In this recipe, we will learn how to add a secure connection to the Apache web server by creating a self-signed SSL certificate using OpenSSL (strictly speaking the protocol in use today is TLS, but the Apache module and its directives keep the SSL name). This is often a requirement for web servers when the sites running on them carry sensitive data, such as credit card details or login credentials, from the web browser to the server. In a previous recipe you were shown how to install the Apache web server; with the growing demand for secure connections, the purpose of this recipe is to show you how to extend your current server configuration with SSL support.
To complete this recipe, you will require a working installation of the CentOS 7 operating system with root privileges, a console-based text editor of your choice, and a connection to the Internet in order to download additional packages. It is expected that the Apache web server has been installed and that it is currently running. Here we will create a new SSL certificate for Apache; if you want to learn more about this topic, refer to Chapter 6, Providing Security, for advice on generating self-signed certificates. Because a certificate is only valid for the exact name it was issued to, and browsers warn on any mismatch between that name and the one in the URL, a correct domain name is crucial for SSL to work. We will therefore continue to use centos7.home as our Apache web server's configured domain name throughout this recipe (change it to fit your own needs).
1. Apache does not support SSL encryption by default, so begin by installing the mod_ssl package with the yum package manager:
yum install mod_ssl

2. Installing mod_ssl also drops a default key and certificate into /etc/pki/tls/private/localhost.key and /etc/pki/tls/certs/localhost.crt. The Makefile we use in the next step treats existing files as already built and will not overwrite them, so delete them first:
rm /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt

3. Change into the system's certificate directory and generate a new self-signed test certificate:
cd /etc/pki/tls/certs
make testcert

4. You will first be asked for a passphrase for the private key and then for a series of identity questions. The only answer that matters for this recipe is the Common Name: enter exactly the hostname that clients will type into their browser, here www.centos7.home.

5. Back up Apache's SSL configuration file and open it in your text editor:
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.BAK
vi /etc/httpd/conf.d/ssl.conf

6. Find the <VirtualHost _default_:443> block and locate the line # DocumentRoot "/var/www/html" within this block. Activate it by removing the # character, so it reads:
DocumentRoot "/var/www/html"

7. A few lines further down, locate the line #ServerName www.example.com:443. Activate this line and change the value to the Common Name you used when creating the certificate, as follows:
ServerName www.centos7.home:443

8. Save and close the file. Then open the standard HTTPS port 443 in the firewall:
firewall-cmd --permanent --add-service=https && firewall-cmd --reload

9. Restart the httpd service to apply your changes. If prompted, enter the passphrase you chose when creating the SSL test certificate:
systemctl restart httpd

10. Test the secure connection by opening https://www.centos7.home in your browser instead of http://www.centos7.home. Because the certificate is self-signed, the browser will warn that the issuer is not trusted. This is expected for a test certificate; before clicking through, confirm that you are talking to your own server by comparing the fingerprint shown in the warning with the fingerprint of /etc/pki/tls/certs/localhost.crt.
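The whole procedure above as one script, added here as an example and not part of the cookbook's own material. It differs from the recipe in one deliberate way: the key and certificate are generated directly with openssl rather than with make testcert, so that the key carries no passphrase (httpd can restart unattended) and the certificate carries the hostname in a subjectAltName extension, which current browsers require in addition to the Common Name. Paths are the CentOS 7 ones used in the recipe; the hostname argument, the DAYS variable, the function names and the apply keyword are this example's own choices. Run it as root, for example ./apache-selfsigned.sh apply www.centos7.home.

```shell
#!/bin/bash
# Added example, not the cookbook's code: automates the recipe above for
# one hostname. Assumptions: CentOS 7 paths from the recipe, OpenSSL 1.0.2
# or newer, and that it is run as root, e.g.
#   ./apache-selfsigned.sh apply www.centos7.home
set -eu

SSL_CONF=${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}
KEY=${KEY:-/etc/pki/tls/private/localhost.key}
CRT=${CRT:-/etc/pki/tls/certs/localhost.crt}
DAYS=${DAYS:-365}   # keep test certificates short-lived

# Replacement for "make testcert": a 2048-bit RSA key (unencrypted, so httpd
# can start unattended) and a SHA-256 self-signed certificate that carries the
# hostname in subjectAltName as well as CN, since browsers ignore CN alone.
gen_selfsigned_cert() {
    host=$1; key=$2; crt=$3; days=$4
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 so the key is never world-readable, not even while being written
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$key" -out "$crt" -config "$cfg")
    rm -f "$cfg"
    chmod 600 "$key"
    chmod 644 "$crt"
}

# Steps 6 and 7 of the recipe: uncomment DocumentRoot and set ServerName in the
# _default_:443 virtual host. Safe to run repeatedly.
configure_ssl_conf() {
    conf=$1; host=$2; docroot=$3
    tmp=$(mktemp)
    sed -e "s|^#*[[:space:]]*DocumentRoot[[:space:]].*|DocumentRoot \"$docroot\"|" \
        -e "s|^#*[[:space:]]*ServerName[[:space:]].*|ServerName $host:443|" \
        "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # cat rather than mv keeps the file's owner and mode
    rm -f "$tmp"
}

# The two mistakes that silently break this recipe: a ServerName that is not in
# the certificate, and a private key readable by more than root.
check_setup() {
    conf=$1; crt=$2; key=$3
    name=$(sed -n 's/^ServerName[[:space:]]*\([^:[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    [ -n "$name" ] || { echo "no ServerName in $conf" >&2; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -Eq "DNS:$name(,|[[:space:]]|$)" \
        || { echo "$crt has no subjectAltName for $name" >&2; return 1; }
    mode=$(stat -c %a "$key")
    [ "$mode" = 600 ] || { echo "$key has mode $mode, expected 600" >&2; return 1; }
    echo "ok: $name"
}

apply() {
    host=$1
    yum -y install mod_ssl
    rm -f "$KEY" "$CRT"                        # discard the package's default pair
    gen_selfsigned_cert "$host" "$KEY" "$CRT" "$DAYS"
    [ -e "$SSL_CONF.BAK" ] || cp "$SSL_CONF" "$SSL_CONF.BAK"
    configure_ssl_conf "$SSL_CONF" "$host" /var/www/html
    apachectl configtest                        # fail here, not on restart
    firewall-cmd --permanent --add-service=https && firewall-cmd --reload
    systemctl restart httpd
    check_setup "$SSL_CONF" "$CRT" "$KEY"
    # Handshake test without a browser; -servername sends SNI like a browser would.
    # The fingerprint printed here is what users compare against the browser warning.
    echo | openssl s_client -connect 127.0.0.1:443 -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -dates -fingerprint -sha256
}

if [ "${1:-}" = apply ] && [ -n "${2:-}" ]; then
    apply "$2"
fi
```

The check at the end is worth keeping around after the initial setup: whenever the certificate is renewed or ssl.conf is edited, running check_setup and the s_client line catches a ServerName/certificate mismatch and a key with loose permissions before a browser does.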
We began the recipe by installing mod_ssl using the YUM package manager; it is the standard Apache module that provides SSL/TLS support. The next step was to go to the standard location where the system's certificates are kept on CentOS 7, that is, /etc/pki/tls/certs. Here we find a Makefile, a helper that conveniently generates self-signed SSL test certificates and hides the complicated OpenSSL command line parameters from you. Remember that the Makefile currently lacks a clean target, and make only builds targets whose output files are missing; therefore every time we run it we must delete the files generated by a former run manually, otherwise it will not do anything. After deleting the old Apache SSL files, we ran make with the testcert target, which creates a self-signed certificate and private key for the Apache web server and puts them in the locations already configured in the ssl.conf file (the SSLCertificateFile and SSLCertificateKeyFile directives), so we did not have to change anything there. During the process you were asked to provide a passphrase, which encrypts the private key on disk, before completing a series of questions. Complete the questions but pay special attention to the Common Name. As was mentioned in the main recipe, this value must match the domain name (or IP address) that clients use to reach your server, because browsers compare it with the name in the URL and warn on any mismatch. Note also that the Makefile sets only the Common Name; current browsers additionally expect the hostname in the certificate's subjectAltName extension, so with this test certificate you should expect a name-mismatch warning on top of the untrusted-issuer warning.

In the next phase, you were required to open Apache's SSL configuration file, /etc/httpd/conf.d/ssl.conf, in your favorite text editor. In it we enabled the DocumentRoot directive, so that the same document root is served over SSL, and activated the ServerName directive with the domain name that we defined as our Common Name value. We then saved and closed the configuration file and enabled the HTTPS service in our firewall, thus allowing incoming connections on the standard HTTPS port 443. Having completed these steps, you can now use a secure connection with a self-signed server certificate: just type https:// instead of http:// for any URL served by your Apache web server. Keep in mind what a self-signed certificate does and does not give you. The connection is encrypted, but nobody vouches for the server's identity, so a user cannot tell your server apart from an attacker presenting a different self-signed certificate unless they verify the fingerprint out of band. If you intend to use an SSL certificate on a production server for members of the public, your best option is therefore to obtain a certificate from a trusted Certificate Authority.
Since the private key we generated is protected by a passphrase, Apache asks for it every time the httpd service is started or restarted. This is impractical, as the service cannot come up unattended after a reboot. The default ssl.conf delegates the prompt to a helper program through the directive SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog, and whatever that program writes to standard output is used as the passphrase. To get rid of the prompt, we replace the helper with a script that simply prints the passphrase and make sure it is only accessible by root. First, back up the original script:
cp /usr/libexec/httpd-ssl-pass-dialog /usr/libexec/httpd-ssl-pass-dialog.BAK

Then replace XXXX in the following command line with your current SSL passphrase and run it, followed by the chmod:
echo -e '#!/bin/bash\necho "XXXX"' > /usr/libexec/httpd-ssl-pass-dialog
chmod 500 /usr/libexec/httpd-ssl-pass-dialog

Be aware of what this does to your security posture. The passphrase now sits in clear text on the same host as the key it protects, readable by root, so the key is effectively unencrypted: anyone who can read the script can use the key, and the passphrase also ends up in your shell history unless you clear it. In other words, this setup is no more secure than a key without a passphrase and correct file permissions (root-owned, mode 0600), only more complicated. Note too that /usr/libexec/httpd-ssl-pass-dialog is owned by an RPM package (rpm -qf will tell you which), so a package update may restore the original, interactive script and rpm -V will report the file as modified; if that happens, Apache will again block waiting for the passphrase on the next restart.
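Both ways of getting rid of the prompt, as an added example that is not part of the cookbook: option A is the recipe's approach done carefully (the script is created root-only from the start, quotes the passphrase correctly, and lives under /usr/local so that no package update can overwrite it), and option B removes the passphrase from the key instead. The /usr/local/libexec path, the function names and the dialog/strip keywords are this example's own choices; the other paths are the CentOS 7 ones from the recipe.

```shell
#!/bin/bash
# Added example, not the cookbook's code: the two ways to let httpd start
# without a passphrase prompt. Assumptions: CentOS 7 paths and the default
# "SSLPassPhraseDialog exec:..." line in /etc/httpd/conf.d/ssl.conf; the
# /usr/local/libexec path below is this example's choice, not a system default.
set -eu

KEY=${KEY:-/etc/pki/tls/private/localhost.key}
SSL_CONF=${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}
DIALOG=${DIALOG:-/usr/local/libexec/httpd-ssl-pass-dialog}   # not owned by any RPM

# Option A, the recipe's approach done carefully: a root-only script whose
# stdout is the passphrase. mod_ssl calls it with "servername:port" and the
# key type as arguments, so one script could serve several virtual hosts.
write_pass_dialog() {
    file=$1; passphrase=$2
    # single-quote the passphrase for the generated script: ' becomes '\''
    esc=$(printf '%s' "$passphrase" | sed "s/'/'\\\\''/g")
    old_umask=$(umask); umask 077     # never group/world-readable, not even briefly
    cat > "$file" <<EOF
#!/bin/sh
# called by mod_ssl with \$1=servername:port and \$2=key type (RSA/DSA)
printf %s '$esc'
EOF
    umask "$old_umask"
    chmod 500 "$file"
}

# Point the uncommented SSLPassPhraseDialog line in ssl.conf at the script
# (comment lines are left alone; safe to run repeatedly).
set_passphrase_dialog() {
    conf=$1; script=$2
    tmp=$(mktemp)
    sed "s|^[[:space:]]*SSLPassPhraseDialog[[:space:]].*|SSLPassPhraseDialog exec:$script|" \
        "$conf" > "$tmp"
    cat "$tmp" > "$conf"; rm -f "$tmp"   # cat keeps the file's owner and mode
}

# Option B, simpler and no less secure: drop the passphrase from the key and
# rely on the 0600 root-owned file, which is the only protection option A
# really offers anyway. openssl prompts for the old passphrase; do not pass it
# with -passin pass:... as that would expose it in the process list.
strip_key_passphrase() {
    key=$1
    tmp=$(mktemp)                     # mktemp creates the file with mode 0600
    openssl rsa -in "$key" -out "$tmp"
    cat "$tmp" > "$key"; rm -f "$tmp" # cat keeps the key's owner and mode
    chmod 600 "$key"
}

# True if a PEM key is still passphrase-protected (traditional "Proc-Type:
# 4,ENCRYPTED" header or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

case "${1:-}" in
    dialog)   # usage: ./script dialog 'passphrase'
        write_pass_dialog "$DIALOG" "${2:?passphrase required}"
        set_passphrase_dialog "$SSL_CONF" "$DIALOG" ;;
    strip)    # usage: ./script strip   (prompts for the passphrase once)
        strip_key_passphrase "$KEY"
        if key_is_encrypted "$KEY"; then echo "key is still encrypted" >&2; exit 1; fi
        echo "passphrase removed from $KEY" ;;
esac
```

After either option, restart httpd once more to confirm it comes up without a prompt. With option A the passphrase is typed on the command line of this script, so clear it from the shell history afterwards; with option B there is nothing to clear, which is one more reason to prefer it.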