
How To Create a Self-Signed SSL Certificate for Apache in Ubuntu/Debian

Self-signed certificates let you encrypt data transferred to and from a server so that it cannot be read in transit. They help in site verification only when the client has been set up to trust that particular certificate, since no certificate authority vouches for it. In this article, we will look at how to create a self-signed SSL certificate for Apache. However, it is important to note that self-signed certificates should be used only if you don’t have public-facing domain names and web pages. For publicly accessible websites, you need to install third-party SSL certificates.


How To Create a Self-Signed SSL Certificate for Apache

Here are the steps to create a self-signed SSL certificate for Apache.


1. Create Self-Signed Certificate

We will use OpenSSL to create the self-signed certificate. Open a terminal and run the following command:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.crt

Let us look at the above command in detail:

  • openssl – command-line tool used to create the self-signed certificate
  • req – the OpenSSL subcommand that creates certificate signing requests and, with -x509, certificates
  • -x509 – outputs a self-signed X.509 certificate instead of a certificate signing request
  • -nodes – tells OpenSSL not to encrypt the private key with a passphrase, so Apache can read it at startup without prompting
  • -days 365 – specifies validity of SSL certificate, that is, 365 days
  • -newkey rsa:2048 – tells OpenSSL to create a new private key together with the certificate. rsa:2048 indicates that the RSA key should be 2048 bits long
  • -keyout – location to place generated private key file
  • -out – location to place generated certificate

You will see the following set of prompts where you need to enter various details about your website like its country name, state, etc.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ubiq
Organizational Unit Name (eg, section) []:  IT Department
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@example.com

The most important prompt above is Common Name (e.g. server FQDN or YOUR name). Here you need to correctly specify your website’s domain or public IP address.

In our case, both files will be generated under /etc/ssl: the certificate in /etc/ssl/certs and the private key in /etc/ssl/private.
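The certificate from step 1 can be checked before Apache is pointed at it. The script below is an added example, not part of the original article: it runs the same openssl req command without prompts in a scratch directory and verifies the result. The function names and the hostname passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Function names, the hostname
# and the scratch directory are hypothetical; nothing is written to /etc/ssl.

# Generate key + certificate without prompts. -subj replaces the interactive
# questions; -addext adds a subjectAltName, which current browsers match
# instead of the Common Name (needs OpenSSL 1.1.1 or later). For an IP
# address, use IP:<address> in place of DNS:<name>.
make_selfsigned() {  # usage: make_selfsigned <dir> <hostname>
    (
        umask 077  # -nodes leaves the key unencrypted: keep it owner-only
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/C=US/ST=California/L=San Francisco/O=Ubiq/CN=$2" \
            -addext "subjectAltName=DNS:$2" \
            -keyout "$1/selfsigned.key" -out "$1/selfsigned.crt" 2>/dev/null
    )
}

# True only if the certificate carries the public key of this private key.
# Apache will not start with a mismatched pair.
key_matches_cert() {  # usage: key_matches_cert <key> <crt>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if <hostname> is listed in the certificate's subjectAltName.
cert_has_san() {  # usage: cert_has_san <crt> <hostname>
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# True if the certificate is still valid <days> days from now.
cert_valid_for_days() {  # usage: cert_valid_for_days <crt> <days>
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# True if group and others have no permissions on the key file.
key_is_private() {  # usage: key_is_private <key>
    case $(ls -ld "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}
```

To check the files created in step 1, run key_matches_cert as root with /etc/ssl/private/selfsigned.key and /etc/ssl/certs/selfsigned.crt as arguments.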



2. Configure Apache to Use SSL Certificate

We will edit the default SSL configuration file that ships with Apache to enable our SSL certificate. Run the following command:

$ sudo vi /etc/apache2/sites-available/default-ssl.conf

You will see a virtual host block in the file that looks something like this:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>


We will modify a couple of lines in it to update the ServerAdmin, SSLCertificateFile and SSLCertificateKeyFile directives.

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin admin@example.com

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/selfsigned.crt
                SSLCertificateKeyFile /etc/ssl/private/selfsigned.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

Save and quit the file.


3. Enable mod_ssl

Run the following command to activate mod_ssl:

$ sudo a2enmod ssl



4. Activate SSL configuration

Run the following command to activate the SSL configuration:

$ sudo a2ensite default-ssl



5. Restart Apache Server

Run the following command to test Apache configuration.

$ sudo apache2ctl configtest

If you see no error, run the following command to restart Apache web server and apply changes.

$ sudo service apache2 restart

Hopefully, this article will help you create self-signed SSL certificate for Apache.