An SSL certificate is an electronic ‘document’ that is used to bind together a public security key and a website’s identity information (such as name, location, etc.) by means of a digital signature. The ‘document’ is issued by a certificate provider such as GlobalSign, Verisign, GoDaddy, Comodo, Thawte, and others.
In this article I will show how to generate self-signed certificate for Apache on CentOS. Please note that self-signed certificate does encrypt communication between your server and any clients. However, because it is not signed by any of the trusted certificate authorities included with web browsers, it’s not trusted by browsers by default and can’t be used to verify the identity of your server.
Prerequisites:
-
- root account or
sudorights - Apache installed and mod_ssl installed:
- root account or
|
1 |
sudo yum -y install httpd mod_ssl |
Next, enable Apache as a CentOS service so that it will automatically start after a reboot:
|
1 |
sudo systemctl enable httpd.service |
Create SSL Certificate
Create a new directory to store private key (the /etc/ssl/certs directory is already available to hold our certificate file):
|
1 |
sudo mkdir /etc/ssl/private |
Since files kept within this directory must be kept strictly private, modify the permissions to make sure only the root user has access:
|
1 |
sudo chmod 700 /etc/ssl/private |
Now that we have a location to place our files, we can create the SSL key and certificate files with openssl:
|
1 |
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt |
After you enter the request, you will be taken to a prompt where you can enter information about your website. Before we go over that, let’s take a look at what is happening in the command we are issuing:
- openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
- req -x509: This specifies that we want to use X.509 certificate signing request (CSR) management. The “X.509” is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
- -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Apache to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening, since we would have to enter it after every restart.
- -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
- -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
- -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
- -out: This tells OpenSSL where to place the certificate that we are creating.
Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You need to enter the domain name that you want to be associated with your server. You can enter the public IP address instead if you do not have a domain name.
The full list of prompts will look something like this:
|
1 2 3 4 5 6 7 |
Country Name (2 letter code) [XX]:UA State or Province Name (full name) []:Example Locality Name (eg, city) [Default City]:Example Organization Name (eg, company) [Default Company Ltd]:Example Inc Organizational Unit Name (eg, section) []:Example Dept Common Name (eg, your name or your server's hostname) []:example.com Email Address []:webmaster@example.com |
Both of the files you created will be placed in the appropriate subdirectories of the /etc/ssl directory.
While we are using OpenSSL, we should also create a strong Diffie-Hellman group, which is used in negotiating Perfect Forward Secrecy with clients.
We can do this by typing:
|
1 |
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 |
This may take a few minutes, but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem that we can use in our configuration.
Since the version of Apache that ships with CentOS 7 does not include the SSLOpenSSLConfCmd directive, we will have to manually append the generated file to the end of our self-signed certificate. To do this, type:
|
1 |
cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/apache-selfsigned.crt |
The apache-selfsigned.crt file should now have both the certificate and the generated Diffie-Hellman group.
Set up Certificate in Apache
Open Apache’s SSL configuration file in your text editor with root privileges:
sudo vi /etc/httpd/conf.d/ssl.conf
Find the section that begins with <VirtualHost _default_:443>
First, uncomment the DocumentRoot line and edit the address in quotes to the location of your site’s document root. By default, this will be in /var/www/html, and you don’t need to change this line if you have not changed the document root for your site. However, if you followed a guide like our Apache virtual hosts setup guide, your site’s document root may be different.
Next, uncomment the ServerName line and replace www.example.com with your domain name or server IP address (whichever one you put as the common name in your certificate):
/etc/httpd/conf.d/ssl.conf
. . .
|
1 2 |
DocumentRoot "/var/www/example.com/public_html" ServerName www.example.com:443 |
Next, find the SSLProtocol and SSLCipherSuite lines and either delete them or comment them out. The configuration we be pasting in a moment will offer more secure settings than the default included with CentOS’s Apache:
/etc/httpd/conf.d/ssl.conf
|
1 2 3 4 |
. . . # SSLProtocol all -SSLv2 . . . # SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA |
Find the SSLCertificateFile and SSLCertificateKeyFile lines and change them to the directory we made at /etc/httpd/ssl:
/etc/httpd/conf.d/ssl.conf
|
1 2 |
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key |
We’re now done with the changes within the actual VirtualHost block. The next changes will take place after the ending tag within this same file.
Setting Up Secure SSL Parameters
This is an optional step however is highly recommended.
Take a moment to read up on HTTP Strict Transport Security, or HSTS, and specifically about the “preload” functionality. Preloading HSTS provides increased security, but can have far reaching consequences if accidentally enabled or enabled incorrectly. In this guide, we will not preload the settings, but you can modify that if you are sure you understand the implications.
The other change we will make is to comment out the SSLSessionTickets directive, since this isn’t available in the version of Apache shipped with CentOS 7.
Paste in the settings from the site AFTER the end of the VirtualHost block:
/etc/httpd/conf.d/ssl.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
. . . . . . # Begin copied text # from https://cipherli.st/ # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On # Disable preloading HSTS for now. You can use the commented out header line that includes # the "preload" directive if you understand the implications. #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff # Requires Apache >= 2.4 SSLCompression off SSLUseStapling on SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires Apache >= 2.4.11 # SSLSessionTickets Off |
When you are finished making these changes, save and close the file.
Redirect HTTP to HTTPS in Apache (optional)
Now the server will provide both unencrypted HTTP and encrypted HTTPS traffic. For better security, it is recommended to redirect HTTP to HTTPS automatically. Use this guide: Redirect HTTP to HTTPS in Apache
Activate Certificate
First, check your configuration file for syntax errors by typing:
|
1 |
sudo apachectl configtest |
As long as the output ends with Syntax OK, you are safe to continue.
Restart the Apache server to apply your changes by typing:
|
1 |
sudo systemctl restart httpd.service |
Next, make sure port 80 and 443 are open in your firewall. If you are not running a firewall, you can skip ahead.
If you have a firewalld firewall running, you can open these ports by typing:
|
1 2 3 |
sudo firewall-cmd --add-service=http sudo firewall-cmd --add-service=https sudo firewall-cmd --runtime-to-permanent |
If have an iptables firewall running, the commands you need to run are highly dependent on your current rule set. For a basic rule set, you can add HTTP and HTTPS access by typing:
|
1 2 |
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT |
In your web browser, try visiting your domain name or IP with https:// to see your new certificate in action.
https://example.com/
Your web browser will likely warn you that the site’s security certificate is not trusted. Since your certificate isn’t signed by a certificate authority that the browser trusts, the browser is unable to verify the identity of the server that you are trying to connect to.
Once you add an exception to the browser’s identity verification, you will be allowed to proceed to your newly secured site.
