Apache SSL Configuration on CentOS 7



TLS/SSL certificates encrypt web traffic and data sent between your web server and users’ clients. They not only make your website more secure but also improve its credibility. Let us look at Apache SSL configuration on CentOS 7.

 


 

Before we begin, make sure the Apache web server is installed on your CentOS system. Here’s the command to install it:


$ sudo yum install httpd

The following command will activate it and autostart it every time you reboot your system


$ sudo systemctl enable httpd.service

 

1. Download SSL Certificate

Next, download the SSL certificate and intermediate certificate issued by a trusted Certificate Authority like Comodo, Norton, Verisign, GeoTrust, etc. Once you place an order on their site, you’ll get them via email. Once you have downloaded the files, copy the SSL certificate (your_domain.crt) and intermediate certificate (e.g. CertificateAuthority.crt)

 

2. Create a Certificate Signing Request

Then create a certificate signing request (CSR) using openssl in Linux and submit it to their website. This will allow the Certificate Authority to verify your website’s identity every time users visit your web pages. Here are the steps to create a CSR.

This will give you a private key (e.g. private_key.key) that you need to complete the setup.
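One way to carry out this step, as an added example that is not part of the original article: generate the key and a CSR with openssl, then confirm the CSR carries that key's public half before submitting it. The host names, the csr.cnf file and the function names are assumptions made for the example; private_key.key follows the article's naming.

```shell
# make_csr DIR FQDN [ALT_NAME]: writes DIR/private_key.key and DIR/FQDN.csr
make_csr() {
    dir=$1; fqdn=$2; san="DNS:$2"
    if [ $# -ge 3 ]; then san="$san, DNS:$3"; fi
    # Create the key under a restrictive umask so only its owner can read it.
    ( umask 077; openssl genrsa -out "$dir/private_key.key" 2048 2>/dev/null ) || return 1
    # Minimal request config: no prompts, subject CN plus subjectAltName entries.
    cat > "$dir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $fqdn
[v3_req]
subjectAltName = $san
EOF
    openssl req -new -sha256 -key "$dir/private_key.key" \
        -config "$dir/csr.cnf" -out "$dir/$fqdn.csr"
}

# csr_matches_key KEY CSR: succeeds only if the CSR self-signature verifies
# and the CSR's public key equals the one derived from KEY.
csr_matches_key() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey) || return 1
    [ "$key_pub" = "$csr_pub" ]
}

# Demo in a scratch directory with constructed host names.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" www.example.com example.com
csr_matches_key "$demo_dir/private_key.key" "$demo_dir/www.example.com.csr" \
    && echo "CSR matches private key"
rm -rf "$demo_dir"
```

The same public-key comparison catches the common mistake of pointing SSLCertificateKeyFile at a key from an earlier, abandoned request.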

 

3. Install Mod_SSL

mod_ssl is the Apache module that manages SSL certificates and encryption on your website. Here’s how you can install it:


$ sudo yum install mod_ssl

It is automatically enabled after installation and ready to be used.

 

 

 

3. Configure the Certificates

Next, set up virtual hosts for the generated certificates. Open the SSL config file in a text editor


$ sudo vi /etc/httpd/conf.d/ssl.conf

You’ll see a <VirtualHost _default_:443> block at the top. We need to update it to configure SSL certificates.

First, uncomment DocumentRoot and update the location to your website’s root folder (in /var/www/html)

Then uncomment ServerName and replace www.example.com with your domain or IP address


<VirtualHost _default_:443>
. . .
DocumentRoot "/var/www/html"
ServerName www.example.com:443

Then, comment out or delete the lines starting with SSLProtocol and SSLCipherSuite


. . .
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

Next, update SSLCertificateFile and SSLCertificateKeyFile to be the location of your SSL certificate and private key respectively.

Your <VirtualHost> block will look like this (update the IP address, domain name and file paths to match your setup):


<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/CertificateAuthority.crt
</VirtualHost>

 

Make sure that:

  • SSLCertificateFile is your certificate file (e.g. your_domain.crt)
  • SSLCertificateKeyFile is the private key file you created when generating the CSR
  • SSLCertificateChainFile is the intermediate file issued by the Certificate Authority (e.g. CertificateAuthority.crt)
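The checklist above can be automated; the following is an added example, not code from the original article. It audits a vhost block for the directives this step sets and also flags an SSLProtocol that is missing or commented out (mod_ssl then falls back to its built-in default) or that leaves SSLv3, TLSv1 or TLSv1.1 enabled. The function name and finding strings are made up for the example, and `all` is treated conservatively as including those three protocols.

```shell
# audit_ssl_vhost [FILE]: print findings for an Apache SSL vhost; exit 1 if any.
audit_ssl_vhost() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }        # skip blanks and commented-out directives
    { d = tolower($1) }
    d == "sslengine" && tolower($2) == "on" { engine = 1 }
    d == "sslcertificatefile"    { cert = 1 }
    d == "sslcertificatekeyfile" { key = 1 }
    d == "sslprotocol" {
        proto = 1
        for (i = 2; i <= NF; i++) {      # apply +proto / -proto tokens in order
            t = tolower($i); plus = 1
            if (t ~ /^[+-]/) { plus = (substr(t, 1, 1) == "+"); t = substr(t, 2) }
            if (t == "all") on["sslv3"] = on["tlsv1"] = on["tlsv1.1"] = plus
            else on[t] = plus
        }
    }
    END {
        if (!engine) bad("SSLEngine is not on")
        if (!cert)   bad("SSLCertificateFile missing")
        if (!key)    bad("SSLCertificateKeyFile missing")
        if (!proto)  bad("SSLProtocol not set, built-in default applies")
        n = split("sslv3 tlsv1 tlsv1.1", old, " ")
        for (i = 1; i <= n; i++) if (on[old[i]]) bad("SSLProtocol enables " old[i])
        exit (found > 0)
    }
    function bad(msg) { print "FINDING: " msg; found++ }
    ' "$@"
}

# Constructed sample: the vhost from this article, SSLProtocol left commented out.
page_vhost='<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/CertificateAuthority.crt
# SSLProtocol all -SSLv2
</VirtualHost>'
printf '%s\n' "$page_vhost" | audit_ssl_vhost || true
```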

 

 

4. Redirect HTTP to HTTPS (Optional)

Next, we redirect all HTTP traffic to HTTPS. This will ensure all your web traffic is encrypted. This step is recommended but optional.

Create a new config file in /etc/httpd/conf.d:


$ sudo vi /etc/httpd/conf.d/non-ssl.conf

In it, add the following <VirtualHost> block. Set the ServerName directive to your domain name.

Use the Redirect directive to redirect all requests for your domain to its HTTPS version. Replace www.example.com with your domain name.


<VirtualHost *:80>
ServerName www.example.com
Redirect "/" "https://www.example.com/"
</VirtualHost>

Save and close the file.

 

5. Activate the SSL certificate

Now you have generated the SSL certificate and set up your website to use it. To enable it, test the config file and then restart the server if there are no errors.

Test the config


$ sudo apachectl configtest

If there are no errors, you’ll see the following message


Output
. . .
Syntax OK

In case of errors, check the syntax of your files and try again.

 

Restart Apache Server


$ sudo systemctl restart httpd.service

 

Sometimes, HTTP (port 80) and HTTPS (port 443) are blocked by default.

You can open them in iptables with the following commands


$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

 

Open a browser and go to https://your_domain.com. You will see a green lock in your address bar, indicating that your website is safe. Apache SSL Configuration on CentOS 7 is complete.

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses.