With Google's Chrome now marking plain-HTTP pages as "Not secure", it is becoming a necessity to serve your website over HTTPS so it doesn't get flagged. SSL, which stands for Secure Sockets Layer (its successor is TLS, but the name SSL has stuck), encrypts the traffic between the browser and your site. This is essential whenever sensitive information such as login credentials, payment details and addresses is involved. While there are many paid and free SSL certificates to choose from, generating your own self-signed SSL certificate can be useful, and it's free!
In terms of encryption, a self-signed certificate gives you the same protection on the wire as a commercial SSL certificate: the same key sizes, protocols and cipher suites. What it lacks is a trusted third party vouching for who owns the site. A browser cannot tell your self-signed certificate from one an attacker might present while intercepting the connection, so it shows a warning and leaves the decision to the user. Because of this, if you run an eCommerce site, you are better off purchasing a certificate from a trusted commercial CA. If your site is not public-facing eCommerce, for example an internal tool, a staging server or an admin panel used by people who can import your certificate into their trust store, a self-signed certificate can save you money in the long term.
To learn how to install your own self-signed SSL Certificate, keep reading!
Prerequisites
In order to install a self-signed SSL certificate on Apache, you must install Apache first by running the following as root:
#yum install httpd
Then, to start Apache automatically after every reboot, run the following:
#systemctl enable httpd.service
Installing mod_ssl
mod_ssl is the Apache module that provides HTTPS; it links Apache to the OpenSSL library that does the actual encryption. Without it Apache cannot terminate TLS at all, self-signed certificate or not, so install it next (the package also drops the /etc/httpd/conf.d/ssl.conf file we edit later):
#yum install mod_ssl
Creating a new SSL Certificate
Once Apache is ready to support SSL, it is time to generate a certificate. Before we do, we need somewhere to keep the private key. On CentOS 7, /etc/ssl/certs already exists (it is a symlink to /etc/pki/tls/certs) and can hold the certificate file, which is public; the private key gets its own directory:
#mkdir /etc/ssl/private
Since the private key must be readable by root only, restrict the directory permissions:
#chmod 700 /etc/ssl/private
Now generate the private key and the self-signed certificate in one step (enter the following as one continuous line). The options mean: -x509 produces a self-signed certificate instead of a certificate signing request, -nodes leaves the key unencrypted so Apache can start without a passphrase, -days 365 sets the validity period, and -newkey rsa:2048 creates a fresh 2048-bit RSA key:
#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
This will prompt you for information such as country, province/state, organization, common name and email address.
Note: "Common Name" is the important field. Enter your hostname/domain, or the server's IP address if you have not registered a domain name. Be aware that current browsers match the certificate against the Subject Alternative Name extension rather than the Common Name (Chrome has ignored the Common Name since version 58), so a certificate generated interactively as above still triggers a name-mismatch warning even after a user imports it; adding a SAN requires an OpenSSL config file or, with OpenSSL 1.1.1 and later, the -addext option.
After you have generated the certificate, generate a set of Diffie-Hellman parameters; Apache uses them for the ephemeral DH (EDH) key exchanges in the cipher list we configure later, instead of its built-in defaults. This may take a while to complete:
#openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Apache reads custom DH parameters from the certificate file (the newer SSLOpenSSLConfCmd DHParameters directive is not available in the CentOS 7 build), so append them to apache-selfsigned.crt:
#cat /etc/ssl/certs/dhparam.pem >> /etc/ssl/certs/apache-selfsigned.crt
To double check, view apache-selfsigned.crt. You should see two PEM blocks: a CERTIFICATE block followed by a DH PARAMETERS block:
#cat /etc/ssl/certs/apache-selfsigned.crt
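The generation steps above as one script, with the single change a practitioner would make today: the certificate carries a Subject Alternative Name, which is what browsers actually match against, and it is written through a temporary OpenSSL config file so the same code works with the OpenSSL 1.0.2 shipped on CentOS 7, which lacks the -addext option. This is an added example and not the article's own commands; the file names follow the guide, while the hostname, directories and validity period are illustrative assumptions. The helper functions after it are the checks to run when Apache refuses the key/certificate pair or a client rejects the certificate.

```sh
#!/bin/sh
# Added example, not from the original article: generate the private key and
# a self-signed certificate that carries a Subject Alternative Name (SAN).
# A temporary OpenSSL config file is used so the same code works with the
# OpenSSL 1.0.2 shipped on CentOS 7, which has no `openssl req -addext`.
# File names follow the guide; hostname, directories and validity period
# are illustrative assumptions.
set -eu

# make_selfsigned KEYDIR CERTDIR HOST [DAYS]
# Writes KEYDIR/apache-selfsigned.key (mode 0600, KEYDIR mode 0700) and
# CERTDIR/apache-selfsigned.crt. HOST becomes the CN and the SAN, as a DNS
# name or, when HOST is dotted-decimal, as an IP address entry.
make_selfsigned() {
    keydir=$1; certdir=$2; host=$3; days=${4:-365}
    case $host in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    mkdir -p "$keydir" "$certdir"
    chmod 700 "$keydir"
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
CN = $host
[v3_server]
subjectAltName   = $san
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077: the key file is unreadable by others from the moment it exists
    (umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -config "$cfg" \
        -keyout "$keydir/apache-selfsigned.key" \
        -out "$certdir/apache-selfsigned.crt" 2>/dev/null)
    rm -f "$cfg"
}

# san_of CRT: print the SAN entries one per line ("DNS:host" / "IP Address:a.b.c.d")
san_of() {
    openssl x509 -in "$1" -noout -text | grep -oE '(DNS|IP Address):[^, ]+'
}

# key_matches_cert CRT KEY: succeeds only if KEY is the private half of the
# public key in CRT (the check to run when Apache reports a key mismatch)
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# verifies_as_own_root CRT: a self-signed certificate must verify when it is
# itself the only trusted root, which is how a client that imported it sees it
verifies_as_own_root() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage on the server (as root), matching the paths used in this guide:
#   make_selfsigned /etc/ssl/private /etc/ssl/certs www.example.com 365
#   san_of /etc/ssl/certs/apache-selfsigned.crt
#   key_matches_cert /etc/ssl/certs/apache-selfsigned.crt /etc/ssl/private/apache-selfsigned.key
```

The dhparam step from the guide applies unchanged afterwards, since it only appends a DH PARAMETERS block to the .crt file; run it after make_selfsigned, not before.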
Setting up your SSL
Open Apache’s config file using any text editor you wish. Here we are using vi:
#vi /etc/httpd/conf.d/ssl.conf
Find the <VirtualHost _default_:443> section and uncomment the DocumentRoot and ServerName lines so that they read as below:
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName www.example.com:443
Note, enter your own document root here; if you have not set one up, the default is /var/www/html. For ServerName, if you do not yet have a domain, enter your server's IP address followed by the HTTPS port (:443). The name here should match the Common Name you entered when generating the certificate.
Next, find the two lines below in the same section and comment them out by placing # in front of them, so that the stronger settings we add at the end of the file are the ones in effect:
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
Then point the certificate directives at the two files we created earlier, replacing the default localhost.crt and localhost.key paths under /etc/pki/tls:
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
Note, if you see a line reading "SSLSessionTickets Off", comment it out: that directive was added in Apache 2.4.11, and the 2.4.6 build shipped with CentOS 7 will refuse to start on an unknown directive.
Finally, paste the following after the closing </VirtualHost> tag, which is most likely at the end of the config file. Two caveats apply to a self-signed setup. Browsers ignore the Strict-Transport-Security header on a connection whose certificate they do not trust, so HSTS only takes effect for clients that have imported your certificate; once it has, those clients can no longer click through a certificate warning for this site, so replace the certificate before it expires. And OCSP stapling has nothing to staple without a CA responder to query, so it is left commented out below:
</VirtualHost>
#
# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
# OCSP stapling needs a CA responder to query; a self-signed certificate has
# none, so leave these two lines commented until you switch to a CA-issued one
#SSLUseStapling on
#SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off
Once you are done, save and exit the file.
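As an added example (not from the article), here is a small lint pass over ssl.conf that flags the settings this section tells you to change. apachectl configtest only validates syntax, so it happily accepts the stock 3DES cipher list. The script applies SSLProtocol the way mod_ssl does (a bare token replaces the set, + adds, - removes), which exposes one thing the copied block above does not fix: All -SSLv2 -SSLv3 still permits TLS 1.0 and 1.1, which are deprecated (RFC 8996); SSLProtocol -all +TLSv1.2 rules them out and is accepted by the Apache 2.4.6 build on CentOS 7. The directive names are mod_ssl's; the checks and the two embedded sample configs (the stock values, and this guide's final layout) are constructed for illustration, and the lint assumes the last active occurrence of a directive wins, which holds for the layout this guide produces.

```sh
#!/bin/sh
# Added example, not from the original article: a lint pass over the mod_ssl
# directives in an Apache ssl.conf. Directive names are mod_ssl's; the checks
# and sample configs are constructed for illustration. Assumption: the last
# active occurrence of a directive wins (vhost copies commented out, hardened
# copies appended after </VirtualHost>, as in this guide).
set -eu

# active_directive FILE NAME: value of the last uncommented NAME line, or ""
active_directive() {
    awk -v want="$2" '
        tolower($1) == tolower(want) { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
        END { print v }' "$1"
}

# enabled_protocols SPEC: apply an SSLProtocol spec the way mod_ssl does
# (bare token replaces the set, "+" adds, "-" removes, "all" is every
# version the build knows) and print the resulting set, space-delimited
enabled_protocols() {
    enabled=" "
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case $tok in
            [+-]*) op=$(printf '%.1s' "$tok"); name=${tok#?} ;;
            *)     op='='; name=$tok ;;
        esac
        case $name in
            all) names="sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3" ;;
            *)   names=$name ;;
        esac
        case $op in
            '=') enabled=" $names " ;;
            '+') enabled="$enabled$names " ;;
            '-') for n in $names; do enabled=$(printf '%s' "$enabled" | sed "s/ $n / /g"); done ;;
        esac
    done
    printf '%s\n' "$enabled"
}

# audit_ssl_conf FILE: print one finding per line; prints nothing when clean
audit_ssl_conf() {
    f=$1
    proto=$(active_directive "$f" SSLProtocol)
    [ -n "$proto" ] || proto=all   # unset: older 2.4 builds default to all, SSLv3 included
    versions=$(enabled_protocols "$proto")
    case $versions in *" sslv3 "*) echo "SSLProtocol leaves SSLv3 enabled (POODLE): $proto" ;; esac
    case $versions in *" tlsv1 "*|*" tlsv1.1 "*)
        echo "SSLProtocol leaves TLS 1.0/1.1 enabled (deprecated by RFC 8996): $proto" ;;
    esac

    ciphers=$(active_directive "$f" SSLCipherSuite)
    old_ifs=$IFS; IFS=:; set -f      # split on ":" only, no globbing of elements
    for elem in $ciphers; do
        case $elem in
            '!'*) ;;                     # explicitly removed from the list: fine
            3DES|DES|RC4|MD5|NULL|aNULL|eNULL|EXP|EXPORT|LOW|MEDIUM|SEED|IDEA)
                echo "SSLCipherSuite includes weak element: $elem" ;;
        esac
    done
    set +f; IFS=$old_ifs

    order=$(active_directive "$f" SSLHonorCipherOrder | tr 'A-Z' 'a-z')
    [ "$order" = on ] || echo "SSLHonorCipherOrder is not On (the client picks the cipher)"
    comp=$(active_directive "$f" SSLCompression | tr 'A-Z' 'a-z')
    [ "$comp" != on ] || echo "SSLCompression is on (CRIME)"
    return 0
}

# write_sample_configs DIR: constructed samples for a dry run; weak.conf holds
# the stock CentOS 7 values, hardened.conf this guide's final layout
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
    cat > "$1/hardened.conf" <<'EOF'
<VirtualHost _default_:443>
SSLEngine on
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
EOF
}

# Usage on the server: audit_ssl_conf /etc/httpd/conf.d/ssl.conf
```

Against the stock values the lint reports 3DES, the missing SSLHonorCipherOrder and TLS 1.0/1.1; against the hardened layout only the TLS 1.0/1.1 line remains, which is the directive to tighten once no client of yours still needs those versions.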
Redirecting HTTP to HTTPS
It is recommended, and more secure, to redirect HTTP to HTTPS; otherwise the site stays reachable over both, and a visitor who types the bare hostname lands on the unencrypted version. The redirect is optional, but if you want it, do the following:
Create a config file for the non-SSL virtual host:
#vi /etc/httpd/conf.d/non-ssl.conf
Enter the following so that every request on port 80 is answered with a permanent (301) redirect to the HTTPS site; use the same ServerName as in ssl.conf:
<VirtualHost *:80>
ServerName www.example.com
Redirect permanent "/" "https://www.example.com/"
</VirtualHost>
Save and exit the file once this is completed.
Activating your SSL Certificate
To be diligent, check the config files for syntax errors before restarting. Note that this checks syntax only; it will not tell you whether the protocol or cipher settings are strong:
#apachectl configtest
Once everything seems great, we must restart Apache to apply the changes that we have made:
#systemctl restart httpd.service
Lastly, open ports 80 and 443 in the firewall. If you manage the firewall with iptables, insert these two rules (rules inserted this way are lost at reboot unless you save them, for example with the iptables-services package). CentOS 7 ships with firewalld enabled by default; if that is what you are running, add the http and https services permanently with firewall-cmd instead of editing iptables directly:
#iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
To test your server, open a browser and enter the IP/domain. It should redirect to HTTPS and show a certificate warning page. Click Advanced and proceed, and the site loads over HTTPS with a warning indicator in the address bar. This is expected: the certificate is self-signed rather than issued by a CA the browser trusts, as the commercial SSL certificates we offer are.
After completing all of the required steps, you’re good to go!
Note that this warning is the same one a browser shows when someone is intercepting the connection, or when a phishing site uses a self-signed certificate, so a user cannot tell those cases apart from yours by looking at it. Only click through on servers you control, and be careful where you enter sensitive information online. For internal use, import the certificate into your clients' trust stores: the warning disappears, and any certificate other than yours is flagged again.
We hope this article has helped you learn how to install a self-signed SSL! Let us know in the comments below if you have any questions about the process and we’ll be happy to help.