Running your own web server with an SSL certificate from a recognized certificate authority, so that browsers show no warning, would be a good thing. But the cost of a certificate from Verisign & Co. quickly makes you forget that idea. The provider StartSSL does, however, offer free SSL server certificates that are valid for one year. How great is that! In this tutorial we show the process of securing your Apache web server with such a free SSL certificate.
Become root (su) or simply prepend sudo to all commands that require root privileges.
Getting the required software
The first thing we need is a working Apache webserver with SSL installed.
yum install mod_ssl openssl
Generate the keys and the CSR
Create the RSA key pair (the private key file also contains the public key).
openssl genrsa -out domain.com.key 2048
Create the certificate signing request.
openssl req -new -key domain.com.key -out domain.com.csr
Here is an example input:
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Los Angeles
Locality Name (eg, city) [Default City]:Los Angeles
Organization Name (eg, company) [Default Company Ltd]:Company Inc.
Organizational Unit Name (eg, section) []:Secure Services Department
Common Name (eg, your name or your server's hostname) []:domain.com
Email Address []:info@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:Company Inc.
OK, now that we have the domain.com.key and domain.com.csr files in place, we can start the certificate creation process. Here is how the process continues in general. The CSR is sent to the certificate authority, which creates a certificate. The certificate contains the public key, details of the holder and of the issuer, and the issuer's digital signature over all the contained information and the key. Thus the key is bound to an identity. The final certificate is stored on the server, which delivers it to a client on request. The next step covers this process.
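The key and CSR steps above can be scripted and checked before the CSR is pasted anywhere. The following is an added example, not code from the original tutorial: it generates the key with a restrictive umask, writes the CSR non-interactively (the subject fields and the domain/output directory are constructed placeholders), and then confirms that the CSR really belongs to the key (same RSA modulus), that its self-signature verifies (so a copy-and-paste error is caught) and which Common Name the CA will see.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumes openssl is installed.
# DOMAIN and OUTDIR are placeholders supplied by the caller.

# Generate a 2048-bit RSA key and a CSR whose Common Name is $1, into $2.
# The remaining subject fields are constructed example values.
gen_key_csr() {
    domain="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    # umask 077: the private key file is never created world-readable
    ( umask 077 && openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -subj "/C=US/ST=California/L=Los Angeles/O=Company Inc./CN=$domain" 2>/dev/null
}

# 0 if the CSR ($1) carries the public key of the private key ($2):
# both commands print "Modulus=<hex>", which must be identical.
csr_matches_key() {
    csr_mod=$(openssl req -in "$1" -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus) || return 1
    [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]
}

# 0 if the CSR's self-signature verifies, i.e. the file was not truncated
# or altered while being copied into the CA's web form.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print the Common Name from the CSR subject (handles both the
# "CN = x" and "/CN=x" subject formats printed by different OpenSSL versions).
csr_common_name() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Stand-alone usage: sh gen_csr.sh domain.com /root/ssl   (placeholder names)
if [ "$#" -eq 2 ]; then
    gen_key_csr "$1" "$2" \
        && csr_matches_key "$2/$1.csr" "$2/$1.key" \
        && csr_signature_ok "$2/$1.csr" \
        && echo "CSR ready for CN=$(csr_common_name "$2/$1.csr")"
fi
```

Run the three checks again on the CSR text you actually pasted (save the form contents to a file first); a CSR that fails `csr_signature_ok` will be rejected by the CA, and one that fails `csr_matches_key` would yield a certificate Apache cannot use with the key on disk.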
Generate a certificate
Make sure that you have created the following administrative e-mail addresses for your domain. You need them to verify domain ownership.
postmaster@domain.com
hostmaster@domain.com
webmaster@domain.com
Now visit StartSSL and choose the Express Lane to create your free SSL certificate. Skip the step where StartSSL asks you to create the private key and CSR, as we have already created them on our server. Open the domain.com.csr file on your server with your favorite editor.
vi domain.com.csr
Copy and paste the complete CSR into the text field on StartSSL. After a verification process you can copy the certificate from StartSSL and save it on your server. Open your editor again, paste the CRT and save it.
vi domain.com.crt
In summary, we now have three files on our server: the KEY, the CSR and the CRT file. Copy these files to their respective directories.
cp domain.com.key /etc/pki/tls/private/
cp domain.com.csr /etc/pki/tls/private/
cp domain.com.crt /etc/pki/tls/certs/
For browser compatibility we need to save the intermediate certificate (IM) from StartSSL on our server as well. Navigate to the certificates directory and download the IM file.
cd /etc/pki/tls/certs/
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
Now we have to tell Apache about the new certificate, key and IM file locations. Open ssl.conf and edit the file paths.
vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key
SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem
Restart Apache to check that everything is in order.
/etc/init.d/httpd restart
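Before that restart it is worth confirming that the three files Apache was just pointed at actually fit together; a wrong key or intermediate otherwise shows up only as a failed httpd start or as browser warnings. The script below is an added example, not part of the original tutorial. It checks that the CRT and KEY share the same RSA modulus, that the CRT chains through the IM file to a trusted root (the system trust store by default, or a root bundle you pass explicitly), that the private key in /etc/pki/tls/private/ is readable by its owner only, and that the certificate is within its validity period. The file paths are the tutorial's placeholders; openssl and a GNU or BSD stat are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: run after copying the
# KEY, CRT and intermediate (IM) files and before restarting Apache.
# Assumes openssl is installed; all paths are placeholders.

# 0 if the certificate ($1) and the private key ($2) share the same RSA modulus.
cert_matches_key() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 0 if the certificate ($1) chains through the intermediate file ($2) to a
# trusted root. Optional $3 is a root bundle to trust instead of the system
# store; without it the system trust store is used, as a browser would.
cert_chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# 0 if the private key is readable by its owner only (mode 600 or stricter).
# A world-readable key under /etc/pki/tls/private/ lets any local account
# read it and impersonate the server.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) \
        || mode=$(stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        ?00|??00) return 0 ;;   # group and other permission digits are both zero
        *)        return 1 ;;
    esac
}

# 0 if the certificate is inside its validity period right now.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run every check: ssl_files_ok CRT KEY IM [ROOT]
ssl_files_ok() {
    cert_matches_key "$1" "$2" || { echo "private key does not match certificate"; return 1; }
    cert_chain_ok "$1" "$3" "$4" || { echo "certificate does not chain to a trusted root via $3"; return 1; }
    key_perms_ok "$2" || { echo "private key $2 is not mode 600"; return 1; }
    cert_not_expired "$1" || { echo "certificate has expired"; return 1; }
    echo "all checks passed, safe to restart Apache"
}

# Stand-alone usage with the tutorial's paths:
#   sh sslcheck.sh /etc/pki/tls/certs/domain.com.crt \
#       /etc/pki/tls/private/domain.com.key /etc/pki/tls/certs/sub.class1.server.ca.pem
if [ "$#" -ge 3 ]; then
    ssl_files_ok "$@"
fi
```

The chain check passes the IM file with `-untrusted` rather than `-CAfile`, so it answers the question a browser asks (does this leaf plus this intermediate reach a root I already trust?) instead of blindly trusting whatever file happens to be named as the chain.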
Setting up the virtual hosts
As the last step we need to add new VirtualHosts for the SSL port.
vi /etc/httpd/conf.d/vhost.conf
Here is an example VirtualHost entry for your convenience:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@domain.com
    ServerName domain.com
    ServerAlias www.domain.com
    DocumentRoot /srv/www/domain.com/public_html/
    ErrorLog /srv/www/domain.com/logs/error.log
    CustomLog /srv/www/domain.com/logs/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem
</VirtualHost>
Additionally, it is useful to adjust your .htaccess as well to handle the new SSL requests. To redirect all non-SSL requests to SSL, use these lines:
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://domain.com/$1 [R,L]
Do not forget to change your canonical redirect. Here is a www to non-www example (the dots in the host name are escaped so they match literally):
RewriteCond %{HTTP_HOST} ^www\.domain\.com [NC]
RewriteRule ^(.*)$ https://domain.com/$1 [L,R=301]
Finally we can restart Apache for the last time.
/etc/init.d/httpd restart
Check your certificate with SSL Certificate Tester. Make sure to open port 443 on your firewall.
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v
Install Apache mod_ssl
# yum install mod_ssl
Go to the certs folder on CentOS 6
# cd /etc/ssl/certs/
Regenerate the private key and CSR with the help of the following OpenSSL command
# openssl req -nodes -newkey rsa:2048 -keyout namhuy_net.key -out namhuy_net.csr
Get the CA root certificate from Verisign, Thawte, GlobalSign or Comodo. After you purchase a cert from one of those vendors, you will get an email with the cert files. Upload those files to
/etc/ssl/certs/
Save the combined file as namhuy_net.pem. The .pem file is now ready to use.
The SSL configuration file for Apache is where I ended up putting the configurations for my server.
# nano /etc/httpd/conf.d/ssl.conf
Edit these lines:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/namhuy_net.crt
SSLCertificateKeyFile /etc/ssl/certs/namhuy_net.key
SSLCertificateChainFile /etc/ssl/certs/namhuy_net.pem
Restart httpd service
# service httpd restart
Source: http://namhuy.net/760/how-to-install-an-ssl-certificate-on-centos-for-apache.html
yum command not found