Add SSL to CentOS web server

Jack Wallen
Dec 5, 2010
Updated • Nov 30, 2012

CentOS might well be one of the finest Linux distributions for a server environment. It is basically a mimic of Red Hat Enterprise Linux without the proprietary software and the price attached to it. With that in mind, it makes perfect sense to set CentOS up as your go-to Web server. It's reliable, it's stable, it's extensible, and it's secure.

But setting up a secure web server isn't complete without SSL and certificates. If you want to serve secure web pages, you will certainly want your audience to reach them over https instead of http. So, with CentOS, how do you do that? I will show you how.

Installing all of the packages

I will assume you already have CentOS installed as well as the Apache Web Server. Make sure you are able to go to the default Apache web page (or any web page on your CentOS web server) before you set up SSL. When you have all of that working, you will need to install a couple of packages. This is done with the following steps:

  1. Open up a terminal window.
  2. Su to the root user.
  3. Issue the command yum install mod_ssl openssl.
  4. Let the installation complete.

With SSL installed and ready, it's time to create your certificates for usage.

Creating your certificate

You will now have everything on your server to create certificates. You need to generate a private key, a certificate signing request (CSR), and a self-signed certificate, and then copy these files to the correct locations. This is done with the following steps.

  1. Open up a terminal window.
  2. Su to the root user.
  3. Generate the private key with the command openssl genrsa -out ca.key 1024.
  4. Generate the csr with the command openssl req -new -key ca.key -out ca.csr.
  5. Generate the self-signed certificate with the command openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt.
  6. Copy the self-signed certificate into place with the command cp ca.crt /etc/pki/tls/certs.
  7. Copy the private key into place with the command cp ca.key /etc/pki/tls/private/ca.key.
  8. Copy the CSR into place with the command cp ca.csr /etc/pki/tls/private/ca.csr.

Edit the Apache SSL configuration

Open the file /etc/httpd/conf.d/ssl.conf and look for the SSLCertificateFile directive. Make sure that line reads:

SSLCertificateFile /etc/pki/tls/certs/ca.crt

Now look for the SSLCertificateKeyFile directive and make sure that line reads:

SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Save that file and you are ready to restart Apache.
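Before restarting, it is worth confirming that the key and certificate you just pointed ssl.conf at actually belong together; a mismatched pair is what makes httpd fail at startup with "X509_check_private_key:key values mismatch". The script below is an added example, not part of the original article: it repeats the article's three openssl steps in a scratch directory (with a 2048-bit key, since 1024-bit RSA is no longer considered adequate) and then checks the pair the way mod_ssl will.

```shell
#!/bin/sh
# Added example, not from the original article: generate the article's key,
# CSR and self-signed certificate, then verify that ca.key and ca.crt belong
# together before ssl.conf references them.

# Generate key, CSR and self-signed certificate into directory $1 for
# common name $2. 2048 bits rather than the article's 1024 (1024-bit RSA
# is no longer considered adequate); -subj answers the CSR prompts so the
# script runs unattended.
make_selfsigned() {
    dir="$1"; cn="$2"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/CN=$cn" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -out "$dir/ca.crt" 2>/dev/null
}

# Return 0 when the public key embedded in certificate $2 is the same as
# the public key derived from private key $1. This is equivalent to the
# X509_check_private_key test mod_ssl runs when httpd starts.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Demonstration in a scratch directory; the article copies the files to
# /etc/pki/tls/certs and /etc/pki/tls/private instead.
work=$(mktemp -d)
make_selfsigned "$work" "www.example.com"
if key_matches_cert "$work/ca.key" "$work/ca.crt"; then
    echo "ca.key and ca.crt match: safe to reference from ssl.conf"
else
    echo "ca.key does not match ca.crt: httpd would refuse to start" >&2
fi
# Re-running step 3 (genrsa) without redoing steps 4 and 5 is the usual way
# to end up with the mismatch: a fresh key no longer matches ca.crt.
openssl genrsa -out "$work/fresh.key" 2048 2>/dev/null
key_matches_cert "$work/fresh.key" "$work/ca.crt" ||
    echo "fresh.key vs ca.crt: mismatch detected, do not install this pair" >&2
rm -rf "$work"
```

Once the pair checks out and the directives are edited, `httpd -t` (or `apachectl configtest`) reports syntax errors in ssl.conf without restarting the running server.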

Restart and test

Before you try to test Apache's new SSL feature, you must restart the daemon. To do this, issue the command /etc/rc.d/init.d/httpd restart. Hopefully you will see no warnings or errors. If the restart succeeds, point your browser to https://ADDRESS_TO_SERVER, where ADDRESS_TO_SERVER is either the IP address or the domain of the server. You should then see a warning from your browser about the certificate for the site, because the certificate is self-signed and not issued by a trusted authority. If you see this warning, congratulations: your Apache server is now ready for secure connections.

Remember, though, that you created a self-signed certificate, so every visitor's browser will warn about it. To get the most out of SSL you might want to purchase a certificate from a trusted CA such as Verisign (there are, of course, plenty of other places where you can purchase those certificates).


Comments

  1. Jenifer Tucker said on February 18, 2011 at 9:44 pm

    Hi there

    I followed this all the way, through but get failure messages when restarting Apache, Any ideas?

    [Fri Feb 18 19:36:21 2011] [error] Unable to configure RSA server private key
    [Fri Feb 18 19:36:21 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    ————-

    #
    # Installation.
    yum install mod_ssl openssl
    #
    # Generate the private key
    openssl genrsa -out ca.key 1024
    #
    # Generate the csr.
    openssl req -new -key ca.key -out ca.csr
    #
    # Generate the self-signed key.
    openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
    #
    # Move the self-signed key.
    cp ca.crt /etc/pki/tls/certs
    #
    # Move the private key.
    cp ca.key /etc/pki/tls/private/ca.key
    #
    # Move the csr.
    cp ca.csr /etc/pki/tls/private/ca.csr
    #
    # Edit the Apache SSL configuration.
    vi /etc/httpd/conf.d/ssl.conf
    #
    # Change path of file.
    - SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    + SSLCertificateFile /etc/pki/tls/certs/ca.crt
    #
    # Restart Apache.
    service httpd restart

    1. Jenifer Tucker said on February 18, 2011 at 10:00 pm

      Apols… left one command out ..

      # Change path of server private Key.
      - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
      + SSLCertificateKeyFile /etc/pki/tls/private/ca.key

      This is now in place, but I can’t get Apache to restart – just fails :-(

  2. Dotan Cohen said on December 7, 2010 at 2:57 pm

    Thanks, Jack, the section on creating the certificate is excellent.
