How To Create Self-Signed SSL Certificate on Apache for CentOS 7

This tutorial shows how to secure a web site or blog with an SSL certificate on Apache. A self-signed certificate is used here, so the browser will not trust it by default, but the connection is still encrypted.

Step 1. Install the httpd and mod_ssl packages. To set up the self-signed certificate, make sure that mod_ssl, the Apache module that provides SSL support, is installed on the server. Install httpd and mod_ssl with the command below:

# yum install httpd mod_ssl

Step 2. Enable the httpd service so that it starts automatically when the server reboots; mod_ssl is loaded by httpd automatically once it is installed.

# systemctl enable httpd

Step 3. Create a new self-signed certificate. First create a directory under /etc/ssl/ to hold the private key and restrict its permissions to 700, so that only root can enter it:

# mkdir -p /etc/ssl/private

# chmod 700 /etc/ssl/private

Now that the private directory exists, generate the SSL key and certificate files with openssl:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mytech-selfsigned.key -out /etc/ssl/certs/mytech-selfsigned.crt

Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:Singapore
Locality Name (eg, city) [Default City]:Singapore
Organization Name (eg, company) [Default Company Ltd]:MyTechRepublic Inc
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, your name or your server’s hostname) []:mytechrepublic.com
Email Address []:[email protected]

The options used in the command above are:

openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.

req -x509: req is the subcommand for X.509 certificate signing request (CSR) management; with -x509 it outputs a self-signed certificate instead of a CSR. X.509 is the public key infrastructure standard that SSL and TLS follow for key and certificate management.

-nodes: This tells OpenSSL not to protect the private key with a passphrase. Apache must be able to read the key without user intervention when the server starts; a passphrase would have to be typed after every restart.

-days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.

-newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.

-keyout: This line tells OpenSSL where to place the generated private key file that we are creating.

-out: This tells OpenSSL where to place the certificate that we are creating.

Step 4. Verify that both files were created:

# ls -l /etc/ssl/certs/mytech-selfsigned.crt

# ls -l /etc/ssl/private/mytech-selfsigned.key

Step 5. Add another layer of security: generate a strong Diffie-Hellman group, which is used when negotiating Perfect Forward Secrecy with clients, with the command below

# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This may take a while to generate. When it is done, verify the file at this path:

# ls -l /etc/ssl/certs/dhparam.pem

Step 6. The Apache version shipped with CentOS 7 does not support the SSLOpenSSLConfCmd directive, so instead append the generated DH group to the end of the self-signed certificate file:

# cat /etc/ssl/certs/dhparam.pem | tee -a /etc/ssl/certs/mytech-selfsigned.crt

The “mytech-selfsigned.crt” file should now have both the certificate and the generated Diffie-Hellman group.

[[email protected] certs]# cat mytech-selfsigned.crt
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAy65g3mX+IhtgTeZ5Aa2D66+wJvzmYBS2QT6EFhRPtPy8kRe8wUML
nRJJ8lghAL/yyzgLCwBLpLx9kD2Zfg2dZyssaHro80en7xLLDE4EmZsFnGXHpS6O
C9//0h5pRjlv5M4Z6zxp0lH10NyC1qH0OwIBAg==
-----END DH PARAMETERS-----
[[email protected] certs]#
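The following script is added here as an example and is not part of the original post. It checks the results of steps 3 to 6: that the combined certificate file has the layout Apache expects (one certificate block first, one DH block after it), that the private key actually belongs to the certificate, and that the key file is not readable by other users. The sample PEM content it builds is constructed with fake base64 bodies purely to exercise the layout check offline.

```shell
# Added example, not from the original post: sanity-check the key, certificate
# and DH bundle produced in steps 3 to 6 before Apache is pointed at them.

# grep -c exits 1 on no match; swallow that so "set -e" scripts still get "0".
count_lines() { grep -c -- "$1" "$2" 2>/dev/null || true; }

# Step 6 appends the DH group to the certificate file. Apache takes the server
# certificate from the first PEM block, so require exactly one CERTIFICATE
# block, exactly one DH PARAMETERS block, and the certificate first.
pem_bundle_layout_ok() {
  f="$1"
  [ -r "$f" ] || return 1
  [ "$(count_lines '^-----BEGIN CERTIFICATE-----$' "$f")" = 1 ] || return 1
  [ "$(count_lines '^-----END CERTIFICATE-----$' "$f")" = 1 ] || return 1
  [ "$(count_lines '^-----BEGIN DH PARAMETERS-----$' "$f")" = 1 ] || return 1
  [ "$(count_lines '^-----END DH PARAMETERS-----$' "$f")" = 1 ] || return 1
  first=$(grep -- '^-----BEGIN ' "$f" | head -n 1)
  [ "$first" = '-----BEGIN CERTIFICATE-----' ]
}

# The private key must belong to the certificate: compare RSA modulus digests
# (needs openssl; an empty digest on either side fails the check).
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# The key file must not be readable by group or others, matching the 700 on
# /etc/ssl/private (columns 5-10 of "ls -l" are the group/other bits).
key_perms_ok() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample bundle (fake base64 bodies) for exercising the layout
# check offline: "cert_first" mimics step 6, "dh_first" the DH group prepended.
make_sample_bundle() {
  out=$(mktemp)
  cert='-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUZmFrZSBjZXJ0IGJvZHk=
-----END CERTIFICATE-----'
  dh='-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAZmFrZSBkaCBwYXJhbXM=
-----END DH PARAMETERS-----'
  if [ "$1" = cert_first ]; then printf '%s\n%s\n' "$cert" "$dh" >"$out"
  else printf '%s\n%s\n' "$dh" "$cert" >"$out"; fi
  echo "$out"
}
```

On the server, call pem_bundle_layout_ok /etc/ssl/certs/mytech-selfsigned.crt, key_matches_cert with the certificate and key paths, and key_perms_ok on the key; each returns 0 only when its check passes.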

Step 7. Configure httpd to enable SSL. Open the file below in your favorite editor, but first back it up under a name that does not end in .conf: Apache loads every .conf file in conf.d, so a backup named ssl.conf.bak or similar would otherwise be read as well.

# cp -rp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.bak


# vim /etc/httpd/conf.d/ssl.conf

Uncomment the DocumentRoot line and set the path in quotes to your site's document root. By default this is /var/www/html, so the line does not need to change unless you moved the document root. If you followed the Apache virtual hosts guide, your site's document root may be different.

Next, uncomment the ServerName line and replace the example name with your domain name or server IP address (whichever you entered as the common name in your certificate). The resulting ssl.conf looks like this:

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ServerName mytechrepublic.com:443
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    # Only the last SSLCipherSuite in a context takes effect, so keep a single
    # line with the forward-secret AES-GCM suites first.
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    SSLCompression off
    SSLUseStapling on

    SSLCertificateFile /etc/ssl/certs/mytech-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/mytech-selfsigned.key

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>


Step 8. Run a configuration test to check for errors, then start the httpd service.

# apachectl configtest


[[email protected] ~]# apachectl configtest
Syntax OK
[[email protected] ~]#


# systemctl start httpd


Then allow port 443 through firewalld, either by service name or by port number:

# firewall-cmd --zone=public --permanent --add-service=https

OR

# firewall-cmd --zone=public --permanent --add-port=443/tcp


Rules added with --permanent only land in the saved configuration, so reload firewalld before they take effect. To list the ports opened this way, run the command below (a rule added with --add-service shows up under --list-services instead of --list-ports):

# firewall-cmd --zone=public --permanent --list-ports

Now open your favorite web browser and go to your domain name or IP address with https:// to see the new certificate in action. Because the certificate is self-signed, the browser will warn that it is not trusted; that is expected, and the connection is still encrypted.

https://mytechrepublic.com