
How to create a Self-Signed SSL certificate on CentOS?

An SSL certificate is an electronic ‘document’ that is used to bind together a public security key and a website’s identity information (such as name, location, etc.) by means of a digital signature. The ‘document’ is issued by a certificate provider such as GlobalSign, Verisign, GoDaddy, Comodo, Thawte, and others. For more information, visit the article

In this article, we’re going to be covering how to create a self-signed SSL certificate and assign it to a domain in Apache. Self-signed SSL certificates add security to a domain for testing purposes but are not verifiable by a third-party certificate provider.
These instructions are intended for creating a self-signed SSL certificate and assigning it to a domain in Apache.
I’ll be working from an iaas Core Managed CentOS 6.5 server and I’ll be logged in as root.
Step #1: View Loaded Apache Modules, Load SSL if Necessary
First, let’s check whether Apache 2 already has the SSL module loaded:
apachectl -M | grep ssl
The module is already loaded if the result of the above command is:
ssl_module (shared)
If it is not loaded, then it is possible that mod_ssl is not installed. Install mod_ssl:
yum -y install mod_ssl
And now we’ll restart Apache:
service httpd restart
Step #2: Setup the Environment and Create the Self-signed SSL Certificate
Make a directory to store the certificate and the server key:
mkdir /etc/httpd/ssl

Generate the SSL certificate and key with OpenSSL using the following command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

The above command generates a 2048-bit private key and a corresponding self-signed certificate that remains valid for 365 days, and places those files in the new directory. The command prints the following output and asks you to answer a few questions:

Generating a 2048 bit RSA private key
writing new private key to ‘/etc/httpd/ssl/apache.key’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value.
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Michigan
Locality Name (eg, city) [Default City]:Lansing
Organization Name (eg, company) [Default Company Ltd]:iaas
Organizational Unit Name (eg, section) []:KB
Common Name (eg, your name or your server’s hostname) []:kb.thebestfakedomainnameintheworld.com
Email Address []:[email protected]
Tip: It is very important that the Common Name be set appropriately. Enter your fully qualified domain name (FQDN) here or if you don’t have an FQDN, then your site’s IP address.
Step #3: Add the Self-signed SSL Certificate to Apache

Now that the private key and the associated certificate have been generated, we need to edit the SSL configuration file for Apache:

vim /etc/httpd/conf.d/ssl.conf

Find the section:

<VirtualHost _default_:443>

And add the following Virtual Host configuration on the next line:

ServerName kb.thebestfakedomainnameintheworld.com:443

Be sure to replace kb.thebestfakedomainnameintheworld.com with your fully qualified domain name or server IP address for your Virtual Host. Keep in mind that the domain should be the same as the common name specified in the previous step.

Verify that the following variables are set appropriately in the same file:

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key

Then save the file and exit with the command :wq.
Step #4: Restart Apache
Then restart Apache once more:

service httpd restart
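
The following script is an added example, not part of the original article: it runs the Step #2 command without prompts (using openssl's -subj option), restricts the private key to its owner, and then checks the points Step #3 depends on, namely that the certificate belongs to the key, that the Common Name equals the ServerName, and that the certificate has not expired. The function names and the domain kb.example.test are illustrative assumptions, and the demo works in a scratch directory rather than /etc/httpd.

```bash
#!/bin/bash
# Added example; function names and kb.example.test are illustrative assumptions.

make_selfsigned() {            # usage: make_selfsigned <dir> <fqdn>
    local dir="$1" fqdn="$2"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077                # private key is created owner-readable only
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$fqdn" \
          -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null ) || return 1
    chmod 600 "$dir/apache.key" && chmod 644 "$dir/apache.crt"
}

pair_matches() {               # true only if <crt> carries the public key of <key>
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

cert_cn() {                    # Common Name; handles old and new subject formats
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

conf_servername() {            # first active ServerName in the file, port stripped
    awk 'tolower($1) == "servername" { sub(/:[0-9]+$/, "", $2); print $2; exit }' "$1"
}

verify_install() {             # usage: verify_install <dir> <ssl.conf>
    local crt="$1/apache.crt" key="$1/apache.key"
    pair_matches "$crt" "$key" || { echo "certificate and key do not match"; return 1; }
    [ "$(stat -c %a "$key")" = 600 ] || { echo "key is not mode 600"; return 1; }
    [ "$(cert_cn "$crt")" = "$(conf_servername "$2")" ] ||
        { echo "Common Name differs from ServerName"; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 1; }
    echo "ok"
}

# Demo on constructed input in a scratch directory, not /etc/httpd.
demo=$(mktemp -d)
printf 'ServerName kb.example.test:443\nSSLEngine on\n' > "$demo/ssl.conf"
make_selfsigned "$demo/ssl" kb.example.test && verify_install "$demo/ssl" "$demo/ssl.conf"
```

On the server from this article, verify_install /etc/httpd/ssl /etc/httpd/conf.d/ssl.conf can be run before the restart in Step #4 to catch a mismatched key or ServerName while Apache is still serving.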

Updated on February 8, 2019
