Introduction
SSL certificates are small data files that certify ownership of a public cryptographic key. Certification authorities (CAs) ensure that the key belongs to an organization, server, or other entity listed in the certificate.
When a user, through their browser, accesses a certified website, the information is encrypted with a unique public key. Data can only be decrypted using a unique private key located on the host server. This high level of encryption prevents unauthorized attempts to access information.
In this tutorial, learn how to install an SSL certificate on CentOS 7.
prerequisites
A
- user with sudo privileges
- Accessing a command line (Ctrl-Alt-T)A
- CentOS 7 machine
- A valid domain name with DNS pointing to the server
How to get an SSL
certificate
There are several ways to obtain certificates:
- Use a free, automated certificate authority like the Let’s Encrypt project.
- Commercial certificate authorities provide certificates for a fee (Comodo, DigiCert, GoDaddy)
- Alternatively, it is possible to create a self-signed certificate. This type of certificate is useful for testing purposes or for use in a development environment.
If you’re still considering what type of certificate you need or which CA to choose, we’ve prepared a comprehensive guide to SSL certificates, private keys, and CSRs to help you through the process.
Install SSL certificate with Let’s
Encrypt
Let’s Encrypt is a free, open and automated certificate authority. Use the certbot software tool to manage certificates automatically.
Certbot is a highly automated tool. Make sure your Apache installation is valid and that you have a virtual host configured for your domain(s). You should first read our tutorial on how to install Apache on CentOS 7 if you need help setting up your firewall and virtual hosts.
Installing Certbot
1. Use the command terminal to install the EPEL repository and yum-utils: sudo yum -y install epel-release yum-utils
2. Next, install a module that supports SSL for Apache:
sudo yum -y install mod_ssl
In this example, the latest version of the module is already available
. 3. Now we can install certbot for Apache: sudo yum -y
install python-certbot-apache
4. Once the installation is ongoing, you can start the process to get a certificate by entering
: sudo certbot -apache -d yourdomain.com
Alternatively, start certbot by typing: sudo certbot
5. The customer asks you to provide an email address and to read and accept the Terms of Service. Certbot then lists the domains available on your server. Enable HTTPS for specific domains or all of them by leaving the field blank.
The following message allows you to force all requests to secure HTTPS access.
Once you have made your choices, the message in the terminal confirms that you have enabled encryption for your domain.
Automatic certificate renewal
Certificates issued by Let’s Encrypt are valid for 90 days. The certbot renew command checks installed certificates and attempts to renew them if they are less than 30 days away from expiration. To automate this process, create a cron job to run the command periodically.
Use your preferred text editor to define how often to run
the renew command: sudo crontab -e
Enter this line and save the crontab:
* * / 12 * * * / usr / bin / certbot renew > / dev / null 2>&1
How to install SSL certificate with Comodo
1. The first step is to submit a certificate signing request to a CA. Our detailed guide on how to generate a certificate signing request (CSR) with OpenSSL is a great resource if you need help with this process.
2. Once a CA certifies your request, you will receive a copy of your SSL certificate. You can now install the certificate on your CentOS 7 server.
This example shows how to install a certificate from a payment SSL provider, Comodo.
3. Once Comodo verifies your CSR request, download the SSL files. Copy them (ComodoRSACA.crt) and the primary certificate (yourdomain.crt), to the Apache server directory. The private key generated during the CSR (Certificate Signing Request) process must be on the same server.
Configure Virtual Hosts for SSL
Aftr You have successfully certified the domain and placed the key files on the server, the next step will be to configure the virtual hosts to display the certificate
.
1. Access the SSL configuration file:
sudo nano /etc/httpd/conf.d/ssl.conf
2. Edit the configuration file to point to the correct files on the server.
Uncomment the following lines in section <VirtualHost_default_:443> and enter the correct file paths
:
- DocumentRoot “/var/www/yourdomain.com”
- ServerName yourdomain.com: 443
- SSLEngine on
- SSLCertificateKeyFile: The path of
- the key file.
- SSLCertificateChainFile– The intermediate COMODO certificate file.
SSLCertificateFile: The path of the certificate file.
3. After making the necessary changes, exit the file (Ctrl + X) and press y to save the changes.
4. Test your Apache configuration before rebooting. Make sure the syntax is correct by typing:
sudo apachectl configtest
5. Once the system confirms that the syntax is correct, restart Apache:
sudo systemctl restart httpd
You have now configured your Apache server to use the
SSL certificate. How to create a self-signed
SSL certificate A self-signed certificate
is useful for testing, in development environments, and on an intranet
.
1. As with Let’s Encrypt, the Apache mod_ssl module provides support for SSL encryption:
sudo yum -y install mod_ssl
2. Create a new directory to store the private key:
sudo mkdir /etc/ssl/privatekey
3. Restrict access to that directory to the root user only:
sudo chmod 700 /etc/ssl/privatekey
4. Generate a self-signed certificate using this
OpenSSL command: sudo openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -keyout /etc/ssl/privatekey/ yourdomain.key -out /etc/ssl/certs/yourdomain.csr
This is a detailed description of the elements:
- openssl – activates OpenSSL software req
- indicates that we require a CSR-x509 – specifies to use the X.509-new
- signing request -newkey
- 2048-bit RSA math
- no DES, which means you do not encrypt the private key in a PKCS file#12 days-365- number of days the certificate is valid for keyout – indicates the domain for which you are generating a key –
- specifies the name of the file containing the CSR
–
– generate a new RSA:2048 key – generate a
key –
5. The system launches a questionnaire for you to complete.
Enter your information in the available fields
: Country name:
- Use a 2-letter country code
- State
- An entity that owns the domain
- Organizational Unit Name : The department or group in your organization that works with certificates
- Common name: Most of the time, the fully qualified domain name (FQDN)
- Contact email address
- Challenge password: Define an optional password for your key pair
: The state in which the domain owner is incorporated Location: The city in which the domain owner is incorporated Organization Name:
Email address:
The
image represents a sample questionnaire on CentOS 7
.
6. Proceed to configure the virtual host to display the new certificate. The process is identical to the steps described in Chapter 2, Configuring Virtual Hosts for SSL.
7. Test your Apache configuration before rebooting. To ensure that the syntax is correct, type:
sudo apachectl configtest
8. Once the system confirms that the syntax is correct, restart Apache:
sudo systemctl restart httpd
You have now configured your Apache server to use your self-signed SSL certificate and should be able to visit your site with SSL enabled. How to
check if an SSL certificate is valid
? To check if an SSL certificate is
valid, you can publicly available services, such as SSL server testing. Confirm the status of your certificate and check if all the details are correct.
Alternatively, access your website using https:// to see if the SSL certificate is visible. The green padlock indicates that the additional layer of encryption is present.
Conclusion By
following these instructions, you have secured traffic on your CentOS Linux distribution website by implementing an
SSL certificate.
Its new SSL certificate ensures that all data passing between the web server and browsers remains private and secure.
