SSL (Secure Sockets Layer) and its improved successor TLS (Transport Layer Security) are security protocols used to protect web traffic sent from a client’s web browser to a web server.
An SSL certificate is a digital certificate that creates a secure channel between the client’s browser and the web server. Confidential and sensitive data such as credit card details, login details and other sensitive information is encrypted in transit to prevent hackers from eavesdropping on and stealing your data.
What is a self-signed SSL Certificate?
Unlike other SSL certificates, which are signed and trusted by a Certificate Authority (CA), a self-signed SSL certificate is signed by the individual who owns it.
It’s absolutely free and it’s the cheapest way to encrypt your local web server. However, the use of a self-signed SSL Certificate in a production environment is strongly discouraged for the following reasons:
- Because it is not signed by a CA, a self-signed SSL certificate generates alerts in web browsers, warning users of potential risks if they decide to proceed. These warnings are undesirable and discourage users from visiting your website, which can reduce web traffic. To work around these alerts, organizations generally encourage their staff to simply ignore them and proceed. This can become a dangerous habit for users, who may continue to ignore these warnings on other websites and fall victim to phishing sites.
- Self-signed certificates have a low level of security because they implement weak encryption and hash technologies. The security level may therefore not comply with the standard security policy.
- In addition, there is no support for Public Key Infrastructure (PKI) functions.
That said, using a self-signed SSL certificate is a good option for testing services and applications on a local machine that require TLS/SSL encryption.
In this tutorial you will learn how to install a self-signed local SSL certificate on the local Apache web server of a CentOS 8 server system.
Before you start work, make sure that you meet the following basic requirements:
- An instance of CentOS 8 server.
- The Apache web server installed on the server.
- The hostname already configured and set in /etc/hosts. For this guide we will use tecmint.local as the hostname of our server.
Step 1: Installation of Mod_SSL on CentOS
1. First make sure that the Apache web server is installed and running.
$ sudo systemctl status httpd
The output should show the service as active (running).
If the web server is not running, you can start it and enable it at boot with the following commands.
$ sudo systemctl start httpd
$ sudo systemctl enable httpd
You can then confirm that Apache is up and running by checking its status again.
2. The mod_ssl package is required to install and configure a self-signed local SSL certificate.
$ sudo dnf install mod_ssl
After installation, you can verify it by running:
$ sudo rpm -q mod_ssl
Also make sure that the OpenSSL package is installed (OpenSSL is installed by default in CentOS 8).
$ sudo rpm -q openssl
Step 2: Creation of a self-signed local SSL Certificate for Apache
3. Once the Apache web server and all prerequisites have been verified, you must create a directory in which the cryptographic keys are stored.
In this example we create the directory at /etc/ssl/private.
$ sudo mkdir -p /etc/ssl/private
Now use the following command to create a key and a local SSL certificate file. The -keyout and -out paths are relative, so run it from the directory in which the files should be stored:
$ sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout tecmint.local.key -out tecmint.local.crt
Let’s see what some of the command’s options actually mean:
- req -x509 – this indicates that we are using the X.509 Certificate Signing Request (CSR) management command; with -x509 it outputs a self-signed certificate instead of a CSR.
- -nodes – This option tells OpenSSL not to encrypt the generated private key with a passphrase. The idea here is to allow Apache to read the file without user intervention, which would not be possible if a passphrase had been set.
- -newkey rsa:2048 – This means that we want to create a new key and a new certificate at the same time. The rsa:2048 part specifies that we want to create a 2048-bit RSA key.
- -keyout – this parameter specifies where the generated private key file should be stored when it is created.
- -out – this option indicates where the created SSL Certificate should be placed.
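The command above as a non-interactive script, followed by checks on what it produced: issuer equals subject, the key belongs to the certificate, and the signature algorithm, key size and host names are the ones requested. This is an added example, not part of the original guide; the function names and the -days, -subj and subjectAltName values are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Needs OpenSSL 1.1.1+ for -addext.
# -days 365, -subj and the SAN names are choices made for this example; without
# -days the certificate expires after 30 days.

# make_selfsigned DIR HOST: write DIR/HOST.key and DIR/HOST.crt without prompts.
make_selfsigned() {
    local dir=$1 host=$2
    ( umask 077    # the unencrypted key must be readable by its owner only
      openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
          -subj "/CN=${host}" \
          -addext "subjectAltName=DNS:${host},DNS:www.${host}" \
          -keyout "${dir}/${host}.key" -out "${dir}/${host}.crt" 2>/dev/null
    ) || return 1
    chmod 644 "${dir}/${host}.crt"    # the certificate itself is public
}

# is_self_signed CRT: succeeds when issuer and subject are the same name.
is_self_signed() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# key_matches_cert KEY CRT: succeeds when both files hold the same public key.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# sig_alg CRT / key_bits CRT: print the signature algorithm and the key size.
sig_alg()  { openssl x509 -in "$1" -noout -text |
                 awk -F': ' '/Signature Algorithm/ {print $2; exit}'; }
key_bits() { openssl x509 -in "$1" -noout -text |
                 sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

# has_san CRT NAME: succeeds when NAME is listed as a DNS subjectAltName.
has_san() { openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"; }

# Demo in a throwaway directory; on the server use /etc/ssl/private as root.
d=$(mktemp -d) && make_selfsigned "$d" tecmint.local &&
    is_self_signed "$d/tecmint.local.crt" &&
    key_matches_cert "$d/tecmint.local.key" "$d/tecmint.local.crt" &&
    echo "ok: $(sig_alg "$d/tecmint.local.crt"), $(key_bits "$d/tecmint.local.crt") bit"
rm -rf "$d"
```

The key-to-certificate check is worth running whenever Apache refuses to start after a certificate change, since a mismatched pair is a common cause.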
Step 3: Install a self-signed local SSL certificate on Apache.
4. Once the SSL certificate file has been generated, it is time to install the certificate using the Apache web server settings. Open and edit the configuration file /etc/httpd/conf.d/ssl.conf.
$ sudo vi /etc/httpd/conf.d/ssl.conf
Make sure the following lines appear between the virtual host tags.
ServerAdmin [Email Protection]
ServerName www.tecmint.local
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/private/tecmint.local.crt
SSLCertificateKeyFile /etc/ssl/private/tecmint.local.key
Save the file and close it. To apply the changes, restart Apache with the command:
$ sudo systemctl restart httpd
5. To allow remote users to access your server, you need to open port 443 in the firewall.
$ sudo firewall-cmd --add-port=443/tcp --zone=public --permanent
$ sudo firewall-cmd --reload
Step 4: Testing a self-signed local SSL Certificate on Apache
With all the configuration in place, start the browser and open the server’s address over https, using either the server IP address or the domain name.
To simplify testing, consider redirecting the HTTP protocol to HTTPS on the Apache web server. This allows you to automatically redirect the domain to the HTTPS protocol each time you browse a domain using the HTTP protocol.
Now browse to your server’s domain or IP address.
You will receive a warning that the connection is not secure. The wording differs between browsers. As you may have guessed, the warning appears because the SSL certificate is not signed by a CA, so the browser flags it and informs you that the certificate is not trusted.
To access your website, click on the Advanced tab:
Then add an exception to your browser.
Finally, restart your browser and note that you can now access the server, although a warning will appear in the URL bar indicating that the site is not completely secure, for the same reason: the SSL certificate is self-signed and not signed by a CA.
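Before adding the browser exception, the certificate the server presents can be compared with the file created on the server, so that the exception is granted to the certificate you generated and not to something else answering on port 443. The script below is an added example, not part of the original guide; the function names are illustrative and it assumes the openssl command is available on the client.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: confirm that the certificate the
# server presents is the one generated earlier before accepting the exception.

# fingerprint CRT: print the SHA-256 fingerprint of a PEM certificate file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# served_cert HOST PORT: print the leaf certificate (PEM) the server presents.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# same_cert CRT HOST PORT: succeeds only when the served certificate has the
# same fingerprint as the local file; any connection or parse error fails.
same_cert() {
    local tmp want got
    tmp=$(mktemp) || return 1
    served_cert "$2" "$3" >"$tmp"
    want=$(fingerprint "$1")
    got=$(fingerprint "$tmp")
    rm -f "$tmp"
    [ -n "$want" ] && [ -n "$got" ] && [ "$want" = "$got" ]
}

# Usage on a client, with a copy of the certificate (not the key) from the server:
#   same_cert tecmint.local.crt tecmint.local 443 && echo "fingerprints match"
```

Most browsers show the same SHA-256 fingerprint in their certificate viewer, so the value printed by fingerprint can also be compared by eye.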
We hope you can now go ahead and create and install a self-signed SSL certificate on your local Apache server with CentOS 8.