Configuring Apache with SSL\/TLS Certificates on CentOS 8<\/h2>\n\n\n\nRun System Update<\/h3>\n\n\n\n
Update your system package by executing;<\/p>\n\n\n\n
dnf update<\/code><\/pre>\n\n\n\nInstall Apache and SSL\/TLS module on CentOS 8<\/h3>\n\n\n\n
Apache HTTP server is provided by the httpd<\/strong> package while mod_ssl<\/code><\/strong> packages provides the Apache SSL\/TLS module. Both packages can be installed by running;<\/p>\n\n\n\ndnf install httpd mod_ssl<\/code><\/pre>\n\n\n\nRunning Apache<\/h4>\n\n\n\n
Start and enable Apache to run on system boot.<\/p>\n\n\n\n
systemctl enable --now httpd<\/code><\/pre>\n\n\n\nAllow HTTPS on Firewall<\/h4>\n\n\n\n
To allow external access to Apache over HTTPS, open 443 (HTTPS) depending on the traffic to server.<\/p>\n\n\n\n
In this guide, since we configuring Nginx to the TLS certificates, we are opening port 443\/tcp.<\/p>\n\n\n\n
firewall-cmd --add-port=443\/tcp --permanent<\/code><\/pre>\n\n\n\nIf you are looking at redirecting the HTTP traffic to HTTPS, open port 80 too.<\/p>\n\n\n\n
firewall-cmd --add-port=80\/tcp --permanent<\/code><\/pre>\n\n\n\nfirewall-cmd --reload<\/code><\/pre>\n\n\n\nGenerate SSL\/TLS Certificates<\/h3>\n\n\n\n
There are multiple options to choose from when you want to secure Apache with SSL\/TLS certificates.<\/p>\n\n\n\n
\n- You can use self-signed certificates for test purposes.<\/li>\n\n\n\n
- You can order for a commercially trusted server certificate from your preferred CA<\/li>\n\n\n\n
- You can use the free<\/strong>, automated<\/strong>, and open<\/strong> CA, Let’s Encrypt<\/a>.<\/li>\n<\/ul>\n\n\n\n
Well, in this guide, we are using the first option of self-signed SSL\/TLS certificates for demonstration purposes.<\/p>\n\n\n\n
So how do you generate the self-signed SSL\/TLS certificates on CentOS 8? Openssl command is used to generate the SSL\/TLS certificates as shown below;<\/p>\n\n\n\n
openssl req -newkey rsa:4096 -nodes -keyout \/etc\/pki\/tls\/private\/kifarunix-demo<\/strong>.key -x509 -days 365 -out \/etc\/pki\/tls\/certs\/kifarunix-demo<\/strong>.crt<\/code><\/pre>\n\n\n\nSo what are the openssl command line options used above?<\/p>\n\n\n\n
\nreq<\/strong><\/code>: It is used to create CSR as well as the self signed certificates.<\/li>\n\n\n\n-newkey rsa:4096<\/code><\/strong>: This option creates a new certificate request and a 4096 bits RSA key at the same time.<\/li>\n\n\n\n-nodes<\/code><\/strong>: When this option is specified then if a private key is created it will not be encrypted.<\/li>\n\n\n\n-keyout<\/code><\/strong> \/etc\/pki\/tls\/private\/kifarunix-demo.key<\/code><\/strong>: Writes the newly created private key to the specified filename. Replace the filename accordingly.<\/li>\n\n\n\n-x509<\/code><\/strong>: This option outputs a self signed certificate instead of a certificate request.<\/li>\n\n\n\n-days 365<\/code><\/strong>: Used to specify the validity period for the self signed certificate generated. This therefore is valid for 365 days.