Installing a Self-Signed SSL on Apache with CentOS 7
We've created a step-by-step process to help you get your SSL running. If you prefer to read this version on our blog, here is the link.
Prerequisites
In order to install a self-signed SSL certificate on Apache, you must install Apache first by typing out the following command:
#yum install httpd
Then to enable Apache after every reboot, run the following command:
#systemctl enable httpd.service
Installing mod SSL
mod_ssl is the Apache module that provides TLS support; without it, Apache cannot serve HTTPS at all, whether with a self-signed or a commercial certificate. Install it with:
#yum install mod_ssl
Creating a new SSL Certificate
Once Apache is ready to support the new SSL, it is time to generate a new certificate. Before we generate it, we will have to make a new directory. Note that /etc/ssl/certs is already available for us to hold the certificate file. So, let’s go ahead and make a new directory:
#mkdir /etc/ssl/private
Since we want this directory to be private with only root access, we must change the permissions:
#chmod 700 /etc/ssl/private
To generate a private key in the new directory and a matching self-signed certificate in /etc/ssl/certs, enter the following as one continuous line (the -nodes option leaves the key unencrypted so Apache can start without a passphrase, which is why the directory permissions above matter):
#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
This will prompt you to enter your information such as country, province/state, common name, email, etc.
Note: “Common Name” will be important. You need to enter either your hostname/domain or IP if you have not registered a domain name.
After you have generated the certificate, run the following to create your own 2048-bit Diffie-Hellman parameters for the key exchange, which strengthens the encryption further. This may take a moment to complete:
#openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Append the DH parameters to the end of apache-selfsigned.crt so that Apache picks them up along with the certificate:
#cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/apache-selfsigned.crt
To double check, view apache-selfsigned.crt. You should see two PEM blocks: the CERTIFICATE block followed by the DH PARAMETERS block:
#cat /etc/ssl/certs/apache-selfsigned.crt
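As an added example that is not part of the original guide, the script below runs the key, certificate and DH-parameter steps above without the interactive prompts and then checks the outcome the way the "double check" step intends: the bundle must hold exactly one CERTIFICATE and one DH PARAMETERS block, the private directory must be mode 700, and the key must not be world-readable. KEY_DIR, CERT_DIR, SUBJ and the function names are this example's own assumptions, and the subject fields are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide: run the key/certificate/DH steps
# non-interactively and verify the outcome. KEY_DIR, CERT_DIR, SUBJ and the
# function names are this example's own assumptions; the subject is a placeholder.
set -eu

KEY_DIR=${KEY_DIR:-/etc/ssl/private}
CERT_DIR=${CERT_DIR:-/etc/ssl/certs}
# CN must be the hostname or IP that clients will type into the browser.
SUBJ=${SUBJ:-"/C=US/ST=State/L=City/O=Example Org/CN=www.example.com"}

# make_cert: the guide's openssl commands, with -subj replacing the prompts.
# -nodes leaves the key unencrypted so httpd can start without a passphrase,
# which is why the directory and key file permissions matter.
make_cert() {
  mkdir -p "$KEY_DIR"
  chmod 700 "$KEY_DIR"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "$SUBJ" \
    -keyout "$KEY_DIR/apache-selfsigned.key" \
    -out "$CERT_DIR/apache-selfsigned.crt"
  chmod 600 "$KEY_DIR/apache-selfsigned.key"
  openssl dhparam -out "$CERT_DIR/dhparam.pem" 2048
  # Apache 2.4.6 (CentOS 7) takes custom DH parameters from the certificate file.
  cat "$CERT_DIR/dhparam.pem" >> "$CERT_DIR/apache-selfsigned.crt"
}

# count_blocks FILE TYPE: how many "-----BEGIN TYPE-----" lines FILE contains.
count_blocks() {
  [ -r "$1" ] || { echo 0; return; }
  grep -c "^-----BEGIN $2-----\$" "$1" || true
}

# check_bundle FILE: the guide's "double check" made strict: exactly one
# certificate block and exactly one DH PARAMETERS block.
check_bundle() {
  [ "$(count_blocks "$1" CERTIFICATE)" -eq 1 ] &&
  [ "$(count_blocks "$1" 'DH PARAMETERS')" -eq 1 ]
}

# check_private DIR KEY: DIR must be exactly mode 0700 and KEY must carry no
# read bit for "other" (a world-readable private key defeats the purpose).
check_private() {
  [ -n "$(find "$1" -maxdepth 0 -perm 0700 -print)" ] &&
  [ -z "$(find "$2" -maxdepth 0 -perm -004 -print)" ]
}

# Run as "sh selfsigned.sh generate" (as root) to create and verify everything.
if [ "${1:-}" = generate ]; then
  make_cert
  check_bundle "$CERT_DIR/apache-selfsigned.crt" || { echo "bundle is incomplete"; exit 1; }
  check_private "$KEY_DIR" "$KEY_DIR/apache-selfsigned.key" || { echo "key permissions too open"; exit 1; }
  echo "certificate, DH parameters and key permissions look correct"
fi
```

The check functions only read files, so they can also be run later (for example after a certificate renewal) to confirm that the DH parameters were appended again and that nothing loosened the key permissions.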
Setting up the SSL
Open Apache’s config file using any text editor you wish. Here we are using vi:
#vi /etc/httpd/conf.d/ssl.conf
Find the line where it says <VirtualHost _default_:443> and uncomment the two lines shown below:
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName www.example.com:443
Note: place your own document root directory here. If you do not have a document root set up, by default, it will be /var/www/html. As for server name, if you do not yet have a domain, you can type out your server’s IP here with the HTTPS port (443) at the end.
Next, find the two lines below and comment them out in the same file:
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
After that, point the two directives below at the certificate and key files we created earlier:
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
Note: if you have a line that has “SSLSessionTickets Off”, be sure to comment this out as CentOS 7 does not support this.
After that, paste the following after the closing </VirtualHost> tag, which is most likely at the end of the config file:
</VirtualHost>
#
# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the “preload” directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off
Once this is done, save and exit the file.
Redirecting HTTP to HTTPS
Redirecting HTTP to HTTPS is recommended and more secure, but it is not required and entirely up to you. If you do not redirect, your server will answer over both HTTP and HTTPS. If you would like to redirect, do the following:
Create a non-ssl config file:
#vi /etc/httpd/conf.d/non-ssl.conf
Enter the following in order to have your HTTP site redirect to HTTPS:
<VirtualHost *:80>
ServerName www.example.com
Redirect "/" "https://www.example.com/"
</VirtualHost>
Save and exit the file once this is completed.
Activating your SSL Certificate
To be diligent and check for any errors in our config files, run the following to test if all syntax is okay.
#apachectl configtest
Once the test reports "Syntax OK", restart Apache to apply the changes that we have made:
#systemctl restart httpd.service
Lastly, open ports 80 and 443 in iptables by adding these two rules:
#iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Note: rules added this way are lost on reboot unless you save them (for example with the iptables-services package), and a CentOS 7 system that uses the default firewalld should open the http and https services with firewall-cmd instead.
To test your server, open your browser and enter the IP/domain. It should redirect to HTTPS and show a certificate warning page. Once you click Advanced and proceed, the site loads, although the address bar still marks the connection as untrusted. This is normal, as it is a self-signed certificate and not a browser-trusted certificate such as the commercial SSL certificates we offer.
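As an added example that is not part of the original guide, the script below performs the same test from the command line: it fetches only the response headers with curl (-k accepts the self-signed certificate), confirms that the HTTP site answers with a redirect to an https:// URL, and confirms that the HTTPS site sends the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options headers configured in ssl.conf above. HOST and the function names are assumptions of this example; the check functions take header text as an argument so they can also be run on a saved response.

```shell
#!/bin/sh
# Added example, not from the original guide: client-side verification of the
# redirect and of the security headers. HOST and the function names are
# assumptions of this example; fetch_headers assumes curl is installed.
set -eu
HOST=${HOST:-www.example.com}

# fetch_headers URL: response headers only (-I sends HEAD, -s silences
# progress, -k accepts the self-signed certificate for this check).
fetch_headers() { curl -ksI "$1"; }

# header_value HEADERS NAME: value of header NAME (case-insensitive match,
# CR stripped), or an empty string when the header is absent.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v n="$2" '
    tolower($1) == tolower(n ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_redirect HEADERS: the plain-HTTP response must be a redirect status
# whose Location points at an https:// URL.
check_redirect() {
  status=$(printf '%s\n' "$1" | tr -d '\r' | head -n 1 | awk '{print $2}')
  loc=$(header_value "$1" Location)
  case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$loc" in https://*) return 0 ;; *) return 1 ;; esac
}

# check_security_headers HEADERS: the HTTPS response must carry the three
# headers set in ssl.conf, with a numeric max-age on HSTS.
check_security_headers() {
  hsts=$(header_value "$1" Strict-Transport-Security)
  case "$hsts" in *max-age=[0-9]*) ;; *) return 1 ;; esac
  [ "$(header_value "$1" X-Frame-Options)" = "DENY" ] || return 1
  [ "$(header_value "$1" X-Content-Type-Options)" = "nosniff" ] || return 1
}

# Run as "HOST=your.host sh check-tls.sh live" against the running server.
if [ "${1:-}" = live ]; then
  check_redirect "$(fetch_headers "http://$HOST/")" || { echo "HTTP does not redirect to HTTPS"; exit 1; }
  check_security_headers "$(fetch_headers "https://$HOST/")" || { echo "security headers missing"; exit 1; }
  echo "OK: $HOST redirects to HTTPS and sends the expected headers"
fi
```

Because the browser suppresses the certificate warning only after you click through it, this check is a handy way to confirm the redirect and headers without touching the browser's exception list; it does not validate the certificate itself, which a self-signed certificate cannot pass anyway.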
After completing all of the required steps, you’re good to go!
Having trouble? Contact us and our team will be happy to help.