This article covers a version of CentOS that is no longer supported. If you are currently operating a server running CentOS 6, we highly recommend upgrading or migrating to a supported version of CentOS.
Reason: CentOS 6 reached end of life (EOL) on November 30th, 2020 and no longer receives security patches or updates. For this reason, this guide is no longer maintained.
See Instead:
This guide might still be useful as a reference, but may not work on other CentOS releases. If available, we strongly recommend using a guide written for the version of CentOS you are using.
The following DigitalOcean tutorial may be of interest, as it outlines how to create an SSL certificate for Apache on a CentOS 7 server:
A SSL certificate is a way to encrypt a site's information and create a more secure connection. Additionally, the certificate can show the virtual private server's identification information to site visitors. Certificate Authorities can issue SSL certificates that verify the virtual server's details while a self-signed certificate has no 3rd party corroboration.
In order to set up the self signed certificate, we first have to be sure that Apache and Mod SSL are installed on our VPS. You can install both with one command:
yum install mod_ssl
Next, we need to create a new directory where we will store the server key and certificate
mkdir /etc/httpd/ssl
When we request a new certificate, we can specify how long the certificate should remain valid by changing the 365 to the number of days we prefer. As it stands this certificate will expire after one year.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
With this command, we will be both creating the self-signed SSL certificate and the server key that protects it, and placing both of them into the new directory.
This command will prompt terminal to display a lists of fields that need to be filled in.
The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address.
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New York Locality Name (eg, city) []:NYC Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc Organizational Unit Name (eg, section) []:Dept of Merriment Common Name (e.g. server FQDN or YOUR name) []:example.com Email Address []:webmaster@awesomeinc.com
Now we have all of the required components of the finished certificate.The next thing to do is to set up the virtual hosts to display the new certificate.
Open up the SSL config file:
vi /etc/httpd/conf.d/ssl.conf
Find the section that begins with <VirtualHost _default_:443> and make some quick changes.
Uncomment the DocumentRoot and ServerName line and replace example.com with your DNS approved domain name or server IP address (it should be the same as the common name on the certificate):
ServerName example.com:443
Find the following three lines, and make sure that they match the extensions below:
SSLEngine on SSLCertificateFile /etc/httpd/ssl/apache.crt SSLCertificateKeyFile /etc/httpd/ssl/apache.key
Your virtual host is now all set up! Save and Exit out of the file.
You are done. Restarting the Apache server will reload it with all of your changes in place.
/etc/init.d/httpd restart
In your browser, type https://youraddress to view the new certificate.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Simple and works perfect. Thanks.
Aw! Thank you for the kind words! :D
How to remove mod_ssl ?
We need to add one last command to allow this to work:
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
This opens port 443 to allow https:// to work.
Thanks for the suggestion, Mark. This is definitely true for users that have IP tables set up.
Good manual, need help…
Bad Request Your browser sent a request that this server could not understand. Reason: Youre speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.
In your URL you arent using HTTPS which indicates that you want to connect to port 443, but instead your URL has HTTP.
So just update that and you should be good to go.
Stopping httpd: [FAILED] Starting httpd: [FAILED]
Read my blog post regarding “sudo”: http://jayl.ee/blog/2015/02/22/the-definitive-ssl-certificate-installation-manual
Thanks for that additional command mark. Works great. Suggestion: Why not expand the tutorial to include how to use trusted ssl keys?
To add to mark’s command: http://wiki.centos.org/HowTos/Https iptables -A INPUT -p tcp --dport 443 -j ACCEPT /sbin/service iptables save <–need to save new rule iptables -L -v <-- verify save
You have asked Firefox to connect securely to 192.xxx.xxx.32, but we can’t confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site’s identity can’t be verified.
So this is what everyone will see the first time they come across it?
@SaM5246: It’s because this is a self-signed cert. To get rid of this warning, you have to get your certificate signed by a CA such as Comodo, Verisign, Thawte, Godaddy, etc.
