CONFIGURATION OF SELF-SIGNED SSL CERTIFICATE FOR CENTOS 8
TLS, or “transport layer security” — and its predecessor SSL — are protocols used to wrap normal
traffic in a protected, encrypted wrapper. Using this technology, servers can safely send information to
their clients without their messages being intercepted or read by an outside party.
Note: A self-signed certificate will encrypt communication between your server and its clients.
However, because it is not signed by any of the trusted certificate authorities included with web browsers
and operating systems, users cannot use the certificate to automatically validate the identity of your
server. As a result, your users will see a security error when visiting your site.
Because of this limitation, self-signed certificates are not appropriate for a production environment
serving the public. They are typically used for testing, or for securing non-critical services used by a single
user or a small group of users that can establish trust in the certificate’s validity through alternate
communication channels.
For a more production-ready certificate solution, check out Let’s Encrypt, a free certificate authority.
You can learn how to download and configure a Let’s Encrypt certificate in our How To Secure Apache
with Let’s Encrypt on CentOS 8 tutorial.
Installing mod_ssl
First, install mod_ssl, the Apache module that provides support for SSL encryption:
sudo dnf install mod_ssl
Creating the SSL Certificate
Now that Apache is ready to use encryption, we can move on to generating a new SSL certificate. The
certificate will store some basic information about our site, and will be accompanied by a key file that allows
the server to securely handle encrypted data.
We can create the SSL key and certificate files with the openssl command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/kaantest.key -out /etc/pki/tls/certs/kaantest.crt
After you enter the command, you will be taken to a prompt where you can enter information about your
website. Before we go over that, let’s take a look at what is happening in the command we are issuing:
- openssl: This is the command line tool for creating and managing OpenSSL certificates, keys, and other files.
- req -x509: This specifies that we want to use X.509 certificate signing request (CSR) management. X.509 is
a public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
- -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Apache
to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent
this from happening, since we would have to enter it after every restart.
- -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one
year here. Many modern browsers will reject any certificates that are valid for longer than one year.
- -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same
time. We did not create the key that is required to sign the certificate in a previous step, so we need to
create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
- -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
- -out: This tells OpenSSL where to place the certificate that we are creating.
Fill out the prompts appropriately. The most important line is the one that requests the Common Name.
You need to enter either the hostname you’ll use to access the server by, or the public IP of the server. It’s
important that this field matches whatever you’ll put into your browser’s address bar to access the site, as a
mismatch will cause more security errors.
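As an added example (not part of the original tutorial), the same openssl invocation scripted non-interactively: the Common Name is supplied through -subj, a matching subjectAltName is added because current browsers check the SAN rather than the Common Name, and two checks follow that are worth running before pointing Apache at the files: read back the CN, and confirm the key and certificate belong together. The function names and the scratch paths are assumptions; OpenSSL 1.1.1 or later (as shipped with CentOS 8) is assumed for -addext.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Generates a self-signed
# certificate without prompts and verifies it. Paths are parameters so the
# script can be exercised as an unprivileged user against a scratch directory.
set -eu

# gen_selfsigned <common-name> <key-file> <cert-file> [days]
# -subj answers the interactive prompts; -addext adds a subjectAltName, which
# browsers check instead of the Common Name.
gen_selfsigned() {
    cn=$1; key=$2; crt=$3; days=${4:-365}
    case $cn in
        *[!0-9.]*) san="DNS:$cn" ;;   # hostname
        *)         san="IP:$cn" ;;    # dotted IPv4 literal
    esac
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$key" -out "$crt" \
        -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
    chmod 600 "$key"                  # private key must not be world-readable
}

# cert_cn <cert-file>: print the subject CN so it can be compared to ServerName
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/^CN=//'
}

# key_matches_cert <key-file> <cert-file>: exit 0 only if the public key in the
# certificate is the one derived from the private key (catches mixed-up files)
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Stand-alone run ("sh script.sh run"): generate into a temporary directory.
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    gen_selfsigned www.kaantest.com "$dir/kaantest.key" "$dir/kaantest.crt"
    echo "CN: $(cert_cn "$dir/kaantest.crt")"
    openssl x509 -in "$dir/kaantest.crt" -noout -dates -ext subjectAltName
    key_matches_cert "$dir/kaantest.key" "$dir/kaantest.crt" && echo "key matches certificate"
fi
```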
Configuring Apache to Use SSL
Now that we have our self-signed certificate and key available, we need to update our Apache
configuration to use them. On CentOS, you can place new Apache configuration files (they must end
in .conf) into /etc/httpd/conf.d and they will be loaded the next time the Apache process is reloaded or
restarted.
For this tutorial we will create a new minimal configuration file. If you already have an
Apache <VirtualHost> set up and just need to add SSL to it, you will likely need to copy over the
configuration lines that start with SSL, and switch the VirtualHost port from 80 to 443. We will take care
of port 80 in the next step.
We already have “sites-available/f5kaantest.com.conf” in our “/etc/httpd” path. So we will
configure it with this command:
sudo vi /etc/httpd/sites-available/f5kaantest.com.conf
Be sure to update the ServerName line to however you intend to address your server. This can
be a hostname, full domain name, or an IP address. Make sure whatever you choose matches the
Common Name you chose when making the certificate.
The remaining lines specify a DocumentRoot directory to serve files from, and the SSL options
needed to point Apache to our newly-created certificate and key.
Save and close the file, then check your Apache configuration for syntax errors by typing:
sudo apachectl configtest
You may see some warnings, but as long as the output ends with Syntax OK, you are safe to
continue. If this is not part of your output, check the syntax of your files and try again.
When all is well, reload Apache to pick up the configuration changes:
sudo systemctl reload httpd
Now load your site in a browser, being sure to use https:// at the beginning.
https://www.kaantest.com
You should see an error. This is normal for a self-signed certificate! The browser is warning you
that it can’t verify the identity of the server, because our certificate is not signed by any of the browser’s
known certificate authorities. For testing purposes and personal use this can be fine. You should be able
to click through to advanced or more information and choose to proceed.
Redirecting HTTP to HTTPS
Currently, our configuration will only respond to HTTPS requests on port 443. It is good practice to
also respond on port 80, even if you want to force all traffic to be encrypted. Let’s set up a VirtualHost to
respond to these unencrypted requests and redirect them to HTTPS.
Open the same Apache configuration file we started in previous steps:
sudo vi /etc/httpd/sites-available/f5kaantest.com.conf
At the bottom, create another VirtualHost block to match requests on port 80. Use
the ServerName directive to again match your domain name or IP address. Then, use Redirect to match
any requests and send them to the SSL VirtualHost.
Save and close this file when you are finished, then test your configuration syntax again, and reload
Apache:
sudo apachectl configtest
sudo systemctl restart httpd
You can test the new redirect functionality by visiting your site with plain http:// in front of the
address. You should be redirected to https:// automatically.
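The tutorial describes f5kaantest.com.conf (the 443 VirtualHost with ServerName, DocumentRoot and the SSL lines, then the port-80 VirtualHost that redirects) without showing it. As an added example that is not the tutorial's own file, this writes that configuration from the ServerName and DocumentRoot, then runs the sanity checks worth doing before apachectl configtest. The function names, the DocumentRoot, the SSLProtocol/SSLCipherSuite lines (a minimum TLS policy added here) and the scratch output path are assumptions; the certificate and key paths are the tutorial's.

```shell
#!/bin/sh
# Added example, not the tutorial's own configuration. Writes the two
# VirtualHost blocks the steps above describe and checks them.
set -eu

# write_vhost <server-name> <document-root> <out-file>
write_vhost() {
    name=$1; docroot=$2; out=$3
    cat > "$out" <<EOF
<VirtualHost *:443>
    ServerName $name
    DocumentRoot $docroot

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/kaantest.crt
    SSLCertificateKeyFile /etc/pki/tls/private/kaantest.key
    # Assumed minimum policy: no SSLv3/TLS 1.0/1.1, no anonymous or weak ciphers
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
</VirtualHost>

<VirtualHost *:80>
    ServerName $name
    # Permanent redirect of every path to the HTTPS VirtualHost
    Redirect permanent / https://$name/
</VirtualHost>
</EOF>
EOF
}

# vhost_check <file>: both VirtualHosts present, SSLEngine on exactly once
# (only in the 443 block), and the redirect target host equal to ServerName.
# Returns 0 when every check holds.
vhost_check() {
    f=$1
    grep -q '^<VirtualHost \*:443>' "$f" || return 1
    grep -q '^<VirtualHost \*:80>' "$f" || return 1
    [ "$(grep -c 'SSLEngine on' "$f")" -eq 1 ] || return 1
    name=$(awk '/ServerName/ {print $2; exit}' "$f")
    grep -q "Redirect permanent / https://$name/" "$f" || return 1
}

# Stand-alone run ("sh script.sh run") writes the real file and tests syntax.
if [ "${1:-}" = "run" ]; then
    write_vhost www.kaantest.com /var/www/kaantest /etc/httpd/sites-available/f5kaantest.com.conf
    vhost_check /etc/httpd/sites-available/f5kaantest.com.conf && apachectl configtest
fi
```

On a stock CentOS 8 httpd.conf only conf.d/*.conf is included, so a file under sites-available is picked up only if it is included from there (for example via a symlink into /etc/httpd/conf.d).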
1/20/2022
Kaan Aslandag
Signed by: www.kaan1.com