SSL on Centos 7 with Apache 2
I jacked this from
https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-apache-for-centos-7
Step One — Install Mod SSL
In order to set up the self-signed certificate, we first
have to be sure that mod_ssl, an Apache module that provides support for SSL
encryption, is installed on our VPS. We can install mod_ssl with the yum
command:
yum install mod_ssl
The module is enabled automatically during installation: on CentOS 7 the
package drops /etc/httpd/conf.modules.d/00-ssl.conf, which loads mod_ssl, and
/etc/httpd/conf.d/ssl.conf, the port 443 virtual host that we edit in Step
Three. Apache picks both up the next time it is restarted, so you don't need to
take any additional steps for mod_ssl to be ready for use.
Step Two — Create a New Certificate
Now that Apache is ready to use encryption, we can move on
to generating a new SSL certificate. The certificate carries your site's public
key plus some basic identifying information (the subject fields you fill in
below), and is accompanied by a private key file. The private key is what lets
the server prove it owns the certificate and complete the TLS handshake, so it
must stay readable by root only: anyone who copies it can impersonate your site.
First, we need to create a new directory where we will store
the server key and certificate:
mkdir /etc/httpd/ssl
Now that we have a location to place our files, we can
create the SSL key and certificate files with openssl:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
After you enter the request, you will be taken to a prompt
where you can enter information about your website. Before we go over that,
let's take a look at what is happening in the command we are issuing:
openssl: This is
the basic command line tool for creating and managing OpenSSL certificates,
keys, and other files.
req -x509: req is the
OpenSSL subcommand for certificate requests (CSRs); -x509 tells it to output a
self-signed X.509 certificate directly instead of a CSR that would be sent to a
certificate authority. X.509 is the public key infrastructure standard that SSL
and TLS adhere to for key and certificate management.
-nodes: This tells
OpenSSL not to encrypt the private key with a passphrase ("no DES"). We need
Apache to be able to read the key, without user intervention, when the server
starts up; a passphrase would have to be typed after every restart. The
trade-off is that the key file is then protected only by filesystem
permissions, so keep it owned by root with mode 0600.
-days 365: This
option sets the length of time that the certificate will be considered valid.
We set it for one year here.
-newkey rsa:2048:
This specifies that we want to generate a new certificate and a new key at the
same time. We did not create the key that is required to sign the certificate
in a previous step, so we need to create it along with the certificate. The
rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
-keyout: This line
tells OpenSSL where to place the generated private key file that we are
creating.
-out: This tells
OpenSSL where to place the certificate that we are creating.
Fill out the prompts appropriately. The most important line
is the one that requests the Common Name. Enter the domain name that you want
associated with your server, or the public IP address if you do not have a
domain name. Be aware that current browsers (Chrome since version 58, and
current versions of the other major browsers) match the hostname against the
certificate's Subject Alternative Name extension rather than the Common Name,
and the interactive command above adds no SAN; such a certificate will still be
flagged for a name mismatch even after you trust it. If that matters, supply a
subjectAltName (DNS:example.com, or IP:203.0.113.10 for an address) through an
OpenSSL config file.
The full list of prompts will look something like this:
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Example
Locality Name (eg, city) [Default City]:Example
Organization Name (eg, company) [Default Company Ltd]:Example Inc
Organizational Unit Name (eg, section) []:Example Dept
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:webmaster@example.com
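As an added example that is not part of the original tutorial, here is the whole of Step Two as a script: it creates the directory, generates the key and certificate non-interactively (so the step is repeatable), adds the subjectAltName that the interactive command does not, keeps the key root-only from the moment it is written, and then checks that the certificate names the host and actually matches the key. The directory /etc/httpd/ssl, the host example.com, the DN values and the function names are assumptions; only openssl req/x509/rsa options that exist in the OpenSSL 1.0.2 shipped with CentOS 7 are used, which is why the SAN goes through a config file rather than the newer -addext flag.

```shell
#!/bin/sh
# Added example, not from the DigitalOcean tutorial: create the private key and
# the self-signed certificate non-interactively, with a subjectAltName, then
# verify the result. OpenSSL 1.0.2 (CentOS 7) has no -addext, so the extension
# is supplied through a small config file passed with -config.
# Directory, hostname, DN values and function names are assumptions.
set -eu

# make_selfsigned_cert DIR NAME [DAYS]
# Writes DIR/apache.key (unencrypted, as the tutorial's -nodes does, mode 0600)
# and DIR/apache.crt with NAME as both the Common Name and a SAN entry.
make_selfsigned_cert() {
    dir=$1; name=$2; days=${3:-365}
    mkdir -p "$dir"
    # A bare IPv4 address must be an IP: SAN entry; anything else is DNS:.
    case $name in
        *[!0-9.]*) san="DNS:$name" ;;
        *)         san="IP:$name" ;;
    esac
    cat >"$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
C  = US
ST = Example
L  = Example
O  = Example Inc
OU = Example Dept
CN = $name

[v3_server]
subjectAltName   = $san
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 in a subshell: the key is never world-readable, not even for
    # the instant between creation and a later chmod.
    ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
          -keyout "$dir/apache.key" -out "$dir/apache.crt" \
          -config "$dir/openssl.cnf" )
    chmod 644 "$dir/apache.crt"   # the certificate itself is public
}

# cert_has_san CERT NAME: succeeds if NAME is present as a DNS or IP SAN entry
# (openssl prints IP entries as "IP Address:").
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -qE "(DNS|IP Address):$2(,|\$)"
}

# key_matches_cert KEY CERT: succeeds if the RSA modulus in both agrees, i.e.
# the key Apache will load really belongs to the certificate it will present.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Usage: sh mkcert.sh /etc/httpd/ssl example.com [days]
if [ $# -ge 2 ]; then
    make_selfsigned_cert "$1" "$2" "${3:-365}"
    cert_has_san "$1/apache.crt" "$2" \
        && key_matches_cert "$1/apache.key" "$1/apache.crt" \
        && echo "OK: $1/apache.crt covers $2 and matches $1/apache.key"
fi
```

Run it as root with the target directory and hostname as arguments. The two check functions are worth keeping around on their own: a key/certificate mismatch is the most common reason httpd refuses to start after a certificate rotation, and the SAN check is what a browser will effectively do.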
Step Three — Set Up the Certificate
We now have all of the required components. The next thing
to do is to set up the virtual host so that Apache serves the new certificate.
Open Apache's SSL configuration file in your text editor
with root privileges:
vi /etc/httpd/conf.d/ssl.conf
Find the section that begins with <VirtualHost
_default_:443>. We need to make a few changes here to ensure that our SSL
certificate is correctly applied to our site.
First, uncomment the DocumentRoot line and edit the address
in quotes to the location of your site's document root. By default, this will
be in /var/www/html, and you don't need to change this line if you have not
changed the document root for your site. However, if you followed a guide like
our Apache virtual hosts setup guide, your site's document root may be
different.
DocumentRoot "/var/www/example.com/public_html"
Next, uncomment the ServerName line and replace
www.example.com with your domain name or server IP address (whichever one you
put as the common name in your certificate):
ServerName www.example.com:443
Find the SSLCertificateFile and SSLCertificateKeyFile lines
and point them at the files we created under /etc/httpd/ssl:
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
When you are finished making these changes, you can save and
close the file.
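The three edits above, collected into one fragment so the finished virtual host can be seen whole. This is an added example rather than the page's own text: example.com and its document root are placeholders, the log and SSLEngine lines are the ones the stock ssl.conf already contains, and the SSLProtocol, SSLHonorCipherOrder and SSLCipherSuite lines go beyond the tutorial by restricting the server to TLS 1.2 with forward-secret ciphers, which the stock file does not do.

```apache
# Added example, not the tutorial's text: the <VirtualHost _default_:443> block
# of /etc/httpd/conf.d/ssl.conf with Step Three's three edits applied.
# example.com and its DocumentRoot are assumptions.
<VirtualHost _default_:443>
    # Edit 1: the site's document root (uncommented and changed).
    DocumentRoot "/var/www/example.com/public_html"
    # Edit 2: must match the Common Name / SAN in the certificate.
    ServerName example.com:443

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on

    # Beyond the tutorial: allow only TLS 1.2, which httpd 2.4.6 with
    # OpenSSL 1.0.2 on CentOS 7 supports, and prefer ECDHE (forward-secret)
    # AEAD ciphers in the server's order rather than the client's.
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384

    # Edit 3: the key and certificate created in Step Two.
    SSLCertificateFile    /etc/httpd/ssl/apache.crt
    SSLCertificateKeyFile /etc/httpd/ssl/apache.key
</VirtualHost>
```

After saving, run apachectl configtest before restarting; a typo in any of these directives otherwise takes the whole server down rather than just the SSL host.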
Step Four — Activate the Certificate
By now, you have created an SSL certificate and configured
your web server to apply it to your site. To apply all of these changes and start
using your SSL encryption, you can restart the Apache server to reload its
configurations and modules:
apachectl restart
In your web browser, try visiting your domain name or IP
with https:// to see your new certificate in action.
https://example.com/
Your web browser will likely warn you that the site's
security certificate is not trusted. Since your certificate isn't signed by a
certificate authority that the browser trusts, the browser is unable to verify
the identity of the server that you are trying to connect to. We created a
self-signed certificate instead of a trusted CA-signed certificate, so this
makes perfect sense.
Once you add an exception to the browser's identity
verification, you will be allowed to proceed to your newly secured site. Keep in
mind what that exception means: the connection is encrypted, but the server's
identity was never checked, and an attacker in the path presenting their own
self-signed certificate would produce a similar warning that users have just
been trained to click through. A self-signed certificate is fine for testing, or
for an internal host whose certificate you distribute to the clients yourself;
for anything public-facing, use a certificate signed by a CA that browsers
already trust.