… or create your own CA certificate and install that into apache and your own browsers’ trusted CA list. That gets rid of the warning screen (and tests that the certificate installed OK - you’ll see the green padlock beside the URL).
What about the “genkey” command for certificate generation? I know there is a bug regarding this issue (in RHEL6 and CentOS 6.4). I did update the nss tool in CentOS and it now just works so great!
Etel, In case that I am not running iptables. How I can open the 443.? I read this post and all comments, then went to my machine and give the commands iptables --list service iptables status I don’t get any information from iptables --list, and the service iptables status told me that I am not running iptables. But if I did the command (after installing nmap with yum install nmap ) nmap -v -r 127.0.0.1 That runs an autoscan it give me the following (This is only part of the output) that I use to check which ports are open and which not.) Not shown: 995 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 3306/tcp open mysql 10000/tcp open snet-sensor-mgmt
I noticed that when I installed Apache with yum, the port was opened, the same when I installed the Mysql, but how this is possible if the iptables is not running.? Is there another method to open the ports.? And thank you for all the information in this post. Is being very usefull.
@ruben.amaya: What’s the output of <code>iptables -L -v</code> as root?
The iptables service might not be running but the iptables kernel module is always there.
how do you add multiple ssl’s?
@masterjx12: See <a href=“https://www.digitalocean.com/community/articles/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04”>https://www.digitalocean.com/community/articles/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04</a>
I recommend reading through the article and then performing the steps yourself since the article is for Ubuntu and not CentOS.
works great to me, thanx Etel, can u plz suggest how to use already purchased CA certfied ssl in it
What i want to established communication in specific static ip and port 1234 in order to accesses from another webserver using fsockopen in php could you tell me what is the setting i have to do in apatche2 (ubuntu linux )
Thank you, it is so hopefull ! worked !:)(
Thank you!
Working perfect :)
Hi! When I type https://myip it takes me to the default Apache page. It takes me to my website only if I type http://myip. Do I need to assign a redirection?
@yazirarafath: Try clearing your browser’s cache—that appears to be the problem.
@Kamal Nasser I tried. But it is still the same.
@yazirarafath: What’s the IP address?
When I go to edit the ssl.conf file I get a blank file. When I search for it:
whereis ssl.conf
I get:
ssl: /etc/ssl /usr/share/man/man3/ssl.3ssl.gz
Could someone help a newbie?
@techspecx: What version of CentOS are you using?
perfect - thank you again!
Please help! Stopping httpd: [ OK ] Starting httpd: [FAILED] How do I find out why, and fix it?
Apache won’t start for me. I suspect it is because I have not added the module for Elliptic Curve Cryptography TLS/SSL as opposed to RSA. I have a friend who uses DigitalOcean and uses ECC TLS, so it should be possible. How may I do this?
/etc/init.d/httpd restart
Stopping httpd: [FAILED] Starting httpd: [FAILED]
openssl x509 -noout -modulus -in /etc/httpd/ssl/www_landenfamily_us.crt | openssl md5
Modulus=unavailable 3078575852:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316: 3078575852:error:100D7010:elliptic curve routines:ECKEY_PUB_DECODE:EC lib:ec_ameth.c:206: 3078575852:error:0B07707D:x509 certificate routines:X509_PUBKEY_get:public key decode error:x_pubkey.c:164: (stdin)= d41d8cd98f00b204e9800998ecf8427e
openssl rsa -noout -modulus -in /etc/httpd/ssl/server.key | openssl md5
unable to load Private Key 3078436588:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316: 3078436588:error:1009E077:elliptic curve routines:EC_ASN1_PKPARAMETERS2GROUP:ec group new by name failure:ec_asn1.c:1035: 3078436588:error:10092010:elliptic curve routines:d2i_ECPrivateKey:EC lib:ec_asn1.c:1158: 3078436588:error:100DE08E:elliptic curve routines:OLD_EC_PRIV_DECODE:decode error:ec_ameth.c:565: 3078436588:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319: 3078436588:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS8_PRIV_KEY_INFO 3078436588:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132: (stdin)= d41d8cd98f00b204e9800998ecf8427e