<\/li>\n\n\n\n-out \/etc\/pki\/tls\/certs\/kifarunix-demo.crt<\/code><\/strong>: Specifies the output filename to write the self signed certificate to.<\/li>\n<\/ul>\n\n\n\nWhen the command runs, you are prompted to provide certificate identification details such the Country Name<\/strong> of your organization, the State<\/strong>, the Locality<\/strong>, the name of Organization<\/strong>, the Organization Unit<\/strong>, the Common Name<\/strong> (This is the most important detail), optional email.<\/p>\n\n\n\nYou can as well be able to provide these details on the command line using the -subj<\/code><\/strong> option of the openssl-req<\/code><\/strong> command as shown below;<\/p>\n\n\n\n-subj \"\/C=CN<\/strong>\/ST=STATE<\/strong>\/L=CITY<\/strong>\/O=ORG NAME<\/strong>\/OU=Department<\/strong>\/CN=DOMAIN_NAME<\/strong>\/emailAddress=name@domain<\/strong>\"<\/code><\/pre>\n\n\n\nFor example to generate a self-signed SSL\/TLS certificate for the domain, kifarunix-demo.com and all its sub-domains (Common name will be written as *.kifarunix-demo.com<\/strong>), you can openssl-req command as;<\/p>\n\n\n\n(Replace the domain names accordingly)<\/p>\n\n\n\n
openssl req -newkey rsa:4096 -nodes -keyout \/etc\/pki\/tls\/private\/kifarunix-demo<\/strong>.key -x509 -days 365 -out \/etc\/pki\/tls\/certs\/kifarunix-demo<\/strong>.crt \\\n-subj<\/strong> \"\/C=US\/ST=Oregon\/L=Springfield\/O=kifarunix-demo\/OU=IT\/CN=*.kifarunix-demo.com\/emailAddress=admin@kifarunix-demo.com\"<\/code><\/pre>\n\n\n\nWell, there you go. Your private key has been written to \/etc\/pki\/tls\/private\/<\/code>kifarunix-demo<\/code><\/strong>.key<\/code> while your certificate has been written to \/etc\/pki\/tls\/certs\/<\/code>kifarunix-demo<\/code><\/strong>.crt<\/code>.<\/p>\n\n\n\nWell, want to use commercially signed certificates? Generate the CSR and submit it to your favourite CA to order for trusted certificates.<\/p>\n\n\n\n
The command below can get you a CSR. Make due substitution.<\/p>\n\n\n\n
openssl req -new -newkey rsa:4096 -nodes -keyout domain.key -out domain.csr \\\n-subj \"\/C=CN<\/strong>\/ST=STATE<\/strong>\/L=CITY<\/strong>\/O=ORG NAME<\/strong>\/OU=Department<\/strong>\/CN=DOMAIN_NAME<\/strong>\/emailAddress=name@domain<\/strong>\"<\/code><\/pre>\n\n\n\nBe sure to keep the key safe as you will need when installing the certificates.<\/p>\n\n\n\n
Configure Apache to Use SSL\/TLS Certificates<\/h3>\n\n\n\n
Now that you have your SSL\/TLS private key and certificate (sel-signed in this case), proceed to configure Apache to use them.<\/p>\n\n\n\n
Open Apache SSL configuration file for editing.<\/p>\n\n\n\n
vim \/etc\/httpd\/conf.d\/ssl.conf<\/code><\/pre>\n\n\n\nApart from installing the SSL\/TLS certificates, there are some ciphers provided by Cipherli.st<\/a> that aims to provide Strong SSL Security for all modern browsers. We will also add these ciphers to Apache SSL configuration.<\/p>\n\n\n\nIn this guide, we are making changes to the default SSL virtual host configuration.<\/p>\n\n\n\n
