How to Install SSL Certificate On Centos 7
Publisher: Psychz Networks, February 17,2019You will need access to a CentOS 7 server and If you haven't configured it yet, you can run through the CentOS 7 initial server setup guide. You will also need to have Apache installed in order to configure virtual hosts for it. You can follow the LAMP installation tutorial which will help you with the prerequisites https://www.psychz.net/client/kb/en/installation-of-lamp-stack-on-centos-7.html
In the following tutorial, we will see how to secure Apache Web server in Centos-7 through SSL. We are going to create our own certificate and learn how to configure it. If you want to host a public site with SSL support, then you need to purchase an SSL certificate from a trusted certificate authority.
A Self-signed Certificate is basically signed by the creator of the certificate. It can be used for testing local servers and development environment. Although self-signed certificates provide the same level of security between website and browser, most web browsers will always display a security alert message that the website certificate is self-signed and cannot be trusted, as it is not signed by the certificate authority.
Commercial Certificates are authorised certificate issued by a trusted certificate authority which are highly recommended to be used in a production environment.
In order to set up the self-signed certificate, you will need to install mod_ssl Apache module in your system.
Step 1: Install Mod SSL
mod_ssl is an Apache module that provides support for SSL encryption. It is required to setup self-signed certificate.
# yum install mod_ssl
Once this is done, Apache will be able to start using an SSL certificate after it is restarted.
Step 2: Create a Self-signed Certificate
Now that Apache is ready to use encryption, we can move on to generating a new SSL certificate. While creating the certificate, it will require some basic information about your site, and will be accompanied by a key file that allows the server to securely handle encrypted data.
First, we will create a directory to store our private key (The certificate file is stored in the /etc/ssl/certs directory)
# mkdir /etc/ssl/private
Let us make this directory "private" only accessible to root user for security purposes
# chmod 700 /etc/ssl/private
Let us now create the Certificate along with SSL key. This can be done with "openssl" along with additional
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
- openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
- req -x509: The "X.509" is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
- nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Apache to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening, since we would have to enter it after every restart.
- days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
- newkey rsa:2048: The rsa:2048 portion tells it to make an RSA key that is 2048 bits long. "newkey" specifies that we want to generate a new certificate and a new key at the same time.
- keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
- out: This tells OpenSSL where to place the certificate that we are creating.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []: John Doe
Locality Name (eg, city) [Default City]: Los Angeles
Organization Name (eg, company) [Default Company Ltd]: Psychz Networks
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []: Demo_server
Email Address []: john.doe@psychz.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Both of the files you created will be placed in the appropriate subdirectories of the /etc/ssl directory.
Step 3: Configure Apache to use the SSL Certificate
Now, all the certificates are ready. The next thing to do is to set up Apache to display the new certificates.
You can do this by editing the SSL config file:
# vi /etc/httpd/conf.d/ssl.conf
Find the section that begins with . Uncomment the DocumentRoot and ServerName line and replace example.com with your server's IP address or domain name.
DocumentRoot "/var/www/html"
ServerName www.demo_server.com:443SSLEngine on
Next, find the SSLCertificateFile and SSLCertificateKeyFile lines and update them with the new location of the certificates.
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.crt.key
After making these changes, restart Apache service for the changes to take effect.
# systemctl restart httpd
Step 4: Test Apache (HTTPS) Server
To verify that the secure Apache HTTPS web server is working, open your web browser and type the URL https://demo_server-ip-address. An error should appear on your browser, and you must manually accept the certificate. The error message shows up because we are using a self-signed certificate instead of certificate signed by a certificate authority that the browser trusts, and the browser is unable to verify the identity of the server that you are trying to connect to. Once you add an exception to the browser's identity verification, you should see a test page for your newly secure site.