Installing a Self-Signed SSL on Apache with CentOS 7

We've created a step-by-step process to help you get your SSL certificate running on Apache.

Prerequisites

In order to install a self-signed SSL certificate on Apache, you must install Apache first by typing out the following command:

#yum install httpd

Then to enable Apache after every reboot, run the following command:

#systemctl enable httpd.service

Installing mod_ssl

mod_ssl is the Apache module that provides TLS support; without it Apache cannot use a certificate at all, self-signed or otherwise. Install it by entering the following:

#yum install mod_ssl

Creating a new SSL Certificate

Once mod_ssl is installed, it is time to generate a new certificate. Before we generate it, we need a directory for the private key. The certificate itself can go in /etc/ssl/certs, which already exists, but the key should get its own directory:

#mkdir /etc/ssl/private

Since we want this directory to be private with only root access, we must change the permissions:

#chmod 700 /etc/ssl/private

To generate the private key in the new directory and the self-signed certificate in /etc/ssl/certs, enter the following as one continuous line:

#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

This will prompt you to enter your information such as country, province/state, common name, email, etc.

Note: the “Common Name” matters. Enter your hostname/domain, or the server's IP address if you have not registered a domain name.

After you have generated the certificate, run the following to create a strong 2048-bit Diffie-Hellman parameter set for the DHE key exchange. This may take a moment to complete:

#openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Append the DH parameters to apache-selfsigned.crt so that Apache picks them up from the certificate file:

#cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/apache-selfsigned.crt

To double check, view apache-selfsigned.crt. You should see two PEM blocks: the certificate and the DH parameters:

#cat /etc/ssl/certs/apache-selfsigned.crt

Setting up the SSL

Open Apache’s config file using any text editor you wish. Here we are using vi:

#vi /etc/httpd/conf.d/ssl.conf

Find the line where it says <VirtualHost _default_:443> and uncomment the two directives below it, so that they read as follows:

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName www.example.com:443

Note: use your own document root directory here. If you have not set one up, the default is /var/www/html. As for ServerName, if you do not yet have a domain, you can use your server's IP address followed by the HTTPS port (443).

Next, find the following two lines in the same file and comment them out by prefixing them with #, as shown:

#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

Next, point the certificate directives at the two files we created earlier:

SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

Note: if you have a line that has “SSLSessionTickets Off”, be sure to comment this out as CentOS 7 does not support this.

Then paste the following after the closing </VirtualHost> tag, which is most likely at the end of the config file:

</VirtualHost>
#
# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off

Once this is done, save and exit the file.
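As an added example (not part of the original guide), here is a small Python audit that checks whether an ssl.conf actually carries the settings this section applies: SSLv2/SSLv3 disabled, the stock 3DES cipher list replaced, cipher order honoured, compression off, the key under /etc/ssl/private, an HSTS header, and no SSLSessionTickets line. The two configurations are constructed, abridged samples of the stock file and of the file after the edits above.

```python
# Constructed samples: the stock CentOS 7 ssl.conf (abridged) and the same file after the guide.
STOCK_CONF = """
<VirtualHost _default_:443>
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""
HARDENED_CONF = """
<VirtualHost _default_:443>
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
SSLCompression off
"""
# Each directive the guide changes, with the value it must end up with.
CHECKS = {
    "SSLProtocol": lambda v: {"-sslv2", "-sslv3"} <= set(v.lower().split()),
    "SSLCipherSuite": lambda v: "3des" not in v.lower(),  # the stock list allows 3DES
    "SSLHonorCipherOrder": lambda v: v.lower() == "on",
    "SSLCompression": lambda v: v.lower() == "off",
    "SSLCertificateKeyFile": lambda v: v.startswith("/etc/ssl/private/"),
}

def active_directives(conf):
    """Yield (name, value) for lines that are neither comments nor section tags."""
    for raw in conf.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            yield name, value

def audit(conf):
    """Return sorted findings; an empty list means the guide's hardening is in place."""
    # Simplification: the last occurrence of a directive wins (the guide's hardened copy comes last).
    seen, hsts = {}, False
    for name, value in active_directives(conf):
        seen[name] = value
        hsts |= name == "Header" and "Strict-Transport-Security" in value
    findings = [f"{n}: missing or commented out" for n in CHECKS if n not in seen]
    findings += [f"{n}: weak value '{seen[n]}'" for n, ok in CHECKS.items() if n in seen and not ok(seen[n])]
    if not hsts:
        findings.append("Header: Strict-Transport-Security (HSTS) not set")
    if "SSLSessionTickets" in seen:  # per the guide, CentOS 7's httpd does not support it
        findings.append("SSLSessionTickets: unsupported on CentOS 7, comment it out")
    return sorted(findings)
```

Run audit() on the text of your real /etc/httpd/conf.d/ssl.conf to confirm the edits took effect before restarting Apache; the stock sample yields five findings and the hardened sample none.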

Redirecting HTTP to HTTPS

Redirecting HTTP to HTTPS is recommended and more secure, but it is not required and entirely up to you. If you do not redirect, your server will serve both plain HTTP and HTTPS. If you would like to redirect, do the following:

Create a non-ssl config file:

#vi /etc/httpd/conf.d/non-ssl.conf

Enter the following in order to have your HTTP site redirect to HTTPS:

<VirtualHost *:80>
    ServerName www.example.com
    Redirect "/" "https://www.example.com/"
</VirtualHost>

Save and exit the file once this is completed.

Activating your SSL Certificate

To be diligent and check for any errors in our config files, run the following to test if all syntax is okay.

#apachectl configtest

If the syntax check passes, restart Apache to apply the changes we have made:

#systemctl restart httpd.service

Lastly, we’ll need to update our iptables by adding the two rules:

#iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

To test your server, open your browser and enter the IP/domain. It should redirect to HTTPS and show a security warning page. Click Advanced and proceed to reach the site. The warning is normal: a self-signed certificate is not trusted by browsers, unlike the commercial SSL certificates we offer.

After completing all of the required steps, you’re good to go!
