Creating a CentOS 7 Apache SSL Certificate (Self-Signed)
In this guide, we will create a self-signed SSL/TLS certificate for an Apache web server running on CentOS 7.
The purpose is to encrypt the traffic between the server and the client via HTTPS.
This method is typically used for test environments, intranet systems or development servers.
What Will You Learn in This Guide?
- Enabling SSL support for Apache
- Generating certificates and private keys with OpenSSL
- Configuring HTTPS via Apache VirtualHost
- Setting up an HTTP → HTTPS redirect
- Verifying the HTTPS connection
Important Note
Browsers show a warning for self-signed certificates because they are not signed by a trusted certificate authority.
It is recommended to use a Let's Encrypt SSL certificate for public websites.
Prerequisites
- CentOS 7 server
- A user with sudo privileges
- Apache HTTP Server installed
Installing Apache SSL Module
The mod_ssl module is required for Apache to process HTTPS traffic.
sudo yum install mod_ssl
This command installs the SSL module and enables it for Apache.
Restart the Apache service:
sudo systemctl restart httpd
Creating an SSL Certificate
2.1 Creating a Private Key Directory
The security of private keys is critical.
sudo mkdir /etc/ssl/private
sudo chmod 700 /etc/ssl/private
Only the root user can access this directory.
2.2 Certificate and Key Generation
You can create certificates and keys using OpenSSL.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/apache-selfsigned.key \
-out /etc/ssl/certs/apache-selfsigned.crt
This command:
- Generates a 2048-bit RSA key
- Creates a certificate valid for 1 year
- Saves the private key in the /etc/ssl/private directory
Enter your domain name or server IP address in the Common Name field.
2.3 Creating Diffie-Hellman Parameters
Recommended for safer key exchange.
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
This process may take several minutes.
Apache HTTPS VirtualHost Configuration
Create a new Apache configuration file.
sudo nano /etc/httpd/conf.d/ornek.com.conf
Example HTTPS VirtualHost configuration:
<VirtualHost *:443>
ServerName ornek.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
Secure SSL Settings (Recommended)
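You can add the following security settings inside the VirtualHost block. SSLStaplingCache is the exception: Apache accepts it only in the global server configuration, so place that line outside the <VirtualHost> block.
SSLProtocol -all +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
SSLCompression off
SSLUseStapling on
# Server-level directive: put this line outside the <VirtualHost> block
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"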
HTTP → HTTPS Redirect (Optional)
Create a new configuration file to automatically redirect HTTP traffic to HTTPS.
sudo nano /etc/httpd/conf.d/http-redirect.conf
<VirtualHost *:80>
ServerName ornek.com
Redirect "/" "https://ornek.com/"
</VirtualHost>
Applying the Apache Configuration
Check the configuration first:
sudo apachectl configtest
If the output is Syntax OK, the configuration is correct.
Restart the Apache service:
sudo systemctl restart httpd
Firewall Settings
Allow HTTP and HTTPS access through the firewall:
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
Testing HTTPS Connection
Open the following address in a browser:
https://ornek.com
The browser may display a security warning. This is normal for self-signed certificates.
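A browser visit only shows that the site answers over HTTPS. The script below is an added example, not part of the original guide, and its function names are illustrative: it checks that the private key matches the certificate, that the certificate does not expire within 30 days, and that the key file is closed to group and others. It assumes the openssl command is installed; run without arguments it tests a throwaway pair it generates itself.

```shell
#!/bin/sh
# Added example: post-install checks for the self-signed pair from this guide.
# Function names are illustrative, not part of Apache or OpenSSL.

# True when the certificate's public key is the one derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null
}

# True when group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check, print one line per result, return non-zero if any failed.
check_tls_pair() {
    failed=0
    cert_matches_key "$1" "$2"  || { echo "FAIL: key does not match certificate"; failed=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days"; failed=1; }
    key_is_private "$2"         || { echo "FAIL: key accessible by group or others"; failed=1; }
    [ "$failed" -eq 0 ] && echo "OK: $1"
    return "$failed"
}

# Demo on a throwaway pair (constructed sample; the guide's options plus
# -subj, which skips the interactive prompts).
demo() {
    d=$(mktemp -d)
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=ornek.com" \
        -keyout "$d/demo.key" -out "$d/demo.crt" 2>/dev/null
    chmod 600 "$d/demo.key"
    check_tls_pair "$d/demo.crt" "$d/demo.key"; status=$?
    rm -rf "$d"
    return "$status"
}

# With two arguments check that pair, otherwise run the demo.
if [ "$#" -eq 2 ]; then check_tls_pair "$1" "$2"; else demo; fi
```

To check the files created in this guide, save the script under any name (check-tls-pair.sh is used here only as an example) and run it as root with /etc/ssl/certs/apache-selfsigned.crt and /etc/ssl/private/apache-selfsigned.key as its two arguments.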
Frequently Asked Questions (FAQ)
- Is this certificate safe?
It encrypts data traffic but is not verified by a certificate authority.
- Can it be used in a production environment?
No. Let's Encrypt or commercial SSL certificates are recommended for the production environment.
- What happens when the certificate expires?
You must create a new self-signed certificate.
- Is HTTP → HTTPS redirect necessary?
It is recommended for security reasons.
Conclusion
The HTTPS configuration for Apache on CentOS 7 is complete. Data traffic between the server and the client is now encrypted in transit.
It is recommended to use Let's Encrypt SSL in real projects. You can set up this infrastructure on GenixNode servers in minutes.

