How To Configure Apache With SSL On CentOS 6.4

Securing the Apache server is one of the most important tasks of the webmaster. In this example, we will show you how to use ssl keys with your Apache web server.

Create Certificates

Change to the following directory:

# cd /etc/pki/tls/cert

Run the following command to make server key file:

[root@unixmen-Centos64 certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
..................+++
..........................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

Remove passphrase from private key:

[root@unixmen-Centos64 certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

 Generate CSR key file

[root@unixmen-Centos64 certs]# make server.csr 
umask 77 ; \
 /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:NL
State or Province Name (full name) []:Amsterdam
Locality Name (eg, city) [Default City]:Amsterdam
Organization Name (eg, company) [Default Company Ltd]:Unixmen
Organizational Unit Name (eg, section) []:Unixmen
Common Name (eg, your name or your server's hostname) []:Centos6-Unixmen
Email Address []:webmaster@unixmen.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@unixmen-Centos64 certs]#

Sign the key and make Expiration days:

[root@unixmen-Centos64 certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 10000
Signature ok
subject=/C=NL/ST=Amsterdam/L=Amsterdam/O=Unixmen/OU=Unixmen/CN=Centos6-Unixmen/emailAddress=webmaster@unixmen.com
Getting Private key
[root@unixmen-Centos64 certs]#

 Configure SSL keys with Apache 

# yum -y  install httpd mod_ssl

Configure  ‘/etc/httpd/conf.d/ssl.conf’

Your ssl.conf should be like this:

[root@unixmen-Centos64 conf.d]# cat /etc/httpd/conf.d/ssl.conf | grep -v "#"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName 127.0.0.1:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
 SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
 SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root@unixmen-Centos64 conf.d]#

Restart Apache  

Check if  the ports 80 and  443 are listening:

[root@unixmen-Centos64 conf.d]# netstat -an | grep 443
tcp 0 0 :::443 :::* LISTEN 
[root@unixmen-Centos64 conf.d]# netstat -an | grep 80
tcp 0 0 :::80 :::* LISTEN 
unix 3 [ ] STREAM CONNECTED 12580 
[root@unixmen-Centos64 conf.d]#

Allow the ports 80 and 443 via iptables:

vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
Reload  and  restart iptables

Restart ip tables:

service iptables restart

Open the browser and Check  https://IP-Address.

SSL-centos