How to install an SSL certificate on CentOS for Apache
Posted on March 19th, 2011. 9 comments
Getting Apache to serve up pages over a secure connection requires a little bit of configuration.
If you want to use a self-signed certificate, you may want to look here.
Step 1. Make sure you have openssl and mod_ssl installed on your CentOS server.
yum install openssl mod_ssl
Step 2. Make sure Apache is configured to load the mod_ssl module. In my case, in /etc/httpd/conf/httpd.conf it says:
This little line of code is how the file /etc/httpd/conf.d/ssl.conf gets loaded. The SSL configuration file for Apache is where I ended up putting the configurations for my server.
Step 3. Now we’re ready to generate a CSR – Certificate Signing Request. This is something unique to your specific server that you use to generate a CRT (actual SSL certificate file) from your SSL vendor of choice. Note that this process could require several hours or days, along with email confirmations from your domain’s technical or administrative contact.
This page on the CentOS wiki gives you a great overview of the process. But after I tried that, GoDaddy complained that it needed a 2048-bit CSR. So this page showed me how to generate the CSR with a 2048-bit key:
openssl req -nodes -newkey rsa:2048 -keyout your-domain-name.key -out your-domain-name.csr
Now of course you will be replacing your-domain-name with the exact domain name (or subdomain if applicable). By default, using openssl on the command line generates files in the current working directory, but you can pass in the full pathnames if you want, too.
Step 4. Copy and paste that mess into your SSL vendor’s ‘Paste CSR’ step of SSL Cert activation. This process varies wildly by SSL vendor, and also the level of security of SSL you purchased. Be warned that SSL Certificate authorization emails may be sent to the administrative and technical contacts on file with the domain registrar, too, so this process can take up to a few days.
Step 5. Once your SSL certificate is generated, you can download it from your SSL vendor and upload it to your server. If you’re using GoDaddy you’ll need the gd_bundle.crt file too.
Step 6. Now that you have your key, SSL cert (.crt file) and the CA (Certificate Authority) bundle, you have to edit the httpd.conf or ssl.conf file so Apache knows where to load the certificate files from. This is how my ssl.conf looks:
SSLCertificateFile /etc/pki/tls/certs/your-domain-name.crt
SSLCertificateKeyFile /etc/pki/tls/private/your-domain-name.key
SSLCACertificateFile /etc/pki/tls/certs/gd_bundle.crt
Step 7. Use apachectl to do a syntax check on the config files:
apachectl -t
Syntax OK
Step 8. Fix any typos you made, and finally start or restart Apache:
At this point you might get excited and try accessing your website at https:// for the first time, but on many configurations port 443 is blocked by default. If the connection hangs or times out, that’s probably your issue too. So it may be necessary to open port 443 with iptables, like this post shows. I found the second one worked:
iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
Hopefully this helped you.
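As an added example (not part of the original post), a small POSIX shell script that checks the key, certificate and CA bundle from Steps 3 to 6 before Apache is pointed at them: that the private key actually matches the certificate, that the certificate verifies against the bundle, that the key is at least 2048 bits (the size GoDaddy insisted on), and that the key file is not readable by other users. Paths and the domain are passed as arguments; the function names are hypothetical helpers, not anything from Apache or openssl.

```shell
#!/bin/sh
# Pre-flight checks for the key / cert / bundle trio named in ssl.conf.

# Step 3 as a function: 2048-bit key and CSR for <domain>, written to <dir>.
gen_csr() {  # gen_csr <dir> <domain>
    openssl req -nodes -newkey rsa:2048 -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
}

# Key and certificate must share the same RSA modulus, otherwise Apache
# refuses to start (or serves a cert nobody holds the key for).
key_matches_cert() {  # key_matches_cert <key> <crt>; returns 0 on match
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The CA bundle (gd_bundle.crt in the post) must chain up to the server cert,
# or browsers will see an incomplete chain even though Apache starts fine.
cert_chains_to_bundle() {  # cert_chains_to_bundle <crt> <bundle>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Size of the RSA key, to catch the 1024-bit CSR that the vendor rejected.
key_bits() {  # key_bits <key>; prints the bit length
    openssl rsa -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n1
}

# The private key lives in /etc/pki/tls/private for a reason: anyone who can
# read it can impersonate the site, so only 0600 or 0400 is acceptable.
key_is_private() {  # key_is_private <key>; 0 if mode is 0600 or 0400
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Run every check; prints one line per check, returns non-zero on any failure.
check_all() {  # check_all <key> <crt> <bundle>
    rc=0
    key_matches_cert "$1" "$2" && echo "ok: key matches cert" \
        || { echo "FAIL: key does not match cert"; rc=1; }
    cert_chains_to_bundle "$2" "$3" && echo "ok: cert verifies against bundle" \
        || { echo "FAIL: cert does not verify against bundle"; rc=1; }
    [ "$(key_bits "$1")" -ge 2048 ] 2>/dev/null && echo "ok: key is $(key_bits "$1") bits" \
        || { echo "FAIL: key shorter than 2048 bits"; rc=1; }
    key_is_private "$1" && echo "ok: key file mode is private" \
        || { echo "FAIL: key file is group/world readable"; rc=1; }
    return $rc
}
```

Run it as `check_all /etc/pki/tls/private/your-domain-name.key /etc/pki/tls/certs/your-domain-name.crt /etc/pki/tls/certs/gd_bundle.crt` before the apachectl -t step.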
Amazingly helpful, especially the last part about opening 443. THANKS!
Hi, I use a GoDaddy CentOS VPS. Can I just use the Simple Control Panel to create a CSR?
Or, if I do it this way, will it show in my Simple Control Panel?
No, it is not cPanel or Plesk! It is GoDaddy's version of a control panel called Simple Control Panel. It was free because I can't afford cPanel on top of the VPS I bought.
But it does have a section that sets up certs, so I'll use that.
I have apache + nginx on my server. Will it still work for me?
Very informative article on site security with ssl. Thanks, I really walked away more educated than before. Wildcard SSL certs can secure multiple subdomains is something I recently picked up.
This article is very informative and we made progress in making our site up.
Incredibly helpful, thanks heaps!