The Ultimate Guide to Secure Apache with SSL Certificate on CentOS 8

With the sharp increase in cybercrime, governments and other regulatory authorities have come to rely heavily on the HTTPS protocol, which is enabled by an SSL certificate, particularly when it comes to protecting personal and sensitive user data from credential theft, man-in-the-middle attacks, and other forms of network-based security breaches.

Certain classes of website owners must install an SSL certificate. These include websites accepting online payments and all other websites that are used in the European Union region. Hence, webmasters can no longer underestimate the power of TLS/SSL certificates when it comes to enhancing network security.

HTTPS, an advanced version of the HTTP protocol, achieves this by encrypting communication between the server and the client. It thereby allows secure data transmission by minimizing the possibility of data sniffing and unauthorized interception. It is every website owner's responsibility to ensure that an active and functional TLS/SSL certificate is installed on their website to protect their visitors' best interests.

However, doing this may seem a little complex, depending on the technologies you choose to use. For example, if you use a system that runs on CentOS and wish to use the Apache web server, it will not be a cakewalk. So, to make that a seamless experience, we shall now discuss how you can install an SSL certificate on your Apache web server, using a CentOS machine.

Steps for installing a self-signed SSL Certificate on CentOS

To install a self-signed SSL certificate on the Apache web server on your CentOS system, you need to start by installing the right modules. For that, you must have the administrative rights needed to run sudo commands. Below is a 3-step guide to easily install TLS/SSL to encrypt your website.

Step 1 – Install the necessary packages.

The first step involved in setting up the SSL certificate is to create the right environment by installing the necessary utilities.

To set up the Apache HTTP server (httpd), start by installing the following package:

sudo yum install httpd

Next, install the Apache SSL module using the below command:

sudo yum install mod_ssl

Finally, you need to install the OpenSSL package, which is essential for generating the SSL certificate. Do that using the following command:

sudo yum install openssl

Step 2 – Configure the Apache Webserver 

Now that you have installed the necessary packages and created the right environment, it's time to get Apache running before generating the SSL certificate. Activate and verify Apache with the following commands, one by one:

sudo systemctl start httpd

sudo systemctl enable httpd

sudo systemctl status httpd

The first command starts the Apache webserver. The next one configures the Apache webserver to start whenever the system boots. The third one is to confirm the status of your Apache webserver.

Step 3 – Configure the ports.

Use the following commands one after the other to open the ports:

sudo firewall-cmd --permanent --add-port=80/tcp

sudo firewall-cmd --permanent --add-port=443/tcp

sudo firewall-cmd --reload

Step 4 – Configure the SSL

Now that your Apache web server is up and running, it's time to configure the SSL certificate by adding relevant details such as the standard for the public key infrastructure, security, validity, and more.

To start configuring all of that, use the following command:

sudo openssl req -x509 -nodes -days 90 -newkey rsa:2048 -keyout /etc/pki/tls/private/apache-selfsigned.key -out /etc/pki/tls/certs/apache-selfsigned.crt

You will then be prompted to enter specific details. You can also modify the above command according to your requirements: -x509 produces a self-signed X.509 certificate, -nodes leaves the private key unencrypted so that Apache can read it without a passphrase, -days 90 sets the validity of the certificate to 90 days, -newkey rsa:2048 generates an RSA key 2048 bits long, and -keyout and -out set where the private key file and the certificate are placed.

A point to note is that you need to keep the validity of a self-signed SSL Certificate less than or equal to 365 days. This helps avoid the risk of the certificate being marked insecure by the browser.

You might then have to fill in data, as shown below:

Country Name (2 letter code) [XX]:FR

State or Province Name (full name) []:Brittany

Locality Name (e.g., city) [Default City]:Rennes 

Organization Name (e.g., company) [Default Company Ltd]:Rockstar Inc

Organizational Unit Name (e.g., section) []:HR Dept

Common Name (eg, your name or your server’s hostname) []:your_domain_or_ip_address

Email Address []:[email protected]

You can find the two-letter country codes here, and the rest of the data can be altered accordingly.
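The certificate from Step 4 can also be generated without the prompts and checked before Apache is pointed at it. The script below is an added example, not part of the original article: the function names, the host name www.example.test and the temporary directory are assumptions, and it relies on OpenSSL 1.1.1 or later (for -addext) and GNU stat. It also sets a subjectAltName, because current browsers match the host name against that field rather than the Common Name.

```bash
#!/usr/bin/env bash
# Added example. Host name and directories are constructed placeholders.

# Generate the self-signed pair without prompts, including a subjectAltName.
# $1 = output directory, $2 = host name, $3 = validity in days
make_selfsigned() {
  openssl req -x509 -nodes -days "$3" -newkey rsa:2048 \
    -subj "/C=FR/O=Rockstar Inc/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/apache-selfsigned.key" \
    -out "$1/apache-selfsigned.crt" 2>/dev/null || return 1
  chmod 600 "$1/apache-selfsigned.key"   # private key readable by owner only
}

# Check a certificate/key pair before Apache is pointed at it.
# $1 = certificate, $2 = private key, $3 = host name; returns 0 if all pass.
check_pair() {
  rc=0
  # 1. The certificate must carry the public key derived from the key file.
  if [ "$(openssl x509 -in "$1" -noout -pubkey)" != \
       "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]; then
    echo "FAIL: certificate and private key do not match"; rc=1
  fi
  # 2. The key file must not be accessible to group or others.
  mode=$(stat -c '%a' "$2")
  case $mode in
    ?00) ;;
    *) echo "FAIL: key mode $mode is too permissive"; rc=1 ;;
  esac
  # 3. The certificate must still be valid 24 hours from now.
  openssl x509 -in "$1" -noout -checkend 86400 >/dev/null ||
    { echo "FAIL: certificate expires within 24 hours"; rc=1; }
  # 4. The host name must be listed as a subjectAltName entry.
  openssl x509 -in "$1" -noout -text | grep -qwF "DNS:$3" ||
    { echo "FAIL: no subjectAltName entry for $3"; rc=1; }
  return $rc
}

# Demo in a throwaway directory; on the server, pass the /etc/pki/tls paths.
demo() {
  d=$(mktemp -d) || return 1
  make_selfsigned "$d" www.example.test 90 &&
    check_pair "$d/apache-selfsigned.crt" "$d/apache-selfsigned.key" \
      www.example.test && echo "OK: pair is consistent and ready to use"
  status=$?
  rm -rf "$d"
  return $status
}
demo
```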

Step 5 – Tell Apache about your SSL Certificate’s Status

Now that you have the SSL certificate ready, it’s time to tell the Apache web server about it. You can configure this by creating a file in the ‘/etc/httpd/conf.d’ directory.

To do that, use the below command:

sudo vi /etc/httpd/conf.d/enter_your_domainname_or_ipaddress.conf 

Next, add the following VirtualHost configuration to that file:

<VirtualHost *:443>

   ServerName your_domainname_or_ipaddress

   DocumentRoot /var/www/ssl-test

   SSLEngine on

   SSLCertificateFile /etc/pki/tls/certs/apache-selfsigned.crt

   SSLCertificateKeyFile /etc/pki/tls/private/apache-selfsigned.key

</VirtualHost>

Finally, it is time to reload Apache, and you can do that with the following command:

sudo systemctl reload httpd

With that, you have installed an SSL certificate on your Apache web server using CentOS. However, you need to know that self-signed certificates might be free but aren’t the best option available.

We strongly recommend buying an SSL certificate that is duly signed and issued by a well-known certifying authority. This avoids the possibility of your website being flagged by browsers, because operating systems and browsers seldom recognize self-signed SSL certificates. That is not the case when you get one signed by a renowned CA, because most browsers and operating systems come pre-installed with the public keys of reputed certifying authorities.
