How to Create Self-Signed SSL Certificates and Keys for Apache on RHEL/CentOS 7.0

SSL (Secure Sockets Layer) is a cryptographic protocol that allows secure data flow between a server and its clients using symmetric/asymmetric keys by using a digital certificate signed by a Certificate Authority (CA).

Enable HTTPS for Apache on CentOS

Create SSL Certificates for Apache

Requirements

  1. Basic LAMP Installation on RHEL/CentOS 7.0

This tutorial provides an approach on how to set up Secure Sockets Layer (SSL) communication cryptographic protocol on Apache Web Server installed in Red Hat Enterprise Linux/CentOS 7.0, and generate self-signed Certificates and Keys with the help of a bash script which greatly simplifies the entire process.

Step 1: Install and Configure Apache SSL

1. To enable SSL on Apache HTTP Server use the following command to install SSL Module and OpenSSL tool-kit which is needed for SSL/TLS support.

# yum install mod_ssl openssl
Install SSL Module in CentOS

Install SSL Module

2. After SSL module has been installed, restart HTTPD daemon and add a new Firewall rule to ensure that SSL port – 443 – it’s opened to outside connections on your machine in listen state.

# systemctl restart httpd
# firewall-cmd --add-service=https   ## On-fly rule

# firewall-cmd --permanent  --add-service=https   ## Permanent rule – needs firewalld restart
Restart Apache Service on CentOS

Restart Apache Service

3. To test SSL connection, open a remote browser and navigate to your server IP address using HTPS protocol on https://server_IP.

Test Https Connections on Apache

Test SSL Connection

Step 2: Create SSL Certificates and Keys

4. The previous SSL communication between the server and client was done using a default Certificate and Key automatically generated on installation. In order to generate new private keys and self-signed certificates pairs create the following bash script on a executable system path ($PATH).

For this tutorial /usr/local/bin/ path was chosen, make sure the script has executable bit set and, then, use it as a command to create new SSL pairs on /etc/httpd/ssl/ as Certificates and Keys default location.

# nano /usr/local/bin/apache_ssl

Use the following file content.

#!/bin/bash
mkdir /etc/httpd/ssl
cd /etc/httpd/ssl

echo -e "Enter your virtual host FQDN: \nThis will generate the default name for Apache SSL Certificate and Key!"
read cert

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out $cert.key
chmod 600 $cert.key
openssl req -new -key $cert.key -out $cert.csr
openssl x509 -req -days 365 -in $cert.csr -signkey $cert.key -out $cert.crt

echo -e " The Certificate and Key for $cert has been generated!\nPlease link it to Apache SSL available website!"
ls -all /etc/httpd/ssl
exit 0
Create Self-Signed Certificates on CentOS

Create Self-Signed Certificates and Keys

5. Now make this script executable and launch it to generate a new pair of Certificate and Key for your Apache SSL Virtual Host.

Fill it with your information and pay attention to Common Name value to match your server FQDN or in case of Virtual Hosting to match the Web address you will be accessing when connecting to a secure website.

# chmod +x /usr/local/bin/apache_ssl
# apache_ssl
Enter SSL Information

Enter SSL Information

6. After the Certificate and Key are generated, the script will present a long listing of all your Apache SSL pairs stored in /etc/httpd/ssl/ location.

Apache SSL Pairs

Apache SSL Pairs

7. Other approach on generating SSL Certificates and Keys is by installing crypto-utils package on your system and generate pairs using genkey command, which can impose some problems especially when used on a Putty terminal screen.

So, I suggest to use this method only when you are directly connected to a screen monitor.

# yum install crypto-utils
# genkey your_FQDN
Install Crypto in Ubuntu

Install Crypto Package

8. To add the new Certificate and Key to your SSL website, open your website configuration file and replace SSLCertificateFile and SSLCertificateKeyFile statements with the new pairs location and names accordingly.

Enable SSL On Apache VirtualHosts

Enable SSL On VirtualHosts

9. If the Certificate is not issued by a trusted CA – Certification Authority or the hostname from certificate does not match the hostname who establish the connection, an error should appear on your browser and you must manually accept the certificate.

SSL Certificate Error

SSL Certificate Error

SSL Enabled on Apache

SSL Enabled on Apache

That’s it! Now you can use apache_sslas a command line on RHEL/CentOS 7.0 to generate as many pairs of self-signed Certificates and Keys you need, and all will be kept on /etc/httpd/ssl/ path with the Key file protected with 700 permissions.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Matei Cezar

I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

3 Responses

  1. Yahoo says:

    WOW just what I was looking for. Came here by searching for create ssl certificates

  2. guust says:

    remove the previous message my mistake I forgot the chmod for the file.

  3. guust says:

    Hi I did try the ‘apache_ssl’ script but nothing happens.

    Question: is there a option for error logging in the script?

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.