Enable SSL for Apache


Before you begin with this guide, there are a few steps that need to be completed first.

You will need access to a CentOS 7 server with a non-root user that has sudo privileges. If you haven't configured this yet, you can run through the CentOS 7 initial server setup guide to create this account.

You will also need to have Apache installed in order to configure virtual hosts for it. If you haven't already done so, you can use yum to install Apache through CentOS's default software repositories:

yum install httpd

Next, enable Apache as a CentOS service so that it will automatically start after a reboot:

systemctl enable httpd.service

After these steps are complete, you can log in as your non-root user account through SSH and continue with the tutorial.


Step One — Install Mod SSL

In order to set up the self-signed certificate, we first have to be sure that mod_ssl, an Apache module that provides support for SSL encryption, is installed on our VPS. We can install mod_ssl with the yumcommand:

yum install mod_ssl

The module will automatically be enabled during installation, and Apache will be able to start using an SSL certificate after it is restarted. You don't need to take any additional steps for mod_ssl to be ready for use.


Step Two — Create a New Certificate

Now that Apache is ready to use encryption, we can move on to generating a new SSL certificate. The certificate will store some basic information about your site, and will be accompanied by a key file that allows the server to securely handle encrypted data.

First, we need to create a new directory where we will store the server key and certificate:

sudo mkdir /etc/httpd/ssl

Now that we have a location to place our files, we can create the SSL key and certificate files withopenssl:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

After you enter the request, you will be taken to a prompt where you can enter information about your website. Before we go over that, let's take a look at what is happening in the command we are issuing:

  • openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
  • req -x509: This specifies that we want to use X.509 certificate signing request (CSR) management. The "X.509" is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
  • -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Apache to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening, since we would have to enter it after every restart.
  • -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
  • -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
  • -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
  • -out: This tells OpenSSL where to place the certificate that we are creating.

Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You need to enter the domain name that you want to be associated with your server. You can enter the public IP address instead if you do not have a domain name.

The full list of prompts will look something like this:

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Example
Locality Name (eg, city) [Default City]:Example 
Organization Name (eg, company) [Default Company Ltd]:Example Inc
Organizational Unit Name (eg, section) []:Example Dept
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:webmaster@example.com

Step Three — Set Up the Certificate

We now have all of the required components of the finished interface. The next thing to do is to set up the virtual hosts to display the new certificate.

Open Apache's SSL configuration file in your text editor with root privileges:

nano /etc/httpd/conf.d/ssl.conf

Find the section that begins with <VirtualHost _default_:443>. We need to make a few changes here to ensure that our SSL certificate is correctly applied to our site.

First, uncomment the DocumentRoot line and edit the address in quotes to the location of your site's document root. By default, this will be in /var/www/html, and you don't need to change this line if you have not changed the document root for your site. However, if you followed a guide like our Apache virtual hosts setup guide, your site's document root may be different.

DocumentRoot "/var/www/example.com/public_html"

Next, uncomment the ServerName line and replace www.example.com with your domain name or server IP address (whichever one you put as the common name in your certificate):

 ServerName www.example.com:443

Find the SSLCertificateFile and SSLCertificateKeyFile lines and change them to the directory we made at /etc/httpd/ssl:

SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key

When you are finished making these changes, you can save and close the file.


Step Four — Activate the Certificate

By now, you have created an SSL certificate and configured your web server to apply it to your site. To apply all of these changes and start using your SSL encryption, you can restart the Apache server to reload its configurations and modules:

sudo apachectl restart

In your web browser, try visiting your domain name or IP with https:// to see your new certificate in action.


Your web browser will likely warn you that the site's security certificate is not trusted. Since your certificate isn't signed by a certificate authority that the browser trusts, the browser is unable to verify the identity of the server that you are trying to connect to. We created a self-signed certificate instead of a trusted CA-signed certificate, so this makes perfect sense.

Once you add an exception to the browser's identity verification, you will be allowed to proceed to your newly secured site.


Redirect Request to SSL

Let's say you want http://www.example.com/secure/ to always be sent over SSL (I presume here that both the normal and the SSL vhost have the same content). You could do this by linking to the correct page from within your HTML pages... but there will always be some user who will sneak by it that way. 

Using virtual hosts (using redirect)

When using SSL, you will frequently have at least two virtual hosts: one on port 80 to serve ordinary requests, and one on port 443 to serve SSL. If you wish to redirect users from the non-secure site to the SSL site, you can use an ordinary Redirect directive inside the non-secure VirtualHost:


NameVirtualHost *:80
<VirtualHost *:80>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   Redirect permanent /secure https://mysite.example.com/secure

<VirtualHost _default_:443>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
# etc...

When redirecting everything you don't even need a DocumentRoot:

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName www.example.com
   Redirect permanent / https://secure.example.com/

<VirtualHost _default_:443>
   ServerName secure.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
# etc...

Note: redirect can also be used inside .htaccess files or to address particular URLs, as in:

Last update:
20-01-2016 12:47
Karl Hudgell
Average rating:0 (0 Votes)

You cannot comment on this entry

Chuck Norris has counted to infinity. Twice.

Latest FAQs RSS

  1. Clone theme config (12-07-2019 15:47)
  2. Simple Cheap LED Control (29-04-2019 13:26)
  3. Freeing disk space on your Linux server (20-04-2019 12:48)
  4. Dockerized Download VM (30-01-2019 20:26)
  5. Jmeter + Performance Plugin + Jenkins Pipeline (16-02-2018 12:49)