How to Configure an SSL secured Website in CentOS
- Getting the required software
For an SSL-encrypted web server you will need a few things. Depending on your install you may or may not already have OpenSSL and mod_ssl, Apache's interface to OpenSSL. Use yum to install them if you need them. Your Hostway server may already have these enabled.
yum install mod_ssl openssl
Yum will either tell you they are installed or will install them for you.
- Generate a self-signed certificate
Using OpenSSL we will generate a self-signed certificate. You can use a certificate from a Certificate Authority instead, but it is not required.
# Generate private key
openssl genrsa -out yoursite.key 2048
# Generate CSR
openssl req -new -key yoursite.key -out yoursite.csr
# Generate self-signed certificate (valid for 365 days)
openssl x509 -req -days 365 -in yoursite.csr -signkey yoursite.key -out yoursite.crt
# Copy the files to the correct locations
cp yoursite.crt /etc/pki/tls/certs
cp yoursite.key /etc/pki/tls/private/yoursite.key
cp yoursite.csr /etc/pki/tls/private/yoursite.csr
Then we need to update the Apache SSL configuration file:
vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
Change the paths to match where the certificate and key files are stored. If you've used the method above it will be:
SSLCertificateFile /etc/pki/tls/certs/yoursite.crt
Then set the correct path for the Certificate Key File a few lines below. If you've followed the instructions above it is:
SSLCertificateKeyFile /etc/pki/tls/private/yoursite.key
Quit and save the file, then restart Apache:
/etc/init.d/httpd restart
or
service httpd restart
All being well you should now be able to connect over https to your server and see the default CentOS page. As the certificate is self-signed, browsers will generally ask you whether you want to accept it.
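The certificate generation above, as an added shell example that is not part of the original article: it scripts the three openssl steps non-interactively into a directory of your choosing (not the /etc/pki paths used above), keeps the private key at mode 0600, and checks that the key actually matches the certificate, that the subject CN matches the ServerName you will use, and that the certificate is not about to expire, before you point ssl.conf at the files. The directory, hostname and function names are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own commands). Assumes openssl is installed.
set -eu

# make_selfsigned DIR NAME DAYS: key + CSR + self-signed cert, as in the article,
# but non-interactive and with the private key created under umask 077.
make_selfsigned() {
    dir=$1; name=$2; days=$3
    mkdir -p "$dir"
    # subshell so the umask does not leak into the caller's environment
    (umask 077 && openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    # -subj avoids the interactive prompts; the CN must equal Apache's ServerName
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# cert_matches_key CRT KEY: succeeds only if the public key embedded in the
# certificate is the one derived from KEY (the classic mismatch after a re-key).
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ]
}

# key_is_private KEY: succeeds if the file mode is 0600 or 0400
# (the article's cp into /etc/pki/tls/private does not set this for you).
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# cert_cn CRT: prints the subject CN so it can be compared with ServerName.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=//p'
}

# cert_valid_for_days CRT N: succeeds if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Run the checks after `make_selfsigned` and again whenever you replace either file; a mismatched pair makes httpd refuse to start, and a world-readable key defeats the point of the certificate.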
- Setting up the virtual hosts
Just as you set up VirtualHosts for http on port 80, so you do for https on port 443. A typical VirtualHost for a site on port 80 looks like this:
<VirtualHost *:80>
<Directory /var/www/vhosts/yoursite.com/httpdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/yoursite.com/httpdocs
ServerName yoursite.com
</VirtualHost>
To add a sister site on port 443 you need to add the following at the top of your file:
NameVirtualHost *:443
and then a VirtualHost record something like this:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/yoursite.crt
SSLCertificateKeyFile /etc/pki/tls/private/yoursite.key
<Directory /var/www/vhosts/yoursite.com/httpsdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
ServerName yoursite.com
</VirtualHost>
Restart Apache again using:
/etc/init.d/httpd restart
- Configuring the firewall
You should now have a site working over https using a self-signed certificate. If you can't connect you may need to open the port on your firewall. To do this, amend your iptables rules, save them, and list them to confirm the rule is present:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v