Adding SSL Certificate to Apache Web Server (CentOS)

An SSL certificate is required to allow secure communication between the web browser and the web server. A self-signed certificate can be used. However, users will have to accept the security exception when informed that the certificate is not signed by a trusted authority.

An alternate method would be to obtain a commercially signed certificate. The following steps outline how you can add a commercial SSL certificate to an Apache web server using the CentOS operating system.

Step One: Before you can proceed with installing an SSL certificate, you must ensure mod_ssl is installed. You can verify this by executing the following command:

yum list installed | grep mod_ssl

If it is not installed, run the following installation command:

yum install mod_ssl

Step Two: Now you can generate the private key and the certificate signing request (CSR) for the new certificate. You must first create the directory for the new certificate.

mkdir -p /etc/ssl

Then create the key and CSR with OpenSSL:

openssl req -new -newkey rsa:2048 -nodes -sha256 -days 365 -keyout /etc/pki/tls/private/example.com.key -out example.com.csr
  • -nodes: instructs OpenSSL to leave the private key unencrypted, so that no passphrase is required. If this option is excluded, you will be required to enter the passphrase in the console each time the application using it is restarted.
  • -days: determines the length of time in days that the certificate is being issued for. In this case 365 was used because a one-year SSL certificate verification from a commercial certificate authority (CA) was purchased.
  • -newkey rsa:2048: allows you to specify the size of the RSA key. Here 2048 bits was chosen because it is the recommended minimum size.
  • -sha256: ensures that the certificate request is generated using 256-bit SHA (Secure Hash Algorithm).

You will need to use the generated CSR file for requesting your signed certificate.

Step Three: The third step is to request your signed certificate. To obtain the SSL certificate, you must first decide what type of SSL certificate you need. For a single domain on which you just want a secure connection, a standard SSL certificate is acceptable. You can purchase the standard SSL certificate for as little as $7.99/yr from Starfield Technologies.

After purchasing your SSL certificate, you will need to follow their instructions for setting up the certificate. The setup will require the CSR previously generated.

Step Four: Once you have obtained your signed certificate, you will need to install it on the web server. Create an ssl directory in the website root directory:

mkdir /path/to/root/ssl

Now copy the provided certificate and chain file to this directory. You will next need to modify the ssl.conf file.

vi /etc/httpd/conf.d/ssl.conf
  • Change the Virtual host to:
<VirtualHost *:443>
  • Add the server certificate path:
SSLCertificateFile /path/to/certificate/somecert.crt
  • Add the server private key:
SSLCertificateKeyFile /path/to/key/some.key
  • Update the chain file:
SSLCertificateChainFile /path/to/chainfile/some.crt
  • Modify the .conf file for your web site by adding the following:
<VirtualHost *:443>
 ServerName <your_server_name>
 ServerAdmin none
 DocumentRoot <your_server_root>
 ErrorLog <Path_to_logs>

 # SSL Engine Switch:
 # Enable/Disable SSL for this virtual host.
 SSLEngine on

 SSLCertificateFile <path_to_cert>
 SSLCertificateKeyFile <path_to_key>
 SSLCertificateChainFile <path_to_chain_file>
</VirtualHost>
  • To force your users to HTTPS, you can add a redirect to the port 80 VirtualHost tag:
Redirect / https://<web_site>/

Once these steps are completed, you will need to restart Apache:

systemctl restart httpd

Now you should be able to access the web site and see the secure symbol provided by your browser.
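
A check worth running before the restart in Step Four, added here as an example and not part of the original post: it confirms that the certificate returned by the CA carries the same public key as the private key and CSR from Step Two, and that the unencrypted key file is readable only by its owner. The function names are hypothetical and the file paths are whatever you pass in.

```bash
#!/usr/bin/env bash
# Added example: sanity checks on the key, CSR and signed certificate.
# Function names are hypothetical; pass in your own file paths.

# Print the SHA-256 digest of the public key held in a PEM file.
# $1 = key | csr | cert, $2 = path
pubkey_digest() {
    local pem
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable or malformed file yields no PEM; fail rather than hash nothing.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the certificate carries the public key of the private key
# (and of the CSR, when one is given as $3).
cert_matches_key() {
    local cert="$1" key="$2" csr="${3:-}" c k r
    c=$(pubkey_digest cert "$cert") || return 1
    k=$(pubkey_digest key  "$key")  || return 1
    [ "$c" = "$k" ] || return 1
    if [ -n "$csr" ]; then
        r=$(pubkey_digest csr "$csr") || return 1
        [ "$r" = "$k" ] || return 1
    fi
    return 0
}

# Succeed only if the key file grants nothing to group or others.
# A key generated with -nodes is unencrypted, so file permissions are
# what keep it away from other local users.
key_is_private() {
    local perms
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Example call (paths are placeholders):
#   cert_matches_key somecert.crt some.key example.com.csr && key_is_private some.key
```

If both checks succeed, `apachectl configtest` will catch syntax errors in ssl.conf before the restart.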