## Redirect HTTP Traffic to HTTPS\n<VirtualHost *:80>\n DocumentRoot \/var\/www\/html\n ServerName centos8.kifarunix-demo.com\n RewriteEngine On\n RewriteCond %{HTTPS} off\n RewriteRule ^(.*)$ https:\/\/%{HTTP_HOST}%{REQUEST_URI} [R=301,L]\n<\/VirtualHost>\n\n## Begin SSL configuration\n\nListen 443 https\nSSLPassPhraseDialog exec:\/usr\/libexec\/httpd-ssl-pass-dialog\nSSLSessionCache shmcb:\/run\/httpd\/sslcache(512000)\nSSLSessionCacheTimeout 300\nSSLCryptoDevice builtin\n\n\n<VirtualHost _default_:443>\nErrorLog logs\/ssl_error_log\nTransferLog logs\/ssl_access_log\nLogLevel warn\nSSLEngine on\nSSLProtocol -all +TLSv1.3 +TLSv1.2\nSSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1\nSSLHonorCipherOrder on\nSSLCipherSuite EECDH+AESGCM:EDH+AESGCM\nSSLCertificateFile \/etc\/pki\/tls\/certs\/kifarunix-demo.crt\nSSLCertificateKeyFile \/etc\/pki\/tls\/private\/kifarunix-demo.key\n<FilesMatch \"\\.(cgi|shtml|phtml|php)$\">\n SSLOptions +StdEnvVars\n<\/FilesMatch>\n<Directory \"\/var\/www\/cgi-bin\">\n SSLOptions +StdEnvVars\n<\/Directory>\nBrowserMatch \"MSIE [2-5]\" \\\n nokeepalive ssl-unclean-shutdown \\\n downgrade-1.0 force-response-1.0\nCustomLog logs\/ssl_request_log \\\n \"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\\"%r\\\" %b\"\nHeader always set Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\"\nHeader always set X-Frame-Options DENY\nHeader always set X-Content-Type-Options nosniff\nSSLCompression off\n#SSLUseStapling on\n#SSLStaplingCache \"shmcb:logs\/stapling-cache(150000)\"\nSSLSessionTickets Off\n<\/VirtualHost><\/code><\/pre>\n\n\n\nThe Online Certificate Status Protocol (OCSP<\/em>) stapling is disabled since we are using self-signed certificates.<\/p>\n\n\n\nSave the configuration file and check for any configuration syntax.<\/p>\n\n\n\n
apachectl configtest<\/code><\/pre>\n\n\n\nor<\/p>\n\n\n\n
httpd -t<\/code><\/pre>\n\n\n\nSyntax OK<\/code><\/pre>\n\n\n\nCreate sample Apache test page on the default root directory;<\/p>\n\n\n\n
vim \/var\/www\/html\/index.html<\/code><\/pre>\n\n\n\n<!DOCTYPE html>\n<html>\n<body>\n<h1>centos8.kifarunix-demo.com<\/h1>\n<p>Configuring Apache to use SSL\/TLS certificates on CentOS 8<\/p>\n<\/body>\n<\/html><\/code><\/pre>\n\n\n\nRunning Apache with SSL\/TLS enabled<\/h3>\n\n\n\n
You can now restart Apache to effect the changes.<\/p>\n\n\n\n
systemctl restart httpd<\/code><\/pre>\n\n\n\nTesting Apache SSL\/TLS configuration<\/h3>\n\n\n\n
It is now time to test whether Apache is able to server HTTPS requests as well as redirect HTTP traffic to HTTPS traffic. Access it using the server’s IP address of hostname, https:\/\/server-IP-or-Hostname<\/strong>.<\/p>\n\n\n\n![\"Configure](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/11\/apache-https.png\" "\\"\\"")
<\/a><\/figure>\n\n\n\nEven if you try with http:\/\/server-IP-or-Hostname<\/strong>, it will be redirected to HTTPS.<\/p>\n\n\n\nRelated Tutorials<\/h3>\n\n\n\n
Install Redmine with Apache and MariaDB on CentOS 8<\/a><\/p>\n\n\n\nInstall Apache with Self-signed Certificate on FreeBSD 12<\/a><\/p>\n\n\n\nInstall phpMyAdmin with Apache on Fedora 30<\/a><\/p>\n\n\n\n