Setting up an HTTPS connection using SSL on CentOS requires a series of steps that depend on the server type and whether you’re using a self-signed certificate or one from a certificate authority (CA). Below is a general approach using Apache.
Prerequisites
Before you begin:
Ensure you have root or sudo access to the CentOS server.
Install Apache (
httpd) if not already installed.
SSL certificate with a CSR file
The steps you need to take in order to produce an SSL certificate with a CSR file are the following:
-
From the command line, type the following command
openssl req -new -newkey rsa:2048 -nodes -keyout <sitename>.key -out <sitename>.csrDuring this step, you will be asked to provide information such as Country, State or Province etc. The result of the above command is a private key .key file, which will be used in the next step
- Use the .csr produced by the previous steps to issue your certificate with the CA provider of your choice. Once your provider completes the process, you will get back two files (a certificate and a chain file).
-
Create a new directory in your file system to store the certificate files.
mkdir /var/www/vhosts/certsNote: You can use another path for the above directory. -
Move the .key file produced in step 1 to the directory certs
mv <sitename>.key /var/www/vhosts/certs -
Move the certificate and chain files (from step 2) to the folder certs
mv <sitename>.crt /var/www/vhosts/certsmv <sitename>_ca.crt /var/www/vhosts/certs -
Change the permissions of the certs directory and its files as follows
chmod -R 400 /var/www/vhosts/certs -
Change the ownership of the certs directory and its files as follows
chown -R root:root /var/www/vhosts/certs -
Install mod_ssl for your Apache server
yum install mod_ssl -
Modify your vhosts file as follows
<VirtualHost <ip_address>:443> ServerName <sitename> DocumentRoot "/var/www/vhosts/<efront-directory>/" SSLEngine on SSLProtocol -ALL -SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT SSLCertificateFile /var/www/vhosts/certs/<sitename>.crt SSLCertificateKeyFile /var/www/vhosts/certs/<sitename>.key SSLCertificateChainFile /var/www/vhosts/certs/<sitename>_ca.crt <Directory "/var/www/vhosts/<efront-directory>/"> AllowOverride All </Directory> </VirtualHost> -
If you would like your domain name to only support https access, add the following lines to your hosts file
<VirtualHost <ip_address>:80> ServerName <sitename> DocumentRoot "/var/www/vhosts/<efront-directory>/" <Directory "/var/www/vhosts/<efront-directory>/"> AllowOverride All </Directory> RewriteEngine on ReWriteCond %{SERVER_PORT} !^443$ RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L] </VirtualHost> - Modify your firewall settings (/root/myfirewall) to allow incoming connections to port 443
-
After modifying your firewall settings, do not forget to "run" your firewall settings again
./myfirewall -
Make sure the file /etc/httpd/conf/httpd.conf contains the following line, and if not, add it
NameVirtualHost *:443 -
Edit the file /etc/sysconfig/httpd and add the following line
export OPENSSL_NO_DEFAULT_ZLIB=1 - Restart your Apache server
SSL certificate with a PFX file
The steps you need to take in order to produce an SSL certificate with a PFX file are the following:
-
Create a new directory in your file system to store the certificate files.
mkdir /var/www/vhosts/certsNote: You can use another path for the above directory. -
Run the following command
openssl pkcs12 -in <sitename>.pfx -clcerts -nokeys -out <sitename>.crt -
Run the following command
openssl pkcs12 -in <sitename>.pfx -nocerts -nodes -out <sitename>.key -
Run the following command
openssl pkcs12 -in <sitename>.pfx -out <sitename>-ca.crt -nodes -nokeys -cacertsNote: If this step produces an empty file, do not include it in your .conf file - Continue with the process described in the section "SSL certificate with a CSR file" starting from step 6