How to install an SSL certificate on CentOS for Apache

Getting Apache to serve up pages over a secure connection requires a little bit of configuration.

If you want to use a self-signed certificate, you may want to look here.

Step 1. Make sure you have openssl and mod_ssl installed on your CentOS server.

yum install openssl mod_ssl

Step 2. Make sure Apache is configured to load the mod_ssl module. In my case, in /etc/httpd/conf/httpd.conf it says:

Include conf.d/*.conf

This little line of code is how the file /etc/httpd/conf.d/ssl.conf gets loaded. The SSL configuration file for Apache is where I ended up putting the configurations for my server.

Step 3. Now we’re ready to generate a CSR – Certificate Signing Request. This is something unique to your specific server that you use to generate a CRT (actual SSL certificate file) from your SSL vendor of choice. Note that this process could require several hours or days, along with email confirmations from your domain’s technical or administrative contact.

This page on the CentOS wiki gives you a great overview of the process. But after I tried that, GoDaddy complained that it needed a 2048-bit CSR. So this page showed me how to generate the CSR with a 2048-bit key:

openssl req -nodes -newkey rsa:2048 -keyout your-domain-name.key -out your-domain-name.csr

Now of course you will be replacing your-domain-name with the exact domain name (or subdomain if applicable). By default, using openssl on the command line generates files in the current working directory, but you can pass in the full pathnames if you want, too.

cat /path/to/your-domain-name.csr

Step 4. Copy and paste that mess into your SSL vendor’s ‘Paste CSR’ step of SSL Cert activation. This process varies wildly by SSL vendor, and also the level of security of SSL you purchased. Be warned that SSL Certificate authorization emails may be sent to the administrative and technical contacts on file with the domain registrar, too, so this process can take up to a few days.

Step 5. Once your SSL certificate is generated, you can download it from your SSL vendor and upload it to your server. If you’re using GoDaddy you’ll need the gd_bundle.crt file too.

Step 6. Now that you have your key, SSL Cert (.crt file) and the ca bundle (Certificate Authority) you have to edit the http.conf or ssl.conf file for Apache to know where to load the certificate files. This is how my ssl.conf looks

SSLCertificateFile /etc/pki/tls/certs/your-domain-name.crt
SSLCertificateKeyFile /etc/pki/tls/private/your-domain-name.key
SSLCACertificateFile /etc/pki/tls/certs/gd_bundle.crt

Step 7. Use apachectl to do a syntax check on the config files

apachectl -t
syntax OK

Step 8. Fix any typos you made, and finally start or restart Apache:

apachectl restart

At this point you might get excited and try accessing your website at https:// for the first time, but on many configurations, the odds are port 443 is blocked by default. If you get a long connection or timeouts, that’s probably your issue too. So it may be necessary to open port 443 with iptables like this post shows. I found the second one worked

iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT