Finally got SSL running on this blog. This post is to document the steps I took.
This wiki page was what I used as a guide.
The OS is CentOS 6.4, running the Apache (httpd) package from the base repository.
First, make sure the required packages are installed.
# yum install mod_ssl openssl
The installation of mod_ssl will include a default https configuration with pre-generated key and self-signed certificate.
Pre-generated key = /etc/pki/tls/private/localhost.key
Pre-generated certificate = /etc/pki/tls/certs/localhost.crt
Default config = /etc/httpd/conf.d/ssl.conf
Restarting httpd at this point will give you a working https page served with the certificate mentioned above. Do not forget to add a firewall exception for port 443.
# service httpd restart
# iptables -I INPUT <line#> -p tcp --dport 443 -j ACCEPT
# service iptables save
Browsing to this page will show a security warning in browsers, because the certificate is not issued by a trusted certificate authority. To get rid of the warning, we need a certificate for our key that is signed by a trusted certificate authority.
Now let’s move on to generating our own key and getting it signed.
Generate a key using openssl (change 1024 to 2048 or higher for a stronger key; 1024-bit RSA keys are considered weak, and publicly trusted certificate authorities will not sign certificates for them).
# openssl genrsa -out ca.key 1024
Now, generate a certificate signing request (CSR) for the key.
# openssl req -new -key ca.key -out ca.csr
The command will prompt for further details to be embedded in the CSR. The output file ca.csr is then sent to a certificate authority, which issues the corresponding certificate.
You can also sign your own certificate using the following command.
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
After you have received the certificate, either from the certificate authority or via self-signing, the CSR file is no longer needed.
Now, copy the key and the certificate into the standard directories, so that the correct SELinux contexts are applied without much tinkering. The private key should be readable by root only.
Certificates go to /etc/pki/tls/certs/ while keys go to /etc/pki/tls/private/
Next we can start configuring Apache to use the certificate and key. This can be done either in the main SSL configuration file at /etc/httpd/conf.d/ssl.conf or in the VirtualHost records.
Example VirtualHost record:
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    ...
    ...
    ServerName centos01.hazrulnizam.com
</VirtualHost>
Finally, restart httpd and your https page will now use the new key and certificate. If the certificate comes from a trusted certificate authority, you will no longer get the untrusted warning.
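The key, CSR and self-signing steps above as one non-interactive script, with two checks worth running before copying the files into /etc/pki/tls: that the key is at least 2048 bits, and that the certificate really belongs to the key. This is an added example, not part of the original post; it assumes openssl is on PATH, and WORKDIR and the subject fields are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): key, CSR and self-signed
# certificate generated without prompts, plus sanity checks before install.
# Assumes openssl is on PATH; WORKDIR and the -subj fields are constructed.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a 2048-bit key (the post suggests going above 1024), a CSR and a
# self-signed certificate valid for 365 days, then drop the now-unneeded CSR.
gen_key_and_cert() {
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/ca.key"               # private key: owner-only access
    openssl req -new -key "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" \
        -subj "/C=MY/O=Example/CN=centos01.example.com"   # constructed subject
    openssl x509 -req -days 365 -in "$WORKDIR/ca.csr" \
        -signkey "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
    rm -f "$WORKDIR/ca.csr"
}

# Print the RSA key size in bits; refuse anything below 2048 before deploying.
key_bits() {
    openssl rsa -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Succeed only if the certificate was issued for this private key; a mismatch
# between SSLCertificateFile and SSLCertificateKeyFile stops httpd from starting.
cert_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the subject, i.e. the name a browser compares against ServerName.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}
```

Run gen_key_and_cert, then key_bits and cert_matches_key on the resulting files before copying them into /etc/pki/tls.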