Install and configure SSL Certificate on Apache Web Server for CentOS7/RHEL7

This article briefly explains self-signed certificates. When you connect to a server, your requests and the returned answers are passed from computer to computer. If a so-called man in the middle is sniffing the traffic, he can read all unencrypted information in plain text.

The main purpose of certificates, self-signed or CA-signed, is to keep information traversing the Internet encrypted, unreadable to everyone except the intended recipient.

In this article we cover how to create a self-signed SSL certificate and assign it to a domain in Apache. We have previously published several articles on the Apache web server; see the links below:

Setting up Simple Web Server on RHEL7/Centos7

Create An Alias Web Site on Apache Web Server

Redirect the Website on Apache Web server

Port based hosting on Apache Web server

Name Based Virtual Web Hosting on Apache

IP Based Virtual Web Hosting

Allow users to change the Content in Document Root

Steps to configure SSL Certificate on Apache Web server

1) Install the package.

The package that provides SSL support for Apache is “mod_ssl”. In a previous article we saw how to configure a simple web server; see Setting up Simple Web Server on RHEL7/Centos7.

# yum install mod_ssl -y

[root@server1 ~]# yum install mod_ssl -y
Loaded plugins: fastestmirror
Centos7                                                                                                                    | 3.6 kB  00:00:00     
Determining fastest mirrors
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-40.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

. . . . .

Transaction Summary
===========================================================
Install  1 Package

Total download size: 103 k
Installed size: 224 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded

2) Create the Self-signed SSL Certificate.

We can create a self-signed SSL certificate with a single command, as shown below. Make sure the “mod_ssl” package is installed on your system first.

# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/certs/ittroubleshooter.key -out /etc/pki/tls/certs/ittroubleshooter.crt

Let us review the command. It runs interactively and asks a number of questions, as shown below. The certificate and the server key are written to the “/etc/pki/tls/certs/” directory, named “ittroubleshooter.crt” and “ittroubleshooter.key” respectively.

[root@server1 ~]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/certs/ittroubleshooter.key -out /etc/pki/tls/certs/ittroubleshooter.crt
Generating a 2048 bit RSA private key
..................+++
.......................................................................+++
writing new private key to '/etc/pki/tls/certs/ittroubleshooter.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Himachal Pradesh
Locality Name (eg, city) [Default City]:Shimla
Organization Name (eg, company) [Default Company Ltd]:ITCare          
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:server1.ittroubleshooter.in
Email Address []:itcaretraining@gmail.com
[root@server1 ~]#

Remember: it is very important that the Common Name is set correctly. Enter your fully qualified domain name (FQDN) here or, if you don’t have an FQDN, your site’s IP address.

Now go to the “/etc/pki/tls/certs” directory, restrict the permissions of the server key (ittroubleshooter.key) so that only root can read it, and move the key to the “/etc/pki/tls/private” directory, as shown below.

[root@server1 ~]# cd /etc/pki/tls/certs
[root@server1 certs]# ls -Z ittroubleshooter.key 
-rw-r--r--. root root unconfined_u:object_r:cert_t:s0  ittroubleshooter.key
[root@server1 certs]# chmod 600 ittroubleshooter.key
[root@server1 certs]# ls -Z ittroubleshooter.key 
-rw-------. root root unconfined_u:object_r:cert_t:s0  ittroubleshooter.key
[root@server1 certs]# mv -v ittroubleshooter.key ../private/
‘ittroubleshooter.key’ -> ‘../private/ittroubleshooter.key’
[root@server1 certs]#

3) Add the Self-signed SSL Certificate to Apache.

Go to the “/etc/httpd/conf.d” directory and create a file named ittroubleshooterssl.conf (the name doesn’t matter, only the extension must be .conf).

[root@server1 certs]# cd /etc/httpd/conf.d
[root@server1 conf.d]# touch ittroubleshooterssl.conf

Now edit this file (# vim ittroubleshooterssl.conf) and add the following virtual host definition.

<VirtualHost *:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLHonorCipherOrder     on
SSLCertificateFile /etc/pki/tls/certs/ittroubleshooter.crt
SSLCertificateKeyFile /etc/pki/tls/private/ittroubleshooter.key
ServerName      server1.ittroubleshooter.in
DocumentRoot    /var/www/html/ssl
</VirtualHost>
4) Make the directory and create an HTML file.

In our demonstration we create one directory named “ssl” under the document root (/var/www/html/ssl, matching the DocumentRoot above) and create an HTML file in it, as shown below.

[root@server1 certs]# mkdir -p /var/www/html/ssl
[root@server1 certs]#  cd /var/www/html/ssl/
[root@server1 ssl]# vim index.html

Edit the file (# vim index.html) and add the following content.

<html>
<body>
<h1>Welcome to ITTroubleshooter</h1>
###### Secure Web Services ######
</body>
</html>


~
~
:wq

ittroubleshooter_inopenssl5

5) Allow httpd service on firewall.

[root@server1 ssl]# firewall-cmd --permanent --add-port=https/tcp
success
[root@server1 ssl]# firewall-cmd --reload
success
[root@server1 ssl]#

6) Check the syntax and restart the httpd service.

Before restarting the httpd service, check the configuration syntax.

[root@server1 ssl]# httpd -t
Syntax OK
[root@server1 ssl]# systemctl restart httpd
[root@server1 ssl]# systemctl status httpd
 httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-12-15 02:54:37 EST; 7s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 2625 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 2629 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─2629 /usr/sbin/httpd -DFOREGROUND
           ├─2630 /usr/sbin/httpd -DFOREGROUND
           ├─2631 /usr/sbin/httpd -DFOREGROUND
           ├─2632 /usr/sbin/httpd -DFOREGROUND
           ├─2633 /usr/sbin/httpd -DFOREGROUND
           └─2634 /usr/sbin/httpd -DFOREGROUND

Dec 15 02:54:37 server1.ittroubleshooter.in systemd[1]: Starting The Apache HTTP Server...
Dec 15 02:54:37 server1.ittroubleshooter.in systemd[1]: Started The Apache HTTP Server.
[root@server1 ssl]#

7) Verify the SSL web server in a browser.

To check SSL on the web server, open a browser on a client machine and point it at https:// followed by your server’s hostname or IP address. Because the certificate is self-signed, the browser shows a warning page; click the “Advanced” option.

Then click the “Add Exception…” option.

Accept the certificate by clicking “Confirm Security Exception” to establish the connection.

Warning: Self-signed certificates are fine for test environments but are not the right option for e-commerce websites. To avoid the browser warning described above, the SSL certificate must be signed by a Certificate Authority (CA).

Now you are connected to your web server with SSL encryption.

Hope this post will help Linux/Unix beginners. Please share your feedback and comments. Till then, stay connected with us at ittroubleshooter.in!
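Pulling steps 2, 3 and 6 together, here is an added example (not part of the original article) that generates the certificate non-interactively with -subj, applies the chmod 600 from step 2, and runs the checks worth doing before httpd is restarted: that the Common Name is the FQDN, that the key is not world-readable, that the certificate and key actually belong together, and that the vhost’s SSLProtocol line disables SSLv3 as well as SSLv2. It assumes the openssl CLI is installed and writes under a directory you pass in (use a temporary one) instead of /etc/pki/tls.

```shell
#!/bin/sh
# Added example, not from the original article. Non-interactive version of
# step 2 plus the checks worth running before step 6 restarts httpd. Assumes
# the openssl CLI is installed and writes under a directory you pass in
# (use a temporary one) instead of /etc/pki/tls.
set -eu

# Generate a self-signed certificate and key for one FQDN.
# Arguments: output directory, FQDN (becomes the Common Name), days valid.
make_selfsigned() {
    dir=$1; fqdn=$2; days=$3
    mkdir -p "$dir/certs" "$dir/private"
    # -nodes: unencrypted key so httpd starts without a passphrase prompt.
    # -subj replaces the interactive DN prompts shown in the article.
    openssl req -x509 -sha256 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/C=IN/ST=Himachal Pradesh/L=Shimla/O=ITCare/OU=IT/CN=$fqdn" \
        -keyout "$dir/private/$fqdn.key" -out "$dir/certs/$fqdn.crt" 2>/dev/null
    chmod 600 "$dir/private/$fqdn.key"   # same as the article's chmod step
}

# Print the Common Name of a certificate (handles old and new subject formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 when the key is readable by its owner only (mode 600).
key_is_private() {
    perm=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$perm" = "600" ]
}

# Return 0 when the certificate and key carry the same public key, i.e. the
# SSLCertificateFile and SSLCertificateKeyFile lines really belong together.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Return 0 when a vhost file's SSLProtocol line disables SSLv2 and SSLv3,
# as RHEL 7's stock ssl.conf does; the article's "all -SSLv2" leaves SSLv3 on.
ssl_protocol_hardened() {
    line=$(grep -E '^[[:space:]]*SSLProtocol' "$1" || true)
    case "$line" in
        *-SSLv2*-SSLv3*|*-SSLv3*-SSLv2*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run make_selfsigned with a temporary directory and your FQDN, then call the three check functions on the resulting files and ssl_protocol_hardened on your .conf before step 6’s httpd -t and restart.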
