TLS/SSL certificates encrypt the web traffic exchanged between your web server and your users' clients. This not only makes your website more secure but also improves its credibility. Let us look at Apache SSL configuration on CentOS 7.
Apache SSL Configuration on CentOS 7
Here’s the Apache SSL configuration on CentOS 7.
Before we begin, please ensure you have installed the Apache web server on your CentOS system. Here's the command to install it:
$ sudo yum install httpd
The following command activates it and starts it automatically every time you reboot your system:
$ sudo systemctl enable httpd.service
1. Download SSL Certificate
Next, download the SSL certificate and the intermediate certificate issued by a trusted Certificate Authority such as Comodo, Norton, Verisign or GeoTrust. Once you place an order on their site, you'll get them via email. Once you have downloaded the files, copy the SSL certificate (your_domain.crt) and the intermediate certificate (e.g. CertificateAuthority.crt) onto the server.
2. Create a Certificate Signing Request
Then create a certificate signing request (CSR) using openssl on Linux and submit it on the CA's website. This allows the Certificate Authority to verify your website's identity every time users visit your web pages. Here are the steps to create a CSR.
This gives you a private key (e.g. private_key.key) that you need to complete the setup. Keep it readable only by root, since anyone holding it can impersonate your site.
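As an added example (not part of the original post), the following POSIX shell script shows the openssl steps that produce the private key and CSR described above, plus two checks worth running before you upload the CSR to the CA: that the CSR carries the hostname you are ordering the certificate for, and that it really belongs to the key you kept. The hostname, output directory and subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's commands. Generates the private key and
# CSR that step 2 describes and checks them before they are submitted to the CA.
# All file names and subject fields below are constructed placeholders.
set -eu

# Generate a 2048-bit RSA private key and a CSR for it in one step.
# $1 = output directory, $2 = fully qualified hostname (used as the Common Name)
make_csr() {
    dir=$1
    host=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/private_key.key" \
        -out "$dir/$host.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$host" \
        2>/dev/null
    # The key is never sent anywhere; only the CSR goes to the CA.
    chmod 600 "$dir/private_key.key"
}

# Print the Common Name stored in a CSR ($1), so it can be compared with the
# hostname you actually ordered for. Works with both the "/CN=host" and
# "CN = host" subject formats printed by different OpenSSL versions.
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 if the CSR ($1) and the private key ($2) share the same public key.
# A mismatch here means the certificate the CA returns will not work with your key.
csr_matches_key() {
    csr_pub=$(openssl req -noout -pubkey -in "$1" | openssl md5)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl md5)
    [ "$csr_pub" = "$key_pub" ]
}

# Stand-alone demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_csr "$work" www.example.com
    echo "CSR Common Name: $(csr_cn "$work/www.example.com.csr")"
    if csr_matches_key "$work/www.example.com.csr" "$work/private_key.key"; then
        echo "CSR and private key match; submit $work/www.example.com.csr to the CA"
    fi
fi
```

Run it with `sh csr.sh demo` or source it and call `make_csr /etc/pki/tls/private www.yourdomain.com`. The two check functions are the ones to keep around: they are the same comparison you will want again once the signed certificate arrives.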
3. Install Mod_SSL
mod_ssl is the Apache module that manages SSL certificates and encryption on your website. Here's how you can install it:
$ sudo yum install mod_ssl
It is automatically enabled after installation and ready to be used.
3. Configure the Certificates
Next, set up a virtual host for the generated certificates. Open the SSL config file in a text editor:
$ sudo vi /etc/httpd/conf.d/ssl.conf
You'll see a <VirtualHost _default_:443> block at the top. We need to update it to configure the SSL certificates.
First, uncomment DocumentRoot and update the location to your website's root folder (in /var/www/html).
Then uncomment ServerName and replace www.example.com with your domain or IP address:
<VirtualHost _default_:443>
. . .
DocumentRoot "/var/www/html"
ServerName www.example.com:443
Then, uncomment or delete the lines starting with SSLProtocol and SSLCipherSuite:
. . .
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
Next, update SSLCertificateFile and SSLCertificateKeyFile to be the location of your SSL certificate and private key respectively.
Your <VirtualHost> block will then look like this (replace the address, hostname and file paths with your own):
<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/CertificateAuthority.crt
</VirtualHost>
Make sure that:
- SSLCertificateFile is your certificate file (e.g. your_domain.crt)
- SSLCertificateKeyFile is the private key file you created while generating the CSR
- SSLCertificateChainFile is the intermediate certificate issued by the Certificate Authority (e.g. CertificateAuthority.crt)
4. Redirect HTTP to HTTPS (Optional)
Next, we redirect all HTTP traffic to HTTPS. This ensures that all your web traffic is encrypted. This step is recommended but optional.
Create a new config file in /etc/httpd/conf.d:
$ sudo vi /etc/httpd/conf.d/non-ssl.conf
In it, add the following <VirtualHost> block. Set the ServerName directive to your domain name.
Use the Redirect directive to send all requests for your domain to its HTTPS version. Replace www.example.com with your domain name. Redirect without a status keyword sends a temporary (302) redirect; use Redirect permanent to send a 301 once you are sure HTTPS works.
<VirtualHost *:80>
ServerName www.example.com
Redirect "/" "https://www.example.com/"
</VirtualHost>
Save and close the file.
5. Activate the SSL certificate
Now you have obtained an SSL certificate and set up your website to use it. To enable it, simply test the config file and then restart the server if there are no errors.
Test the config:
$ sudo apachectl configtest
If there are no errors, you'll see the following message:
Output
. . .
Syntax OK
In case of errors, check the syntax of your files and try again.
Restart the Apache server:
$ sudo systemctl restart httpd.service
Sometimes the HTTP (port 80) and HTTPS (port 443) ports are blocked by the firewall by default.
You can open them in iptables with the following commands (these rules do not survive a reboot; on a CentOS 7 system running firewalld, use firewall-cmd --permanent --add-service=http --add-service=https followed by firewall-cmd --reload instead):
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Open a browser and go to https://your_domain.com. You will see a lock icon in the address bar, indicating that the connection is encrypted and the certificate is trusted by the browser. Apache SSL configuration on CentOS 7 is complete.