How to Configure an SSL secured Website in CentOS
- Getting the required software
For an SSL-encrypted web server you will need a few things. Depending on your install you may or may not have OpenSSL and mod_ssl, Apache's interface to OpenSSL. Use yum to get them if you need them. Your Hostway server may already have these enabled.
yum install mod_ssl openssl
Yum will either tell you they are installed or will install them for you.
- Generate a self-signed certificate
Using OpenSSL we will generate a self-signed certificate. You can use a certificate from a Certificate Authority, however, it is not required.
# Generate private key
openssl genrsa -out yoursite.key 2048
# Generate CSR
openssl req -new -key yoursite.key -out yoursite.csr
# Generate self-signed certificate (valid for 365 days)
openssl x509 -req -days 365 -in yoursite.csr -signkey yoursite.key -out yoursite.crt
# Copy the files to the correct locations
cp yoursite.crt /etc/pki/tls/certs
cp yoursite.key /etc/pki/tls/private/yoursite.key
cp yoursite.csr /etc/pki/tls/private/yoursite.csr
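As an added example (not part of the original article), the script below runs the same three openssl steps non-interactively and then checks, before anything is copied into /etc/pki/tls, that the certificate actually belongs to the key and that it is self-signed. It assumes the openssl CLI is installed; the WORK directory and the sample subject are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: run the article's three
# openssl steps non-interactively, then verify the certificate really belongs to
# the key before copying anything into /etc/pki/tls. Assumes the openssl CLI is
# installed; WORK and the sample subject below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory standing in for /etc/pki/tls
SITE="yoursite"
SUBJ="/C=US/ST=State/L=City/O=Example Org/CN=www.example.com"   # constructed sample

# The same key -> CSR -> self-signed certificate sequence as the article, with
# -subj so that "openssl req" does not prompt for the distinguished name.
gen_cert() {
    openssl genrsa -out "$WORK/$SITE.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$SITE.key" -subj "$SUBJ" -out "$WORK/$SITE.csr"
    openssl x509 -req -days 365 -in "$WORK/$SITE.csr" \
        -signkey "$WORK/$SITE.key" -out "$WORK/$SITE.crt" 2>/dev/null
}

# httpd will refuse to start when SSLCertificateFile and SSLCertificateKeyFile
# do not belong together; comparing the RSA modulus of each catches a stray
# copy before the restart. Prints "match" or "MISMATCH".
check_pair() {
    key_mod=$(openssl rsa -noout -modulus -in "$1")
    crt_mod=$(openssl x509 -noout -modulus -in "$2")
    [ "$key_mod" = "$crt_mod" ] && echo match || echo MISMATCH
}

# A self-signed certificate has identical subject and issuer, which is exactly
# why browsers warn about it. Prints "self-signed" or "ca-signed".
cert_issuer_kind() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo self-signed || echo ca-signed
}

# "yes" if the certificate is still valid in N days; the article's -days 365
# means it needs replacing within a year.
cert_ok_for_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null \
        && echo yes || echo no
}

gen_cert
echo "$SITE: key/cert $(check_pair "$WORK/$SITE.key" "$WORK/$SITE.crt"), $(cert_issuer_kind "$WORK/$SITE.crt"), files in $WORK"
```

Run it once on the server after generating the files; a "MISMATCH" means the .crt and .key you are about to reference in ssl.conf come from different key pairs.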
Then we need to update the Apache SSL configuration file:
vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
Change the SSLCertificateFile path to match where the certificate file is stored. If you've used the method above it will be
Then set the correct path for the Certificate Key File (SSLCertificateKeyFile) a few lines below. If you've followed the instructions above it is:
Quit and save the file and then restart Apache:
/etc/init.d/httpd restart
or
service httpd restart
All being well, you should now be able to connect over https to your server and see the default CentOS page. As the certificate is self-signed, browsers will generally ask you whether you want to accept it.
- Setting up the virtual hosts
Just as you set up VirtualHosts for http on port 80, so you do for https on port 443. A typical VirtualHost for a site on port 80 looks like this:
To add a sister site on port 443 you need to add the following at the top of your file:
and then a VirtualHost record something like this:
Restart Apache again using
- Configuring the firewall
You should now have a site working over https using a self-signed certificate. If you can't connect you may need to open the port on your firewall. To do this amend your iptables rules:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v
Note that -A appends the rule to the end of the INPUT chain. If the chain already ends with a catch-all REJECT rule, as the default CentOS ruleset does, an appended ACCEPT is never reached; check its position in the iptables -L -v output and insert it above the REJECT rule (iptables -I) if necessary.