With Google's recent push toward HTTPS, it is becoming a necessity to have your website certified and encrypted so that it does not get flagged as insecure. SSL, which stands for Secure Sockets Layer (its modern successor is TLS), is the protocol used to encrypt traffic between your visitors and your site. This is essential when sensitive information such as login credentials, payment methods, and addresses is involved. While there are many paid and free SSL certificates for you to choose from, generating your own self-signed SSL certificate can be beneficial, and it is free!

In terms of encryption, a self-signed certificate offers the same protection as a commercial SSL certificate. The main difference between the two is trust: browsers and clients recognise certificates issued by a known certificate authority, so a commercial SSL certificate has a better and more widely accepted reputation than a self-signed one. Because of this, if you run an eCommerce site, you may be better off purchasing a trusted commercial certificate. However, if your site does not revolve around eCommerce, a self-signed certificate can be economically beneficial for you in the long term.

To learn how to install your own self-signed SSL Certificate, keep reading!

Prerequisites

In order to install a self-signed SSL certificate on Apache, you must install Apache first by typing out the following:

#yum install httpd

Then, to have Apache start automatically after every reboot, run the following:

#systemctl enable httpd.service

Installing mod_ssl

mod_ssl is the Apache module that provides SSL/TLS support; without it, Apache can neither load our self-signed certificate nor encrypt connections with it. Install it by entering the following:

#yum install mod_ssl

Creating a new SSL Certificate

Once Apache is ready to support our new SSL, it is time to generate a new certificate. Before we generate it, we need a place to keep the private key. The directory /etc/ssl/certs already exists and will hold the certificate file, so let's create a separate directory for the key:

#mkdir /etc/ssl/private

Since we want this directory to be private with only root access, we must change the permissions:

#chmod 700 /etc/ssl/private

To generate the private key and the self-signed certificate together, placing them in the directories above, enter the following in one continuous line. The -nodes option leaves the key unencrypted so that Apache can start without a passphrase, which is why we restricted the key directory to root; -days 365 makes the certificate valid for one year:

#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

This will prompt you to enter your information such as country, province/state, common name, email, etc.

Note: “Common Name” will be important. You need to enter either your hostname/domain or IP if you have not registered a domain name.

After you have generated the certificate, run the following to generate a set of Diffie-Hellman parameters, which Apache uses for the DHE key exchange in the cipher suites we configure later. This may take a moment to complete:

#openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Append the DH parameters to apache-selfsigned.crt so that Apache picks them up from the certificate file:

#cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/apache-selfsigned.crt

To double check, view apache-selfsigned.crt. You should see two PEM blocks: the certificate and the DH parameters:

#cat /etc/ssl/certs/apache-selfsigned.crt
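As an added example (not part of the original article), the following POSIX shell script performs the same key, certificate and DH-parameter steps non-interactively and then checks the result: that the private key matches the certificate, that the bundle carries both PEM blocks, and what the certificate's SHA-256 fingerprint is so you can compare it with what the browser shows. The function names and the -subj shortcut, which replaces the interactive prompts, are this example's own assumptions rather than anything from the tutorial.

```shell
#!/bin/sh
# Added example (not from the original article): build the tutorial's key,
# certificate and DH-parameter bundle non-interactively, then verify it.
set -eu

# make_bundle DIR COMMON_NAME DAYS DH_BITS
# Writes DIR/apache-selfsigned.key, DIR/dhparam.pem and DIR/apache-selfsigned.crt
# (certificate with DH parameters appended). Use 2048 DH bits as the article
# does; smaller sizes are acceptable only for quick tests.
make_bundle() {
    dir=$1; cn=$2; days=$3; dhbits=$4
    mkdir -p "$dir"
    chmod 700 "$dir"   # the key is unencrypted (-nodes), so restrict the directory
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$dir/apache-selfsigned.key" \
        -out "$dir/apache-selfsigned.crt" 2>/dev/null
    openssl dhparam -out "$dir/dhparam.pem" "$dhbits" 2>/dev/null
    cat "$dir/dhparam.pem" >> "$dir/apache-selfsigned.crt"
}

# check_bundle CRT KEY: returns 0 when the key matches the certificate, the
# self-signature verifies, and the file carries both PEM blocks.
check_bundle() {
    crt=$1; key=$2
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$crt" || { echo "no CERTIFICATE block" >&2; return 1; }
    grep -q 'BEGIN DH PARAMETERS' "$crt" || { echo "no DH PARAMETERS block" >&2; return 1; }
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || { echo "self-signature invalid" >&2; return 1; }
}

# cert_fingerprint CRT: SHA-256 fingerprint to compare against the browser's
# certificate viewer before clicking through the warning.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_cn CRT: the Common Name the certificate was issued for.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone usage: ./check-selfsigned.sh --demo builds into a scratch directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_bundle "$d" "www.example.com" 365 2048
    check_bundle "$d/apache-selfsigned.crt" "$d/apache-selfsigned.key" && echo "bundle OK"
    echo "CN: $(cert_cn "$d/apache-selfsigned.crt")  SHA-256: $(cert_fingerprint "$d/apache-selfsigned.crt")"
fi
```

Run it against the files in /etc/ssl before editing ssl.conf; if check_bundle fails, the certificate and key do not belong together and Apache will refuse to start.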

Setting up your SSL

Open Apache’s config file using any text editor you wish. Here we are using vi:

#vi /etc/httpd/conf.d/ssl.conf

Find the line that says <VirtualHost _default_:443> and, below it, uncomment the DocumentRoot and ServerName lines so that they read as follows:

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName www.example.com:443

Note: use your own document root directory here. If you have not set one up, the default is /var/www/html. For the server name, if you do not yet have a domain, enter your server's IP address followed by the HTTPS port (:443).

Next, find the two lines below in the same file and comment them out, as shown; the stricter server-wide settings we add at the end of the file will take their place:

#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

After that, point the certificate directives at the two files we created earlier:

SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

Note: if the file contains a line reading "SSLSessionTickets Off", be sure to comment it out, as the Apache version shipped with CentOS 7 does not support this directive (it requires Apache 2.4.11 or newer).

After that, paste the following after the closing </VirtualHost> tag, which is most likely at the end of the config file (the </VirtualHost> line is shown only to mark the position):

</VirtualHost>
#
# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off

Two points worth knowing about this block: the Header directives need mod_headers to be loaded, and SSLUseStapling has no effect with a self-signed certificate, because no certificate authority runs an OCSP responder for it; it only becomes useful once you switch to a CA-issued certificate. Once you are done, save and exit the file.

Redirecting HTTP to HTTPS

It is recommended and more secure to redirect HTTP to HTTPS; however, this is not required and entirely up to you. If you do not redirect, your server will keep answering on both HTTP and HTTPS, so visitors who type the plain address stay unencrypted. If you would like to redirect, do the following:

Create a non-SSL config file:

#vi /etc/httpd/conf.d/non-ssl.conf

Enter the following so that your HTTP site redirects to HTTPS:

<VirtualHost *:80>
ServerName www.example.com
Redirect "/" "https://www.example.com/"
</VirtualHost>

Save and exit the file once this is completed.

Activating your SSL Certificate

To be diligent and catch any errors in our config files, run the following to test that the syntax is okay:

#apachectl configtest

Once everything seems great, we must restart Apache to apply the changes that we have made:

#systemctl restart httpd.service

Lastly, we need to allow HTTP and HTTPS through iptables by adding two rules:

#iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Note that rules inserted this way are lost on reboot unless you save them (for example with the iptables-services package); if your CentOS 7 server runs the default firewalld instead of plain iptables, open the http and https services with firewall-cmd.

To test your server, open your browser and enter the IP/domain. It should redirect to HTTPS and show a security warning page. Once you click Advanced and proceed, the site loads, but the browser will still flag the connection in the URL box. This is normal, as it is a self-signed certificate and not a browser-trusted certificate such as the commercial SSL certificates we offer.

After completing all of the required steps, you’re good to go!

Note, it is not always 100% safe to proceed with websites with self-signed certificates as we must be wary of phishing sites, so please be careful where you input sensitive information online.

We hope this article has helped you learn how to install a self-signed SSL! Let us know in the comments below if you have any questions about the process and we’ll be happy to help.