create self-signed certificate in apache

How To Create a Self-Signed SSL Certificate for Apache in Ubuntu/Debian

Sreeram Sreenivasan

Last updated on July 19th, 2024 at 06:12 am

SSL certificates allow you to securely transfer data to/from server, without the possibility of anyone else intercepting it. They also help in site verification. In this article, we will look at how to create self-signed SSL certificate for Apache. However, it is important to note that self-signed certificates can be used only if you don’t have public facing domain names and web pages. For publicly accessible websites, you need to install third-party SSL certificates.

What is Self-Signed Certificate

There are two types of SSL certificates – self-signed and those signed by reputed third-parties such as RapidSSL, Comodo, etc. Generally, SSL Certificates are signed by a third-party Certificate Authority (CA). But a self-signed certificate is signed by its own creator and not a public authority. As a result, they are not recognized, by default, by web browsers. When you use self-signed certificates, web browsers will immediately show a warning message saying the ‘page is not secure’. But there is a workaround for this. You will need to force the web browser to trust your self-signed certificate by adding it to the list of trusted Certificate Authority. Nevertheless, self-signed certificates have their benefits and should not be completely ignored.

Why Need Self-Signed Certificate

There are several reasons why we need self-signed certificates. SSL certificates issued by public CA’s are not free and require annual payments. On the other hand, self-signed certificates are free. They encrypt data using the same algorithms as those issued by public CA’s. So they are very useful in development environments and intranet systems, which are not publicly accessible but need network data to be encrypted.

Secondly, public SSL certificates expire after one or more years. You need to keep paying increasing amount of money to renew it and re-install new certificates. On the other hand, self-signed SSL certificates do not expire so you can create them once and use them forever.

Thirdly, SSL certificates issues by public CA’s can be revoked anytime, at their discretion. But self-signed certificates can never be revoked by anyone, so you are at your own mercy.

How To Create a Self-Signed SSL Certificate for Apache

Here are the steps to create self-signed SSL certificate for Apache. When you install a third-party SSL certificate, we need to create a certificate signing request (CSR), submit it to certificate authority to obtain the SSL certificates from them. In case of self-signed certificate, there is no such requirement, since you are the certificate authority. You can directly create the certificates with a single command.

1. Create Self-Signed Certificate

We will use OpenSSL to create self-signed certificate. It is available for Windows, Linux and Mac systems and is free to use. Open terminal and run the following command

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.crt

Let us look at the above command in detail,

  • openssl – command line tool to create self-signed certificate
  • req – specifies to use X.509 standard for certificate creation, making it more secure.
  • -x509 – for generation of self-signed certificate as opposed to certificate signing request
  • -nodes – tells openSSL to secure our certificate without a passphrase
  • -days 365 – specifies validity of SSL certificate, that is, 365 days
  • -newkey rsa:2048 – tells openSSL to create certificate as well as the key together. rsa:2048 indicates that RSA key should be 2048 bits long
  • -keyout – location to place generated private key file
  • -out – location to place generated certificate

You will see the following set of prompts where you need to enter various details about your website like its country name, state, etc.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example.com
Organizational Unit Name (eg, section) []:  IT Department
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@example.com

The most important line in above prompts is for Common Name (e.g server FQDN or YOUR name). Here you need to correctly specify your website’s domain or public IP address.

In our case, both the certificate and private key file will be generated at /etc/ssl.

2. Configure Apache to Use SSL Certificate

We will edit the default SSL configuration file that ships with Apache, to enable our SSL certificate. Run the following command

$ sudo vi /etc/apache2/sites-available/default-ssl.conf

You will see a virtual host tag in the file that looks something like, 

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

We will modify couple of lines in it to update the ServerAdmin, SSLCertificateFile and SSLCertificateKeyFile attributes. They are highlighted in bold.

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin admin@example.com

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/selfsigned.crt
                SSLCertificateKeyFile /etc/ssl/private/selfsigned.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

Save and quit the file.

3. Enable mod_ssl

We need mod_ssl Apache module to use SSL certificates on our Apache server. Run the following command to activate mod_ssl.

$ sudo a2enmod ssl

4. Activate SSL configuration

Run the following command to activate SSL configuration

$ sudo a2ensite default-ssl

5. Restart Apache Server

Run the following command to test Apache configuration. 

$ sudo apache2 -t

If you see no error, run the following command to restart Apache web server and apply changes.

$ sudo service apache2 restart

Conclusion

Hopefully, this article will help you create self-signed SSL certificate for Apache. We have learnt what is a self-signed certificate, how it is different from those SSL certificates signed by public CAs. We have also learnt how to generate self-signed certificate and install it in Apache server.

Ubiq makes it easy to visualize data, and monitor them in real-time dashboards. Try Ubiq for free.

Also read :
How to Use Apache Bench for Testing
How to Install memcached in Apache
How to Install Fail2ban in Apache
How to Remove .php from URL in Apache

Related posts:

How to Install SSL Certificate on Apache Windows
How to Redirect 404 to Homepage using .htaccess
How To Prevent Image Hotlinking in Apache/Wordpress
How to Enable TLS 1.3 in Apache, NGINX