Create and Install a Self-Signed SSL Certificate on Ubuntu
HTTPS (HTTP over SSL/TLS) encrypts communication between a web browser and a server, which is essential for protecting data during online banking or shopping. This security is provided by an SSL certificate. While public websites use certificates signed by a trusted Certificate Authority (CA), internal or development environments can use a self-signed certificate. It provides the same level of encryption, but browsers do not trust it by default because no CA has vouched for the server's identity.

This tutorial demonstrates how to generate a self-signed SSL certificate and configure the Apache web server to use it on Ubuntu 24.04 LTS.
Prerequisites
- An Ubuntu 24.04 server.
- A non-root user with sudo privileges.
- The Apache web server installed.
Step 1 — Install Apache and OpenSSL
First, ensure the Apache web server and OpenSSL toolkit are installed. OpenSSL is the core library used to generate the certificate and key.
sudo apt update
sudo apt install apache2 openssl -y
Step 2 — Generate a Self-Signed SSL Certificate
Instead of a two-step process involving a Certificate Signing Request (CSR), you can generate the private key and the certificate in a single command. We will create a stronger 4096-bit key and a certificate valid for 365 days.
Create the SSL certificate and key files with the following command:
sudo openssl req -x509 -nodes -newkey rsa:4096 \
-keyout /etc/ssl/private/apache-selfsigned.key \
-out /etc/ssl/certs/apache-selfsigned.crt -days 365
- -x509: Specifies that we want to create a self-signed certificate.
- -nodes: Skips the option to secure our private key with a passphrase. This is needed so Apache can read the file without manual intervention upon startup.
- -newkey rsa:4096: Creates a new 4096-bit RSA private key.
- -keyout: Specifies the destination for the private key file.
- -out: Specifies the destination for the certificate file.
- -days 365: Sets the certificate’s validity period.
You will be prompted to enter information for the certificate’s Distinguished Name (DN). For a self-signed certificate, these values are not strictly validated. The most important field is the Common Name, which should match your server’s domain name or IP address.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:your_domain_or_ip
Email Address []:your_email_address
Next, secure the private key by restricting its permissions. Only the root user should be able to read this file.
sudo chmod 600 /etc/ssl/private/apache-selfsigned.key
Your certificate and private key are now ready.
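Current browsers match the host name against the certificate's subjectAltName extension rather than the Common Name, and the command above does not set one. The following added example (not part of the original tutorial) generates the same kind of certificate without prompts, adds a SAN entry, and then checks the result offline. The function names and the file names selfsigned.key and selfsigned.crt are hypothetical; the host name you pass is your own.

```shell
#!/bin/sh
# Added example, not from the original tutorial. make_cert/check_cert and the
# file names selfsigned.key/.crt are hypothetical; try it in a scratch directory.

# make_cert DIR HOST [BITS]: Step 2 without prompts, plus a subjectAltName.
make_cert() (
    dir=$1 host=$2 bits=${3:-4096}
    # Digits and dots only: treat as an IPv4 address, otherwise as a DNS name.
    case $host in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    umask 077    # the key is never group/world-readable, even briefly
    openssl req -x509 -nodes -newkey "rsa:$bits" -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=$san" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" 2>/dev/null &&
    chmod 644 "$dir/selfsigned.crt"
)

# check_cert DIR HOST: print the first problem found and return 1, else 0.
check_cert() (
    crt=$1/selfsigned.crt key=$1/selfsigned.key host=$2
    # 1. The certificate must carry the public half of this private key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$key" -pubout) || exit 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; exit 1; }
    # 2. HOST must appear in the SAN extension (one entry per line after tr/sed).
    openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' |
        grep -Fxq -e "DNS:$host" -e "IP Address:$host" ||
        { echo "no SAN entry for $host"; exit 1; }
    # 3. At least 30 days of validity must remain.
    openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null ||
        { echo "certificate expires within 30 days"; exit 1; }
    # 4. The key must be mode 600, as in the chmod step above.
    [ "$(stat -c %a "$key")" = 600 ] || { echo "key permissions too open"; exit 1; }
)
```

Run check_cert again before each renewal date; a certificate created with -days 365 starts failing the expiry check after eleven months.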
Step 3 — Configure Apache to Use SSL

Now we will configure Apache to use the newly generated certificate.
Edit the Default SSL Virtual Host
A default SSL configuration is available, which we will adapt. Open the file with a text editor:
sudo nano /etc/apache2/sites-available/default-ssl.conf
Modify the file to include your server’s name and point to your new certificate and key files.
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        # Update ServerName to your server's IP address or domain
        ServerName your_domain_or_ip
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
        SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>
Save and close the file (Ctrl+X, Y, Enter).
Configure Redirect from HTTP to HTTPS
To ensure all traffic is encrypted, we will redirect standard HTTP requests to HTTPS.
sudo nano /etc/apache2/sites-available/000-default.conf
Modify the file to add a permanent redirect:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    # Update ServerName to your server's IP address or domain
    ServerName your_domain_or_ip
    DocumentRoot /var/www/html
    # Redirect all traffic to HTTPS
    Redirect permanent "/" "https://your_domain_or_ip/"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Save and close the file.
Enable Apache Modules and Sites
Finally, enable the SSL module, the headers module (a good practice for SSL configurations), and the new SSL site configuration.
sudo a2enmod ssl headers
sudo a2ensite default-ssl
Test Configuration and Restart Apache
First, check for any syntax errors in your Apache files:
sudo apache2ctl configtest
If you see Syntax OK, restart the Apache service to apply all changes:
sudo systemctl restart apache2
Verify that the service is active and running:
sudo systemctl status apache2
Step 4 — Verify the SSL Configuration

Open your web browser and navigate to https://your_domain_or_ip.
You will see a browser warning page stating that the connection is not private or that the certificate is not trusted. This is expected because the certificate was signed by you, not a trusted CA.
Click “Advanced” and then “Proceed to your_domain_or_ip”. You should now see the default Apache2 Ubuntu page, and your browser’s address bar will show a padlock icon (though it may be crossed out or have a warning), indicating that the connection is encrypted.
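An added check for this step, not part of the original tutorial: before accepting the warning, compare the SHA-256 fingerprint of the certificate the server presents with that of the file created in Step 2, so that the exception is granted to your own certificate and nothing else. The function names and the file name served.pem are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original tutorial: confirm that the certificate
# behind the browser warning is the one generated in Step 2.
# fingerprint, served_cert and same_cert are hypothetical helper names.

# fingerprint FILE: SHA-256 fingerprint of a PEM certificate, colons removed.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//; s/://g'
}

# served_cert HOST [PORT]: print the leaf certificate the server presents.
served_cert() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# same_cert LOCAL SERVED: succeed only if both files hold the same certificate.
# An unreadable or empty file yields an empty fingerprint and therefore fails.
same_cert() {
    a=$(fingerprint "$1")
    b=$(fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Typical use on the client, with a copy of the .crt file obtained over a
# channel you already trust (for example scp from the server):
#   served_cert your_domain_or_ip > served.pem
#   same_cert apache-selfsigned.crt served.pem && echo "fingerprints match"
```

The same fingerprint is shown in the browser's certificate viewer, so it can also be compared by eye against the output of fingerprint on the server.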