<p>Setting up an SSL secured Webserver with CentOS</p><p>Contents</p><p><strong>Getting the required software</strong></p><p><strong>Generate a self-signed certificate</strong></p><p><strong>Setting up the virtual hosts</strong></p><p><strong>Configuring the firewall</strong></p><p>This guide explains how to serve a site over https with Apache on CentOS. It uses a self-signed certificate, so it suits a personal website or a test box; a public production site should use a certificate issued by a trusted Certificate Authority. This is provided as is, so proceed at your own risk and take backups!</p><p>1. Getting the required software</p><p>For an SSL-encrypted web server you need a few packages. Depending on your install you may or may not already have OpenSSL and mod_ssl, Apache&#39;s interface to OpenSSL. Use yum to install them:</p><pre class="brush:bash;toolbar:false">yum install mod_ssl openssl</pre><p>Yum will either tell you they are already installed or will install them for you.</p><p>2. Generate a self-signed certificate</p><p>Using OpenSSL we will generate a private key and a self-signed certificate. On a production server you will want a certificate from a trusted Certificate Authority (you would send the CSR generated below to the CA and install the certificate it returns instead of self-signing), but for a personal site or for testing a self-signed certificate is fine. The commands write to /etc/pki, so you need to be root: either su to root or put sudo in front of each command. The openssl req step prompts for the certificate subject; the Common Name must be the hostname clients will use to reach the site, otherwise browsers will reject the certificate even after you accept the self-signed warning. Note that the files are called ca.key and ca.crt only because that is the naming this guide uses; they are the server&#39;s key and certificate, not a certificate authority&#39;s.</p><pre class="brush:bash;toolbar:false"># Generate the private key
openssl genrsa -out ca.key 2048
# Generate a certificate signing request (CSR) for that key
openssl req -new -key ca.key -out ca.csr
# Self-sign the CSR to produce a certificate valid for 365 days
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Copy the files to the locations Apache expects
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr</pre><p>The private key must be readable by root only; check that /etc/pki/tls/private/ca.key does not end up world-readable, since anyone who can read it can impersonate your site.</p><p>WARNING: Make sure that you copy the files and do not move them if you use SELinux. A copied file inherits the SELinux context of the destination directory, whereas a moved file keeps the context it had where it was created, so Apache cannot read it and complains about missing certificate files.</p><p>If you have moved the files rather than copied them, the following command restores the correct contexts, as the context definitions for /etc/pki/* come with the bundled SELinux policy:</p><pre class="brush:bash;toolbar:false">restorecon -RvF /etc/pki</pre><p>Then we need to update the Apache SSL configuration file:</p><pre class="brush:bash;toolbar:false">vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf</pre><p>Change the paths to match where the certificate and key are stored. If you have used the method above, the certificate line is</p><pre class="brush:bash;toolbar:false">SSLCertificateFile /etc/pki/tls/certs/ca.crt</pre><p>Then set the correct path for the certificate key file a few lines below. If you have followed the instructions above it is:</p><pre class="brush:bash;toolbar:false">SSLCertificateKeyFile /etc/pki/tls/private/ca.key</pre><p>Save the file and then restart Apache (on a systemd-based CentOS release use systemctl restart httpd instead):</p><pre class="brush:bash;toolbar:false">/etc/init.d/httpd restart</pre><p>All being well you should now be able to connect over https to your server and see the default CentOS page. As the certificate is self-signed, browsers will warn about it and ask whether you want to accept it. That warning is expected here, but it is also exactly what an attacker intercepting the connection looks like, so do not get into the habit of clicking through it on sites that matter.</p><p>3. Setting up the virtual hosts</p><p>Just as you set up VirtualHosts for http on port 80, so you do for https on port 443. A typical VirtualHost for a site on port 80 looks like this:</p><pre class="brush:bash;toolbar:false">&lt;VirtualHost *:80&gt;
    &lt;Directory /var/www/vhosts/yoursite.com/httpdocs&gt;
        AllowOverride All
    &lt;/Directory&gt;
    DocumentRoot /var/www/vhosts/yoursite.com/httpdocs
    ServerName yoursite.com
&lt;/VirtualHost&gt;</pre><p>To add a sister site on port 443 you need to add the following at the top of your file (this is required on Apache 2.2; Apache 2.4 ignores NameVirtualHost and selects name-based hosts automatically):</p><pre class="brush:bash;toolbar:false">NameVirtualHost *:443</pre><p>and then a VirtualHost record something like this:</p><pre class="brush:bash;toolbar:false">&lt;VirtualHost *:443&gt;
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    &lt;Directory /var/www/vhosts/yoursite.com/httpsdocs&gt;
        AllowOverride All
    &lt;/Directory&gt;
    DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
    ServerName yoursite.com
&lt;/VirtualHost&gt;</pre><p>Name-based virtual hosts on port 443 only work when the client sends the hostname in the TLS handshake (SNI). If you host several https sites on one IP address, each needs its own certificate (or one certificate listing every name) and old clients without SNI support will always be served the first site&#39;s certificate.</p><p>Restart Apache again using</p><pre class="brush:bash;toolbar:false">/etc/init.d/httpd restart</pre><p>4. Configuring the firewall</p><p>You should now have a site working over https using a self-signed certificate. If you can&#39;t connect you may need to open the port on your firewall. To do this amend your iptables rules:</p><pre class="brush:bash;toolbar:false"># -I inserts at the top of the INPUT chain. The stock CentOS ruleset ends
# with a REJECT rule, so a rule appended with -A would land after it and
# never match.
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v</pre><p>Check the listing to confirm the ACCEPT rule for dpt:https appears before any REJECT rule. On a CentOS release that uses firewalld instead of the iptables service, open the port with firewall-cmd --permanent --add-service=https followed by firewall-cmd --reload.</p>
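<p>The certificate and virtual-host steps from sections 2 and 3 as one non-interactive script, added here as an example; it is not part of the original guide. It differs from the guide in one deliberate way: a single openssl req -x509 call produces key and certificate in one step and adds a subjectAltName, which current browsers require (they ignore the Common Name on its own). It then checks that the certificate really belongs to the key, that the key is not world-readable, and renders the port-443 VirtualHost from section 3. The hostname www.example.test, the scratch directory and the function names are assumptions for illustration.</p>

```shell
#!/bin/sh
# Added example, not code from the original guide. Generates a self-signed
# server certificate, sanity-checks it and renders the matching Apache
# SSL VirtualHost. Hostname, paths and function names are assumptions.
set -eu

# gen_selfsigned_cert DIR HOST DAYS
# Writes DIR/HOST.key (mode 0600) and DIR/HOST.crt. A small req config
# file is used instead of -addext so it works on older OpenSSL builds.
gen_selfsigned_cert() {
    dir=$1; host=$2; days=$3
    conf="$dir/$host.cnf"
    cat > "$conf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_server
[dn]
CN = $host
[v3_server]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 so the private key is never world-readable, even briefly
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" -config "$conf" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt")
    chmod 644 "$dir/$host.crt"
}

# cert_matches_key CRT KEY: succeeds if the certificate's public key and
# the private key share the same RSA modulus. A mismatched pair is the
# classic reason mod_ssl refuses to start after editing ssl.conf.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2")
    [ "$crt_mod" = "$key_mod" ]
}

# cert_has_san CRT HOST: succeeds if HOST is listed in subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# key_is_private KEY: succeeds if the key is readable by its owner only.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# render_ssl_vhost HOST DOCROOT CRT KEY: prints the port-443 VirtualHost
# from the guide with the given paths filled in.
render_ssl_vhost() {
    cat <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile $3
    SSLCertificateKeyFile $4
    <Directory $2>
        AllowOverride All
    </Directory>
    DocumentRoot $2
    ServerName $1
</VirtualHost>
EOF
}

# run_demo DIR HOST: generate, verify, and write DIR/ssl-HOST.conf.
# Fails (non-zero) if any check does not hold.
run_demo() {
    gen_selfsigned_cert "$1" "$2" 365
    cert_matches_key "$1/$2.crt" "$1/$2.key"
    cert_has_san "$1/$2.crt" "$2"
    key_is_private "$1/$2.key"
    render_ssl_vhost "$2" "/var/www/vhosts/$2/httpsdocs" \
        "/etc/pki/tls/certs/$2.crt" "/etc/pki/tls/private/$2.key" \
        > "$1/ssl-$2.conf"
}

# Constructed run in a scratch directory (assumed hostname).
WORK=$(mktemp -d)
run_demo "$WORK" www.example.test
echo "key, certificate and vhost config written to $WORK"
```

<p>After running it, copy the .crt into /etc/pki/tls/certs and the .key into /etc/pki/tls/private (copy, not move, and run restorecon as in section 2), drop the generated .conf into /etc/httpd/conf.d, and restart Apache. To confirm the server is presenting the certificate you expect, connect with openssl s_client -connect yoursite.com:443 -servername yoursite.com and compare the subject and subjectAltName it prints with the certificate you generated.</p>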