HTTP: Configure SSL with Apache.

Share this link

Install the Web Server package group:

# yum groupinstall -y "Web server"

Activate at boot time and start the service:

# chkconfig httpd on
# service httpd start

Add a new rule to the firewall:

# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Save the firewall configuration:

# service iptables save

Let’s assume your server is called

Generate a X509 certificate valid for 365 days:

# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/ -keyout /etc/pki/tls/private/ -days 365
Generating a 2048 bit RSA private key
writing new private key to '/etc/pki/tls/private/'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []
Email Address []:

Edit the /etc/httpd/conf.d/ssl.conf file, search for the SSLCertificate string and replace as follows:

SSLCertificateFile /etc/pki/tls/certs/
SSLCertificateKeyFile /etc/pki/tls/private/

In the same file, search for the ServerName string and replace as follows:


Check the validity of the configuration:

# httpd -t
Syntax OK


# apachectl configtest
Syntax OK

Restart the Apache webserver:

# apachectl restart

Check the virtual host configuration:

# httpd -D DUMP_VHOSTS
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK

Optionally, check the certificate:

# openssl s_client -connect localhost:443 -state
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN =
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN =
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd/
   i:/C=XX/L=Default City/O=Default Company Ltd/
Server certificate
subject=/C=XX/L=Default City/O=Default Company Ltd/
issuer=/C=XX/L=Default City/O=Default Company Ltd/
No client certificate CA names sent
SSL handshake has read 1796 bytes and written 453 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: F70A21C91678CB69510C8ED213E8C340021A3AD7343D16155D15E819476032CB
    Master-Key: 5CADEE0E5B2B4F9030B1A9E46FA2DD65AC70C530B754A4EF4384AA34B28E4E2617B1E47746ACA2D22B9DA7A8369509A7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b6 a4 65 fa 1c 14 4d 12-b7 70 6c 2b 53 52 f1 b6
    0010 - 76 8d 20 86 bb 63 ac dc-46 60 18 07 ae 86 03 16   v. ..c..F`......
    0020 - 90 a2 d2 17 d5 f9 ff 5e-bc d2 c7 aa 0f 8f 40 8f   .......^......@.
    0030 - ee 4e 27 ff 1f c1 7c 04-26 ec cb db 6b e6 2f 53   .N'...|.&...k./S
    0040 - 13 05 04 c2 67 d6 63 c5-c3 8b b1 3e 99 65 c9 8a   ....g.c....>.e..
    0050 - 33 68 3c 83 a0 22 bc d2-5b 7e 8b e7 87 24 b7 77   3h<.."..[~...$.w
    0060 - 18 3f c4 51 0d 4e dd a7-f5 03 68 e8 51 de c2 a9   .?.Q.N....h.Q...
    0070 - ba e6 fe 15 1d 4b 93 d5-85 93 e3 ee 80 78 2b 40   .....K.......x+@
    0080 - 5f 30 02 69 cd 31 61 b6-7b 30 94 ae ca f7 78 62   _0.i.1a.{0....xb
    0090 - 87 50 83 ba cc c2 40 29-62 15 50 98 91 6e 25 c0   .P....@)b.P..n%.
    00a0 - 9d 55 39 b2 f8 59 67 47-ec ba ea ad 7a 63 75 d9   .U9..YgG....zcu.
    00b0 - d6 36 57 b4 80 8a 59 a2-67 d8 90 2c e2 3c dd 05   .6W...Y.g..,.<..

    Start Time: 1408871323
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify

Additional Resources

You can read this good article about the various formats of certificates.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Leave a Reply

RHCSA7: Task of the day

Allowed time: 10 minutes.
Create two new user accounts "steve" and "oliver".
Create a group "team". Create a directory "shared".
All files put into the "shared" directory by "steve" or "oliver" should belong to the "team" group and be only visible by them.

RHCE7: Task of the day

Allowed time: 10 minutes.
Set up a caching-only DNS server to forward DNS queries.

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...