Setting up HTTPS with Secure Sockets Layer (SSL) in CentOS

In this process, we will learn how to add a secure connection to the Apache web server by creating a self-signed SSL certificate using OpenSSL. This is often a requirement for web servers if the sites running on them transfer sensitive data such as credit card or login information from the web browser to the server. In a previous process, you were shown how to install the Apache web server, and with the growing demand for secure connections, it is the purpose of this process to show you how to enhance your current server configuration by teaching you how to extend the features of the Apache web server.

To Start With: What Do You Need?

To complete this process, you will require a working installation of the CentOS 7 operating system with root privileges, a console-based text editor of your choice, and a connection to the Internet in order to facilitate the download of additional packages. It is expected that the Apache web server has been installed and that it is currently running. Here we will create a new SSL certificate for Apache. If you want to learn more about it, refer to Chapter 6, Providing Security, for advice on generating self-signed certificates. As a correct domain name is crucial for SSL to work, we will continue to use centos7.home as our Apache web server’s configured domain name to make this process work (change it to fit your own needs).

The Process

Apache does not support SSL encryption by default and for this reason, we will begin by installing the necessary package mod_ssl using the yum package manager.

  1. To begin, log in as root and type the following command:
    yum install mod_ssl
  2. During the installation of the mod_ssl package, a self-signed certificate, as well as the key pair for the Apache web server, are generated automatically; these lack a proper common name for your web server’s domain name. Before we can re-generate our own required SSL files using the Makefile in the next steps, we need to delete those files:
    rm /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt
  3. We now need to create our own self-signed certificate and server key for the Apache web server. To do this, first change to the certificate directory:
    cd /etc/pki/tls/certs
  4. To create the self-signed Apache SSL keypair, consisting of the certificate and its embedded public key as well as the private key, type:
    make testcert
  5. In the process of creating the certificate, first you will be asked to enter a new passphrase and then verify it. Afterwards, you need to type it in again for the third time. As usual, enter a secure password. You will then be asked a number of questions. Complete all the required details by paying special attention to the common name value. This value should reflect the domain name of your web server or the IP address the SSL certificate is for. For example, you may type:
    www.centos7.home
  6. When the process of creating your certificate is complete, we will proceed by opening the main Apache SSL configuration in the following way (after making a backup):
    cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.BAK
    vi /etc/httpd/conf.d/ssl.conf
  7. Scroll down to the section that begins with <VirtualHost _default_:443> and locate the line # DocumentRoot "/var/www/html" within this block. Then activate it by removing the # character, so it reads:
    DocumentRoot "/var/www/html"
  8. Right below, find the line that reads #ServerName www.example.com:443. Activate this line and modify the value shown to match the common name value used during the creation of your certificate, as follows:
    ServerName www.centos7.home:443
  9. Save and close the file. Next, we need to enable the HTTPS service in firewalld to allow incoming HTTPS connections over port 443:
    firewall-cmd --permanent --add-service=https && firewall-cmd --reload
  10. Now restart the Apache httpd service to apply your changes. Note that if prompted you have to enter the SSL passphrase you added when you created the SSL test certificate:
    systemctl restart httpd
  11. Well done! You can now visit your server over a secure connection by using HTTPS instead of HTTP in any of the URLs we have defined for the server. For example, go to https://www.centos7.home instead of http://www.centos7.home.

    Note
    When you browse to this website, you will get a warning message that the signing certificate authority is not known. This exception is to be expected when using self-signed certificates and can be confirmed.
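
The following check is an added example, not part of the original article: it reads the <VirtualHost _default_:443> block of an ssl.conf and confirms that DocumentRoot and ServerName are active and that ServerName matches the certificate's common name. The function names check_ssl_vhost and cert_cn and the sample configuration are constructed for illustration; cert_cn assumes openssl is installed.

```shell
#!/bin/bash
# Added example (not from the original article): audit the edits from steps 7-8.
# check_ssl_vhost CONF EXPECTED_CN -> prints problems, returns 0 when consistent.
check_ssl_vhost() {
    awk -v cn="$2" '
        /^[ \t]*<VirtualHost[ \t]+_default_:443>/ { in_vh = 1; next }
        /^[ \t]*<\/VirtualHost>/                  { in_vh = 0 }
        !in_vh || /^[ \t]*#/ { next }   # ignore other blocks and commented lines
        $1 == "DocumentRoot"          { docroot = $2 }
        $1 == "ServerName"            { name = $2 }
        $1 == "SSLCertificateFile"    { crt = $2 }
        $1 == "SSLCertificateKeyFile" { key = $2 }
        END {
            if (docroot == "") { print "DocumentRoot is not active"; bad = 1 }
            host = name; sub(/:[0-9]+$/, "", host)   # drop the :443 suffix
            if (name == "")      { print "ServerName is not active"; bad = 1 }
            else if (host != cn) { print "ServerName " host " does not match CN " cn; bad = 1 }
            if (crt == "" || key == "") { print "certificate/key directive missing"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# cert_cn CRT -> common name stored in the certificate (needs openssl installed).
# Handles both the "/CN=host" and "CN = host" subject layouts.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# Constructed sample: the relevant part of ssl.conf after steps 7 and 8.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName www.centos7.home:443
#ServerName www.example.com:443
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
check_ssl_vhost "$sample" www.centos7.home && echo "ssl.conf matches the certificate CN"
# On the server itself:
#   check_ssl_vhost /etc/httpd/conf.d/ssl.conf "$(cert_cn /etc/pki/tls/certs/localhost.crt)"
rm -f "$sample"
```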

     

How Does It Work?

We began the process by installing mod_ssl, the default Apache module for enabling SSL, using the YUM package manager. The next step was then to go to the standard location where all the system’s certificates can be found in CentOS 7, that is, /etc/pki/tls/certs. Here we can find a Makefile, which is a helper script for conveniently generating self-signed SSL test certificates and which hides the complicated command-line parameters of the OpenSSL program from you. Remember that the Makefile currently lacks a clean option, so every time we run it we need to manually delete any old versions of the generated files from a former run; otherwise it will not do anything.

After deleting the old Apache SSL files, we used make with the testcert parameter, which creates self-signed certificates for the Apache web server and puts them in the standard locations, already configured in the ssl.conf file (the SSLCertificateFile and SSLCertificateKeyFile directives), so we didn’t have to change anything here. During the process, you were asked to provide a password before completing a series of questions. Complete the questions but pay special attention to the common name. As was mentioned in the main process, this value should reflect either the domain name of your server or your IP address.

In the next phase, you were required to open Apache’s SSL configuration file, which can be found at /etc/httpd/conf.d/ssl.conf, in your favorite text editor. In it we enabled the DocumentRoot directive to put it under SSL control and activated the ServerName directive with an expected domain value that must be the same as the one we defined as our common name value. We then saved and closed the configuration file and enabled the HTTPS ports in our firewall, thus allowing incoming connections over the standard HTTPS 443 port.

Having completed these steps, you can now enjoy the benefits of a secure connection using a self-signed server certificate. Just type https:// instead of http:// for any URL address available on your Apache web server. However, if you are intending to use an SSL certificate on a production server for members of the public, then your best option is to purchase an SSL certificate from a trusted Certificate Authority.

There's more…

We learned that our SSL certificate is protected by a passphrase, so whenever we need to restart our Apache web server, we have to enter the password. This is impractical for server restarts, as Apache will refuse to start without it. To get rid of the password prompt, we will provide the passphrase in a special file and make sure it is only accessible by root.

  1. Create a backup of the file that will contain your password:
    cp /usr/libexec/httpd-ssl-pass-dialog /usr/libexec/httpd-ssl-pass-dialog.BAK
  2. Now overwrite this password file with the following content, replacing XXXX in the following command line with your current SSL passphrase:
    echo -e '#!/bin/bash\necho "XXXX"' > /usr/libexec/httpd-ssl-pass-dialog
  3. Finally, change the permissions so that only root can read and execute it:
    chmod 500 /usr/libexec/httpd-ssl-pass-dialog
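
An added check, not part of the original article, that the passphrase helper Apache actually runs is the file you overwrote and that only root can read it. It assumes ssl.conf names the helper with mod_ssl's SSLPassPhraseDialog exec: directive and that GNU stat is available; check_pass_dialog and the scratch files are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original article).
# check_pass_dialog CONF [UID] -> returns 0 when the helper named by the active
# SSLPassPhraseDialog exec: directive exists, is owned by UID (default 0, root)
# and has mode 500.
check_pass_dialog() {
    conf=$1
    want_uid=${2:-0}
    # Commented-out directives do not match because $1 then starts with '#'.
    helper=$(awk '$1 == "SSLPassPhraseDialog" && $2 ~ /^exec:/ {
                      sub(/^exec:/, "", $2); print $2; exit }' "$conf")
    if [ -z "$helper" ]; then
        echo "no active SSLPassPhraseDialog exec: directive in $conf"
        return 1
    fi
    if [ ! -f "$helper" ]; then
        echo "$helper does not exist (was the passphrase written to another file name?)"
        return 1
    fi
    mode=$(stat -c %a "$helper")   # GNU stat: permission bits in octal
    uid=$(stat -c %u "$helper")    # GNU stat: numeric owner
    rc=0
    if [ "$mode" != 500 ]; then
        echo "$helper has mode $mode, expected 500"; rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$helper is owned by uid $uid, expected $want_uid"; rc=1
    fi
    return $rc
}

# Constructed demo in a scratch directory (stand-ins for ssl.conf and the helper).
dir=$(mktemp -d)
printf 'SSLPassPhraseDialog exec:%s/httpd-ssl-pass-dialog\n' "$dir" > "$dir/ssl.conf"
printf '#!/bin/bash\necho "XXXX"\n' > "$dir/httpd-ssl-pass-dialog"
chmod 500 "$dir/httpd-ssl-pass-dialog"
check_pass_dialog "$dir/ssl.conf" "$(id -u)" && echo "pass dialog helper OK"
chmod 755 "$dir/httpd-ssl-pass-dialog"
check_pass_dialog "$dir/ssl.conf" "$(id -u)" || echo "loosened permissions detected"
rm -rf "$dir"
# On the server itself, as root: check_pass_dialog /etc/httpd/conf.d/ssl.conf
```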
 
