Ramblings on technology with a dash of social commentary
RSS icon Email icon Home icon
  • How to install an SSL certificate on CentOS for Apache

    Posted on March 19th, 2011 phpguru 4 comments

    Getting Apache to serve up pages over a secure connection requires a little bit of configuration.

    If you want to use a self-signed certificate, you may want to look here.

    Step 1. Make sure you have openssl and mod_ssl installed on your CentOS server.

    yum install openssl mod_ssl

    Step 2. Make sure Apache is configured to load the mod_ssl module. In my case, in /etc/httpd/conf/httpd.conf it says:

    Include conf.d/*.conf

    This little line of code is how the file /etc/httpd/conf.d/ssl.conf gets loaded. The SSL configuration file for Apache is where I ended up putting the configurations for my server.

    Step 3. Now we’re ready to generate a CSR – Certificate Signing Request. This is something unique to your specific server that you use to generate a CRT (actual SSL certificate file) from your SSL vendor of choice. Note that this process could require several hours or days, along with email confirmations from your domain’s technical or administrative contact.

    This page on the CentOS wiki gives you a great overview of the process. But after I tried that, GoDaddy complained that it needed a 2048-bit CSR. So this page showed me how to generate the CSR with a 2048-bit key:

    openssl req -nodes -newkey rsa:2048 -keyout your-domain-name.key -out your-domain-name.csr

    Now of course you will be replacing your-domain-name with the exact domain name (or subdomain if applicable). By default, using openssl on the command line generates files in the current working directory, but you can pass in the full pathnames if you want, too.

    cat /path/to/your-domain-name.csr

    Step 4. Copy and paste that mess into your SSL vendor’s ‘Paste CSR’ step of SSL Cert activation. This process varies wildly by SSL vendor, and also the level of security of SSL you purchased. Be warned that SSL Certificate authorization emails may be sent to the administrative and technical contacts on file with the domain registrar, too, so this process can take up to a few days.

    Step 5. Once your SSL certificate is generated, you can download it from your SSL vendor and upload it to your server. If you’re using GoDaddy you’ll need the gd_bundle.crt file too.

    Step 6. Now that you have your key, SSL Cert (.crt file) and the ca bundle (Certificate Authority) you have to edit the http.conf or ssl.conf file for Apache to know where to load the certificate files. This is how my ssl.conf looks

    SSLCertificateFile /etc/pki/tls/certs/your-domain-name.crt
    SSLCertificateKeyFile /etc/pki/tls/private/your-domain-name.key
    SSLCACertificateFile /etc/pki/tls/certs/gd_bundle.crt

    Step 7. Use apachectl to do a syntax check on the config files

    apachectl -t
    syntax OK

    Step 8. Fix any typos you made, and finally start or restart Apache:

    apachectl restart

    At this point you might get excited and try accessing your website at https:// for the first time, but on many configurations, the odds are port 443 is blocked by default. If you get a long connection or timeouts, that’s probably your issue too. So it may be necessary to open port 443 with iptables like this post shows. I found the second one worked

    iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
    Hopefully this helped you.

    4 responses to “How to install an SSL certificate on CentOS for Apache” RSS icon

    • Amazingly helpful, especially the last part about opening 443. THANKS!

    • Hi, I use Go Daddy Centos VPS- can i just use the Simple Control Panel to create a CSR?

      Or if i do it this way will it show in my simple control panel?

    • @Android – I don’t use GoDaddy hosting, but is their ‘simple control panel’ CPanel or Plesk, or something other? Call their phone-in support and ask them, they’re pretty good. If you have root ssh into your VPS you may be able to get your SSL installed, but most likely it won’t install into the standard place that GoDaddy technicians are trained to look for, so they may not be able to help you if it doesn’t work. I’ve used the SSL installation feature in Web Host Manager before, but to be honest I thought it was simpler and made more sense on the command line. In any case, yes, it is usually recommended that you use the built-in feature provided by your hosting company control panel to do this if it has one.

    • Thanks Phpguru,

      No its is not cpanel or plesk! it is GoDaddys version of a control panel called simple control panel – it was free cos i cant afford cpanel on top of the vps i bought.

      But it does have a section that sets up certs so ill use that.

    Leave a reply