An SSL certificate is required to allow secure communication between the web browser and the web server. A self-signed certificate can be used. However, users will have to accept the security exception when informed of the unsigned certificate.
An alternate method would be to obtain a commercially signed certificate. The following steps outline how you can add a commercial SSL certificate to an Apache web server using the CentOS operating system.
Step One: Before you can proceed with installing an SSL certificate, you must ensure mod_ssl is installed. You can verify this by executing the following command:
yum list installed | grep mod
If it is not installed run the following installation command:
yum install mod_ssl
Step Two: Now you can generate the new certificate. You must first create the directory for the new certificate.
Then create the private key and certificate signing request (CSR) with OpenSSL:
openssl req -new -newkey rsa:2048 -nodes -sha256 -days 365 -keyout /etc/pki/tls/private/example.com.key -out example.com.csr
- -nodes: instructs OpenSSL to create a private key that does not require a passphrase. If this option is excluded, you will be required to enter the passphrase in the console each time the application using it is restarted.
- -days: determines the length of time in days that the certificate is being issued for. In this case 365 was used because a one year SSL certificate verification from a commercial certificate authority (CA) was purchased.
- -newkey rsa:2048: generates a new RSA key and allows you to specify its size. Here 2048 bits was chosen because it is the recommended minimum size.
- -sha256: ensures that the certificate request is generated using 256-bit SHA (Secure Hash Algorithm).
You will need to use the generated CSR file for requesting your signed certificate.
Step Three: The third step is to request your signed certificate. To obtain the SSL certificate you must first decide what type of SSL certificate you need. For a single domain in which you just want a secure connection, a standard SSL certificate is acceptable. You can purchase the standard SSL certificate for as little as $7.99/yr from Starfield Technologies.
After purchasing your SSL certificate you will need to follow their instructions for setting up the certificate. The setup will require the CSR previously generated.
Step Four: Once you have obtained your signed certificate you will need to install your certificate on the web server. Create an ssl directory in the website root directory:
Now copy the provided certificate and chain file to this directory. You will next need to modify the ssl.conf file.
- Change the Virtual host to:
- Add the server certificate path:
- Add the server private key:
- Update the chain file:
- Modify the .conf file for your web site by adding the following:
<VirtualHost *:443>
    ServerName <your_server_name>
    ServerAdmin none
    DocumentRoot <your_server_root>
    ErrorLog <Path_to_logs>
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLCertificateFile <path_to_cert>
    SSLCertificateKeyFile <path_to_key>
    SSLCertificateChainFile <path_to_cert>
</VirtualHost>
- To force your users to HTTPS you can add a redirect to the port 80 VirtualHost tag:
Redirect / https://<web_site>/
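Before restarting, it is worth confirming that the certificate returned by the CA and the CSR from Step Two both belong to the private key that ssl.conf points at, and that the passphrase-less key is readable only by its owner. The script below is an added example, not part of the original article; the function names and the check_tls.sh file name are illustrative, and make_sample builds constructed test input with a self-signed certificate standing in for the CA-issued one.

```shell
# Added example (not from the original article). Paths passed in are the ones
# from Step Two and Step Four; function names here are illustrative.

# SHA-256 of the public key inside a private key, CSR or certificate.
pub_fp() {   # $1 = key|csr|cert, $2 = file
    local pem
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || pem="" ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || pem="" ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || pem="" ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable file or wrong file type
    printf '%s\n' "$pem" | openssl pkey -pubin -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the CSR and the certificate both carry the key's public key.
check_tls_material() {   # $1 = key, $2 = CSR, $3 = certificate
    local k c x
    k=$(pub_fp key  "$1") || { echo "cannot parse key: $1" >&2; return 1; }
    c=$(pub_fp csr  "$2") || { echo "cannot parse CSR: $2" >&2; return 1; }
    x=$(pub_fp cert "$3") || { echo "cannot parse certificate: $3" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "CSR was not generated from this key" >&2; return 1; }
    [ "$k" = "$x" ] || { echo "certificate does not match this key" >&2; return 1; }
    echo "OK: key, CSR and certificate share public key sha256:$k"
}

# The key was created with -nodes (no passphrase), so file permissions are its
# only protection: no group or other access bits may be set.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Constructed sample input for offline use: the article's CSR command, plus a
# self-signed certificate standing in for the one the CA would issue.
make_sample() {   # $1 = existing output directory
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.com" \
        -keyout "$1/example.com.key" -out "$1/example.com.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/example.com.csr" -signkey "$1/example.com.key" \
        -days 365 -out "$1/example.com.crt" 2>/dev/null
}

# Usage: sh check_tls.sh <key> <csr> <cert>
if [ "$#" -eq 3 ]; then
    check_tls_material "$1" "$2" "$3" && key_is_private "$1" ||
        { echo "do not restart Apache with these files" >&2; exit 1; }
fi
```

Running `apachectl configtest` afterwards catches syntax errors in ssl.conf before the restart.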
Once these steps are completed you will need to restart Apache:
systemctl restart httpd
Now you should be able to access the web site and see the secure symbol provided by your browser.