SSL stands for Secure Sockets Layer, a protocol that wraps the traffic between a client and a server in an encrypted, authenticated channel (its modern successor is TLS, but the name SSL has stuck). An SSL certificate also lets users verify the identity of the site they are visiting.
Prerequisites
- httpd
- mod_ssl
Create a new certificate
Create a directory to store your certificate:
mkdir /etc/ssl/private
Modify the permissions so that only root has access:
chmod 700 /etc/ssl/private
Create the SSL key and certificate using openssl:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/thinkhelselfsig.key -out /etc/ssl/certs/thinkhelselfsig.crt
- req -x509: req is the CSR (certificate signing request) tool; -x509 tells it to output a self-signed certificate instead of a request. X.509 is the standard that defines the format of public key certificates for TLS/SSL;
- -nodes: do not encrypt the private key with a passphrase. Apache must be able to read the key without user interaction when the server starts up;
- -days n: the number of days the certificate will be valid;
- -newkey rsa:2048: generate a new 2048-bit RSA private key together with the certificate;
- -keyout: where the generated private key will be placed;
- -out: where the certificate will be placed.
You will be prompted to insert some information:
Generating a 2048 bit RSA private key
.....+++
.....+++
writing new private key to './thinkhelselfsig.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:thinkhel.com
Email Address []:
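The command above is interactive and leaves it to you to get the file permissions right. The shell script below is an added example, not part of the original post: it generates an equivalent self-signed key and certificate without prompts (-subj supplies the Distinguished Name the prompt asks for, -addext adds a subjectAltName, which current browsers check instead of the Common Name), locks down the key's permissions, and then verifies the result before it is handed to httpd: that the private key really matches the certificate, that the certificate is not about to expire, that the hostname appears in the SAN, and that the key file is readable only by its owner. The directory, hostname and function names are assumptions; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed
# certificate generation plus the checks worth running before restarting httpd.
# Assumptions: OpenSSL 1.1.1+ (for -addext); directory and hostname are placeholders.

# make_selfsigned DIR HOST [DAYS]
# Writes DIR/private/HOST.key and DIR/certs/HOST.crt, mirroring the layout used
# in the post (/etc/ssl/private and /etc/ssl/certs).
make_selfsigned() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir/private" "$dir/certs"
    chmod 700 "$dir/private"            # only root (the owner) may enter the key dir
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/private/$host.key" -out "$dir/certs/$host.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,DNS:www.$host" 2>/dev/null
    chmod 600 "$dir/private/$host.key"   # -nodes leaves the key unencrypted, so rely on permissions
}

# key_matches_cert KEY CRT
# A key/cert mismatch is the classic cause of httpd refusing to start after a
# cert rotation. Both sides are reduced to their public key in PEM form and compared.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for CRT SECONDS
# Succeeds only if the certificate will still be valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_has_san CRT NAME
# Succeeds if NAME is listed as a DNS entry in the subjectAltName extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# key_is_private KEY
# Succeeds if the key file mode is exactly 0600 (GNU stat, with a BSD fallback).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Usage (as root, adjusting paths and hostname):
#   make_selfsigned /etc/ssl thinkhel.com 365
#   key_matches_cert /etc/ssl/private/thinkhel.com.key /etc/ssl/certs/thinkhel.com.crt || echo "key/cert mismatch"
#   cert_valid_for /etc/ssl/certs/thinkhel.com.crt 2592000 || echo "expires within 30 days"
```

Run the three check functions again from cron or a monitoring job: the -checkend test is the cheapest way to catch a self-signed certificate that is about to run out before the browser warning changes from "untrusted" to "expired".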
Set up the certificate
We need to edit the section of /etc/httpd/conf.d/ssl.conf that begins with <VirtualHost _default_:443>.
Uncomment DocumentRoot and edit the path to the location of your website’s document root. Also uncomment and edit ServerName:
<VirtualHost _default_:443>
. . .
DocumentRoot "/var/www/thinkhel.com/public_html"
ServerName www.thinkhel.com:443
Comment out the SSLProtocol and SSLCipherSuite lines.
Edit SSLCertificateFile and SSLCertificateKeyFile to match the directory where the key and certificate are stored:
SSLCertificateFile /etc/ssl/certs/thinkhelselfsig.crt
SSLCertificateKeyFile /etc/ssl/private/thinkhelselfsig.key
Now the server will serve both HTTP and HTTPS requests. To automatically redirect HTTP to HTTPS, create a .conf file in the /etc/httpd/conf.d directory:
<VirtualHost *:80>
ServerName www.thinkhel.com
Redirect "/" "https://www.thinkhel.com/"
</VirtualHost>
Activate the certificate
To activate the certificate you need to restart httpd:
systemctl restart httpd
If you’re using a firewall, check that ports 80 and 443 are open.
If you’re using iptables and the ports need to be opened:
iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Note: since a self-signed certificate is not signed by a CA (certificate authority), the browser will warn about it, because it cannot verify the identity of the server you’re connecting to. Self-signed certificates should only be used in a few situations (private/internal use).