How to install SSL on httpd CentOS

Posted on 2011-10-10
Last Modified: 2012-05-12

I have a virtual directory on /var/www/virtual/, and I want to install a 3rd-party SSL certificate (which I purchased from one of the SSL providers).

I generated a CSR and sent it to the SSL provider and got 3 files: domain.crt, externalCARoot.crt and CompanySecureServerCA.crt

My vhost configuration file is located at /etc/httpd/conf.d with the name of

Please help me: how should I configure the SSL certificate for this vhost so that visitors don't receive an invalid certificate error when visiting my website?

Question by: re-searcher

    Assisted Solution

    by: Christopher Raymond Mendoza
    Hello re-searcher,

    This is what our file usually contains:

            CustomLog logs/ common
            DocumentRoot /var/www/
            ErrorLog logs/
            SSLEngine on
            # Chain file: the intermediate CA certificate(s) the provider sent (the CA that
            # signed your server certificate), so browsers can build the path from your
            # certificate to a root they already trust.
            SSLCertificateChainFile /etc/pki/tls/certs/RootCA.crt
            # Your own server certificate, returned by the provider for your CSR
            SSLCertificateFile /etc/pki/tls/certs/
            # The private key that was used to generate the CSR; keep it readable by root only
            SSLCertificateKeyFile /etc/pki/tls/private/

    A sample configuration similar to the above is usually given by SSL providers.

    Accepted Solution

    Getting the required software

    For an SSL encrypted web server you will need a few things. Depending on your install you may or may not have OpenSSL and mod_ssl, Apache's interface to OpenSSL.

    Use yum to get them if you need them.

    yum install mod_ssl openssl

    Yum will either tell you they are installed or will install them for you.

    Generate a self-signed certificate

    Using OpenSSL we will generate a self-signed certificate. If you are using this on a production server you will need a key from a Trusted Certificate Authority, but if you are just using this on a personal site or for testing purposes a self-signed certificate is fine. To create the key you will need to be root, so you can either su to root or use sudo in front of the commands.

    openssl genrsa -out ca.key 1024 # Generate private key (1024-bit RSA is considered too weak today; 2048 bits or more is the usual minimum)

    # Generate CSR
    openssl req -new -key ca.key -out ca.csr

    # Generate self-signed certificate
    openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

    # Move the files to the correct locations
    mv ca.crt /etc/pki/tls/certs
    mv ca.key /etc/pki/tls/private/ca.key
    mv ca.csr /etc/pki/tls/private/ca.csr

    Then we need to update the Apache SSL configuration file:

    vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

    Change the paths to match where the key file is stored. If you've used the method above it will be:

    SSLCertificateFile /etc/pki/tls/certs/ca.crt

    Then set the correct path for the Certificate Key File a few lines below. If you've followed the instructions above it is:

    SSLCertificateKeyFile /etc/pki/tls/private/ca.key

    Quit and save the file and then restart Apache:

    /etc/init.d/httpd restart

    All being well you should now be able to connect over https to your server and see a default CentOS page. As the certificate is self-signed, browsers will generally ask you whether you want to accept the certificate. Firefox 3 won't let you connect at all, but you can override this.

    Setting up the virtual hosts

    Just as you set up virtual hosts for http on port 80, so you do for https on port 443. A typical virtual host for a site on port 80 looks like this:

    <VirtualHost *:80>
            <Directory /var/www/vhosts/>
            AllowOverride All
            </Directory>
            DocumentRoot /var/www/vhosts/
    </VirtualHost>

    To add a sister site on port 443 you need to add the following at the top of your file

    NameVirtualHost *:443
    and then a VirtualHost record something like this:

    <VirtualHost *:443>
            SSLEngine on
            SSLCertificateFile /etc/pki/tls/certs/ca.crt
            SSLCertificateKeyFile /etc/pki/tls/private/ca.key
            <Directory /var/www/vhosts/>
            AllowOverride All
            </Directory>
            DocumentRoot /var/www/vhosts/
    </VirtualHost>

    Restart Apache again using

    /etc/init.d/httpd restart

    You should now have a site working over https. If you can't connect you probably need to open the port on your firewall:

    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    /sbin/service iptables save
    iptables -L -v
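    The walkthrough above uses a self-signed certificate, while the question is about a certificate bought from a provider, where the visitor's "invalid certificate" warning almost always comes from the intermediate certificate (CompanySecureServerCA.crt) not being served alongside domain.crt. The script below is an added example and is not code from this thread: it builds a throw-away root -> intermediate -> server chain with the same three file names as in the question, shows with openssl verify that the server certificate is only accepted when the intermediate is supplied, checks that the private key matches the certificate, and writes the vhost that ties the files together. The hostname www.example.com, the CA names, the temporary directory and the function names are all constructed for the demo; on a real server the three .crt files come from the provider and the key is the one that produced the CSR.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires the openssl CLI.
# All file names, CA names and the hostname are constructed for the demo.
set -u

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal OpenSSL config: a CA profile for root/intermediate, a server profile for the leaf.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

# Create root -> intermediate -> server certificates in $1, using the file names from
# the question: externalCARoot.crt (root), CompanySecureServerCA.crt (intermediate),
# domain.crt (server certificate) and domain.key (the key behind the CSR).
make_demo_chain() {
    d="$1"
    write_openssl_cnf "$d/demo.cnf"
    # Root CA, self-signed: this is what browsers would already trust.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$d/demo.cnf" -extensions v3_ca -subj "/CN=Demo External Root CA" \
        -keyout "$d/root.key" -out "$d/externalCARoot.crt" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=Demo Company Secure Server CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -days 1825 -in "$d/inter.csr" \
        -CA "$d/externalCARoot.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/demo.cnf" -extensions v3_ca -out "$d/CompanySecureServerCA.crt" 2>/dev/null
    # Server certificate, signed by the intermediate (what the provider returns for a CSR).
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=www.example.com" \
        -keyout "$d/domain.key" -out "$d/domain.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/domain.csr" \
        -CA "$d/CompanySecureServerCA.crt" -CAkey "$d/inter.key" -CAcreateserial \
        -extfile "$d/demo.cnf" -extensions v3_server -out "$d/domain.crt" 2>/dev/null
}

# Verify the server certificate the way a browser does: trust only the root and use the
# intermediate purely as an untrusted helper. Exit status 0 means the chain is good.
verify_with_intermediate() {
    openssl verify -CAfile "$1/externalCARoot.crt" \
        -untrusted "$1/CompanySecureServerCA.crt" "$1/domain.crt" >/dev/null 2>&1
}

# The same check without the intermediate: this is what a browser sees when Apache serves
# domain.crt alone, and it is the cause of the "invalid certificate" warning. Expected to fail.
verify_without_intermediate() {
    openssl verify -CAfile "$1/externalCARoot.crt" "$1/domain.crt" >/dev/null 2>&1
}

# A key that does not match the certificate makes httpd refuse to start; compare the RSA moduli.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1/domain.crt" 2>/dev/null)" = \
      "$(openssl rsa -noout -modulus -in "$1/domain.key" 2>/dev/null)" ]
}

# Emit the SSL vhost for the three files. Apache 2.2 (CentOS 5/6) takes the intermediate via
# SSLCertificateChainFile; the root is not needed there because the browser already has it,
# and SSLCACertificateFile is for client-certificate authentication, not for this.
write_vhost() {
    d="$1"; out="$2"
    cat > "$out" <<EOF
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/virtual/
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile      $d/domain.crt
    SSLCertificateKeyFile   $d/domain.key
    SSLCertificateChainFile $d/CompanySecureServerCA.crt
    <Directory /var/www/virtual/>
        AllowOverride All
    </Directory>
</VirtualHost>
EOF
}

main() {
    make_demo_chain "$WORKDIR"
    verify_with_intermediate "$WORKDIR" && echo "with intermediate: chain OK"
    verify_without_intermediate "$WORKDIR" || echo "leaf alone: rejected (missing intermediate)"
    key_matches_cert "$WORKDIR" && echo "private key matches domain.crt"
    write_vhost "$WORKDIR" "$WORKDIR/ssl-vhost.conf"
    echo "demo vhost written to $WORKDIR/ssl-vhost.conf"
}
main
```

    On the real server the same openssl verify line, run against the provider's externalCARoot.crt and CompanySecureServerCA.crt, tells you before restarting httpd whether the chain you are about to serve is complete; the key belongs in /etc/pki/tls/private with mode 0600 and the two certificates in /etc/pki/tls/certs, with the vhost paths adjusted to match.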

    Assisted Solution

    Hi,

    Here is the step by step process for enabling ssl on httpd.

    CentOS has a different configuration for ssl, and all certificate generation configuration files have been moved to the /etc/pki/tls dir.

    Here are the steps to make CentOS apache+ssl (self-signed certificate):

    1. go to /etc/pki/tls/certs
    2. run: make mycert.pem
    3. Enter the information about country, state, city, host name etc.; your certificate and key have been created.
    4. now go to /etc/httpd/conf.d/ssl.conf and change..
    # mycert.pem holds both the private key and the certificate, so both directives point at it
    SSLCertificateFile /etc/pki/tls/certs/mycert.pem
    SSLCertificateKeyFile /etc/pki/tls/certs/mycert.pem
    5. save changes.
    6. on shell prompt: service httpd start

    That's it!!!
    For more detail, please have a look at the link below.


