Apache SSL Configuration (Create/Import processes)

This guide will explain how to set up a site over https (SSL certificate). The tutorial uses a self-signed certificate, so it will work well for a personal website or for testing purposes. This is provided as is, so proceed at your own risk and take backups!

For an SSL-encrypted web server you will need a few things. Depending on your install you may or may not already have OpenSSL and mod_ssl (Apache's interface to OpenSSL). Use yum to install them if they are missing:

yum install mod_ssl openssl

Yum will either tell you they are installed or will install them for you.

Generate a self-signed certificate

Using OpenSSL we will generate a self-signed certificate. If you are using this on a production server you will probably want a certificate from a trusted Certificate Authority, but if you are just using this on a personal site or for testing purposes a self-signed certificate is fine. To create the key you will need to be root, so either su to root or put sudo in front of the commands.

# Generate private key
openssl genrsa -out ca.key 2048

# Generate CSR
openssl req -new -key ca.key -out ca.csr

# Generate self-signed certificate (valid for 365 days)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

# Copy the files to the correct locations
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr

WARNING: Make sure that you copy the files and do not move them if you use SELinux. Apache will complain about missing certificate files otherwise, as it cannot read them because the certificate files do not have the right SELinux context.

If you have moved the files and not copied them, you can use the following command to correct the SELinux contexts on those files, as the correct context definitions for /etc/pki/* come with the bundled SELinux policy.

restorecon -RvF /etc/pki

Locate the following directives in either your httpd.conf or ssl.conf file (which files you use depends on how you configured Apache). If one or more of them are currently commented out, uncomment them by removing the # character from the beginning of the line. Set the values of these directives to the absolute path and filename of the appropriate file, based on your version of Apache:

  • SSLCertificateFile should be your DigiCert certificate file (e.g. your_domain_name.crt).
  • SSLCertificateKeyFile should be the key file generated when you created the CSR.
  • SSLCertificateChainFile should be the intermediate certificate file (CertCA.crt).

Next, update the Apache SSL configuration file:

vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

Change the paths to match where the certificate and key files are stored. If you've used the method above, the certificate line will be:

SSLCertificateFile /etc/pki/tls/certs/ca.crt

Then set the correct path for the Certificate Key file a few lines below. If you've followed the instructions above it is:

SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Quit and save the file and then restart Apache:

/etc/init.d/httpd restart

All being well you should now be able to connect over https to your server and see the default CentOS page. As the certificate is self-signed, browsers will generally ask you whether you want to accept the certificate.

Setting up the virtual hosts

Just as you set up VirtualHosts for http on port 80, so you do for https on port 443. A typical VirtualHost for a site on port 80 looks like this:

<VirtualHost *:80>
        <Directory /var/www/vhosts/yoursite.com/httpdocs>
        AllowOverride All
        </Directory>
        DocumentRoot /var/www/vhosts/yoursite.com/httpdocs
        ServerName yoursite.com
</VirtualHost>

To add a sister site on port 443, enabling SSL for the site, you need to add the following at the top of your file:

NameVirtualHost *:443

And then a VirtualHost record something like this:

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/ca.crt
        SSLCertificateKeyFile /etc/pki/tls/private/ca.key
        <Directory /var/www/vhosts/yoursite.com/httpsdocs>
        AllowOverride All
        </Directory>
        DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
        ServerName yoursite.com
</VirtualHost>

Restart Apache again using:

/etc/init.d/httpd restart

Configuring the firewall

You should now have a site working over https using a self-signed certificate. If you can't connect you may need to open the port on your firewall. To do this amend your iptables rules:

iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v

Import SSL Certificate

The following procedure is a general step-by-step guide to how SSL certificates are usually imported and referenced in Apache VirtualHost configurations:

  • Save the primary and intermediate certificates to a folder on the server with the private key.
  • Open the Apache configuration file in a text editor. Apache configuration files are usually found in /etc/httpd.

The main configuration file is usually named httpd.conf. In most cases the <VirtualHost> blocks will be at the bottom of this httpd.conf file. Sometimes you will find the <VirtualHost> blocks in a separate file in a directory like /etc/httpd/vhosts.d/ or /etc/httpd/sites/ or in a file called ssl.conf.

If you need your site to be accessible through both secure (https) and non-secure (http) connections, you will need a virtual host for each type of connection. Make a copy of the existing non-secure virtual host and change the port from port 80 to 443.

Add the SSLEngine and SSLCertificate* lines shown below:

<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/website
ServerName www.domain.com
SSLEngine on
SSLCertificateFile /etc/ssl/crt/primary.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCertificateChainFile /etc/ssl/crt/intermediate.crt
</VirtualHost> 

Change the names of the files and paths to match your certificate files:

  • SSLCertificateFile should be your primary certificate file for your domain name.
  • SSLCertificateKeyFile should be the key file generated when you created the CSR.
  • SSLCertificateChainFile should be the intermediate certificate file (if any) that was supplied by your certificate authority.
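A pre-flight check that catches the mistakes these two VirtualHost examples are prone to (a missing or mis-typed certificate path, SSLEngine left off, an unbalanced <Directory> section like the one that slipped into the port-443 block earlier on this page). This is added example code, not part of the original tutorial; the sample configuration embedded in it is constructed from the page's own block, and the root parameter is an assumption that exists only so the check can be run against a temporary directory tree.

```python
import re
from pathlib import Path

# Directives a port-443 VirtualHost needs. SSLCertificateChainFile is optional:
# a CA-issued certificate usually needs it, a self-signed one has no intermediate.
FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
# Constructed sample: the tutorial's port-443 block as printed, without its <Directory ...> line.
SAMPLE_CONF = """<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    AllowOverride All
    </Directory>
    DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
</VirtualHost>"""

def parse_vhosts(text):
    """Return [(listen_spec, {directive.lower(): value}, sections_balanced)] per <VirtualHost>."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", text, re.I | re.S):
        body, directives = m.group(2), {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith(("#", "<")):
                continue  # skip blanks, comments and nested section tags
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip()  # Apache directive names are case-insensitive
        balanced = len(re.findall(r"<Directory\b", body, re.I)) == len(re.findall(r"</Directory>", body, re.I))
        vhosts.append((m.group(1).strip(), directives, balanced))
    return vhosts

def check_ssl_vhost(directives, balanced, root="/"):
    """List problems with one VirtualHost; an empty list means the SSL directives look sane."""
    problems = [] if balanced else ["<Directory> open/close tags do not match"]
    if directives.get("sslengine", "").lower() != "on":
        problems.append("SSLEngine is not 'on'")
    for name in FILE_DIRECTIVES:
        value = directives.get(name.lower())
        if value is None:
            if name != "SSLCertificateChainFile":
                problems.append(f"{name} missing")
        elif not value.startswith("/"):
            problems.append(f"{name} is not an absolute path: {value}")
        elif not (Path(root) / value.lstrip("/")).is_file():  # root="/" checks the real filesystem
            problems.append(f"{name} points to a missing file: {value}")
    return problems

def check_config(text, root="/"):
    # Only VirtualHosts listening on port 443 are checked; returns {listen_spec: [problems]}
    return {listen: check_ssl_vhost(d, ok, root)
            for listen, d, ok in parse_vhosts(text) if listen.endswith(":443")}
```

Run it as check_config(open("/etc/httpd/conf.d/ssl.conf").read()) before apachectl configtest; it does not verify that the key matches the certificate, only that the directives and files are in place.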

Save the changes and exit the text editor.

Test your Apache config before restarting

It is always best to check your Apache config files for errors before restarting, because Apache will not start again if your config files have syntax errors. Run the following command (it is apache2ctl on some systems):

apachectl configtest

Restart your Apache web server using one of the following commands:

/usr/local/apache/bin/apachectl startssl
/usr/local/apache/bin/apachectl restart