certificate. The certificate holds some basic information about your website and is accompanied by a key file that allows the server to handle encrypted data securely. The /etc/ssl/certs directory already exists on the CentOS server to hold certificate files; we have to create a new directory to store our private keys.
$ mkdir /etc/ssl/private
The purpose of the private directory is to keep the key files strictly private, so we change its permissions to make sure only the root user has access.
$ chmod 700 /etc/ssl/private
Now that we have created the locations for our files, we can go ahead and create the SSL key and certificate files with openssl, using the command below.
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
req -x509: req selects X.509 certificate signing request (CSR) management, and -x509 tells it to output a self-signed certificate directly instead of a CSR. X.509 is the public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
-nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Apache to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening, since we would have to enter it after every restart.
-days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
-newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
-keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
-out: This tells OpenSSL where to place the certificate that we are creating.
Once you enter the above command at the server command prompt (we use putty for SSH connection), it will ask for basic information about your website. You should be very careful while entering these details. The most important one is the common name: you have to enter the domain name (without http and www, for example yourdomain.com) that will be associated with your server. You can also enter an IP address as the common name. The details will be prompted for like below.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) :State Name
Locality Name (eg, city) [Default City]:City Name
Organization Name (eg, company) [Default Company Ltd]:Your Company Inc
Organizational Unit Name (eg, section) :Organization Name
Common Name (eg, your name or your server’s hostname) :yourdomain.com
Email Address :email@example.com
After filling in all the details, the certificate file and the private key file will be created in the directories given above.
As technology advances day by day, security is becoming a big concern on the web. Since we are already using openssl, we will also create a strong Diffie-Hellman group, which is used when negotiating Perfect Forward Secrecy (https://en.wikipedia.org/wiki/Forward_secrecy) with clients.
We can do this with the command below.
$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
When this completes, it will have created a strong DH group at /etc/ssl/certs/dhparam.pem
Step 3: Set Up the Certificate
Now we have all the required files and keys to set up the self-signed SSL certificate. The next step is to configure the virtual host to serve the new SSL certificate. Open the SSL configuration file in an editor from the shell with the command below.
$ vi /etc/httpd/conf.d/ssl.conf
HTTPS requests are served on port 443, so in ssl.conf find the line that begins with <VirtualHost _default_:443>. Inside this block we will make the changes necessary to run the website with HTTPS. Uncomment the DocumentRoot line and change the path to the directory from which the application is served, such as /home/public_html or /var/www/html. Then uncomment the ServerName line and replace www.example.com with your domain name or server IP address, the same value you entered as the common name in the certificate.
<VirtualHost _default_:443>
. . .
DocumentRoot "/var/www/html"
Next, find the SSLProtocol and SSLCipherSuite lines and comment them out, so that mod_ssl falls back to its built-in defaults for these settings.
/etc/httpd/conf.d/ssl.conf
. . .
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
Finally, we need to point SSLCertificateFile and SSLCertificateKeyFile at our files.
Find the SSLCertificateFile and SSLCertificateKeyFile lines in ssl.conf and change the paths to where our certificate and private key were created (/etc/ssl/certs/apache-selfsigned.crt and /etc/ssl/private/apache-selfsigned.key).
That's all for the SSL certificate settings. You can save and close the file.
Step 4: Activate the Certificate
To activate all of these changes and start using SSL encryption, you need to restart the Apache server so that it reloads the SSL configuration and related modules.
Restart the Apache server using below command line:
$ systemctl restart httpd.service
That's it. In your web browser, try visiting your domain name or IP with https:// to see your new certificate in action.
The first time it loads in your browser, the browser will show a warning that the security certificate is not trusted. That is expected, because we created a self-signed certificate, so we can go ahead and add an exception to the browser's identity verification. Now you will be able to access your website using SSL.
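Steps 2 and 3 can be scripted and checked from the shell before the restart in Step 4. The script below is an added example, not part of the original article: it runs the same openssl req command non-interactively (the subject is passed with -subj, using constructed placeholder values for country, state, city and organisation), and then verifies that the SSLCertificateFile and SSLCertificateKeyFile paths in ssl.conf exist and that the key really belongs to the certificate, since a key/certificate mismatch is a common reason httpd refuses to start after the restart. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# placeholder subject fields (C, ST, L, O) are assumptions for illustration.

# make_selfsigned_cert DOMAIN KEYFILE CERTFILE [DAYS]
# Same openssl req invocation as Step 2, but with the subject given via
# -subj so that it can run from a provisioning script without prompts.
make_selfsigned_cert() {
    domain=$1; keyfile=$2; certfile=$3; days=${4:-365}
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/C=XX/ST=State/L=City/O=Example Org/CN=$domain" \
        -keyout "$keyfile" -out "$certfile" 2>/dev/null || return 1
    chmod 600 "$keyfile"   # the private key should be readable by root only
}

# cert_cn CERTFILE
# Prints the Common Name from the certificate subject; handles both the
# old "subject= /C=XX/.../CN=host" and the new "subject=C = XX, ..., CN = host"
# output formats of openssl x509.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_matches_cert KEYFILE CERTFILE
# Returns 0 only when the RSA modulus is identical in both files.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_ssl_conf CONFFILE
# Reads the active (uncommented) SSLCertificateFile and SSLCertificateKeyFile
# directives from an Apache ssl.conf and verifies that both files exist and
# belong together. Run this before "systemctl restart httpd.service".
check_ssl_conf() {
    certfile=$(sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]][[:space:]]*"\{0,1\}\([^" ]*\).*/\1/p' "$1" | head -n 1)
    keyfile=$(sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]][[:space:]]*"\{0,1\}\([^" ]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$certfile" ] && [ -f "$certfile" ] && [ -f "$keyfile" ] \
        && key_matches_cert "$keyfile" "$certfile"
}
```

A failing check_ssl_conf means ssl.conf points at a missing file or at a key that does not pair with the certificate; fix the paths before restarting httpd.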