Create and Install a Self-Signed SSL Certificate on Ubuntu
HTTPS (HTTP over SSL/TLS) encrypts communication between a web browser and a server, which is essential for protecting data during online banking or shopping. This security is provided by an SSL certificate. While public websites use certificates signed by a trusted Certificate Authority (CA), internal or development environments can use a self-signed certificate. It provides the same level of encryption but is not trusted by browsers by default.

This tutorial demonstrates how to generate a self-signed SSL certificate and configure the Apache web server to use it on Ubuntu 24.04 LTS.
Prerequisites
- An Ubuntu 24.04 server.
- A non-root user with sudo privileges.
- The Apache web server installed.
Step 1 — Install Apache and OpenSSL
First, ensure the Apache web server and OpenSSL toolkit are installed. OpenSSL is the core library used to generate the certificate and key.
    sudo apt update
    sudo apt install apache2 openssl -y
Step 2 — Generate a Self-Signed SSL Certificate
Instead of a two-step process involving a Certificate Signing Request (CSR), you can generate the private key and the certificate in a single command. We will create a stronger 4096-bit key and a certificate valid for 365 days.
Create the SSL certificate and key files with the following command:
    sudo openssl req -x509 -nodes -newkey rsa:4096 \
      -keyout /etc/ssl/private/apache-selfsigned.key \
      -out /etc/ssl/certs/apache-selfsigned.crt -days 365
- -x509: Specifies that we want to create a self-signed certificate.
- -nodes: Skips the option to secure our private key with a passphrase. This is needed so Apache can read the file without manual intervention upon startup.
- -newkey rsa:4096: Creates a new 4096-bit RSA private key.
- -keyout: Specifies the destination for the private key file.
- -out: Specifies the destination for the certificate file.
- -days 365: Sets the certificate’s validity period.
You will be prompted to enter information for the certificate’s Distinguished Name (DN). For a self-signed certificate, these values are not strictly validated. The most important field is the Common Name, which should match your server’s domain name or IP address.
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:New York
    Locality Name (eg, city) []:New York City
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
    Organizational Unit Name (eg, section) []:IT Department
    Common Name (e.g. server FQDN or YOUR name) []:your_domain_or_ip
    Email Address []:[email protected]
Next, secure the private key by restricting its permissions. Only the root user should be able to read this file.
    sudo chmod 600 /etc/ssl/private/apache-selfsigned.key
Your certificate and private key are now ready.
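The Step 2 command can also be run without prompts, and the resulting files checked before Apache is pointed at them. The script below is an added example, not part of the original tutorial; it goes slightly beyond the text by adding a subjectAltName entry, which current browsers match the host name against instead of the Common Name. The function names, the optional key-size argument and any host name or directory you pass in are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial). Names and paths are placeholders.

# make_selfsigned DIR NAME [BITS]: non-interactive form of the Step 2 command.
# -subj answers the DN prompts; -addext adds the subjectAltName clients match on.
make_selfsigned() {
  local dir=$1 name=$2 bits=${3:-4096}
  ( umask 077   # key is created owner-only, so there is no window before chmod
    openssl req -x509 -nodes -newkey "rsa:$bits" -days 365 \
      -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null ) || return 1
  chmod 644 "$dir/$name.crt"   # the certificate is public; only the key is secret
}

# key_mode FILE: octal permission bits (GNU stat, as shipped on Ubuntu).
key_mode() { stat -c '%a' "$1"; }

# key_matches_cert KEY CRT: true only if both files carry the same public key.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san CRT NAME: true if NAME is listed as a DNS subjectAltName entry.
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$2"
}

# check_pair KEY CRT NAME: run every check, print failures, return non-zero on any.
check_pair() {
  local rc=0
  [ "$(key_mode "$1")" = 600 ] || { echo "FAIL: $1 is not mode 600"; rc=1; }
  key_matches_cert "$1" "$2"   || { echo "FAIL: key and certificate differ"; rc=1; }
  cert_has_san "$2" "$3"       || { echo "FAIL: no SAN entry for $3"; rc=1; }
  # -checkend N fails when the certificate expires within N seconds (30 days here)
  openssl x509 -in "$2" -noout -checkend $((30*86400)) >/dev/null ||
    { echo "FAIL: certificate expires within 30 days"; rc=1; }
  return $rc
}
```

Run `make_selfsigned` against a scratch directory first, then `check_pair` on the two files it writes; a mismatched key and certificate is also what makes Apache refuse to start after Step 3.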
Step 3 — Configure Apache to Use SSL

Now we will configure Apache to use the newly generated certificate.
Edit the Default SSL Virtual Host
A default SSL configuration is available, which we will adapt. Open the file with a text editor:
    sudo nano /etc/apache2/sites-available/default-ssl.conf
Modify the file to include your server’s name and point to your new certificate and key files.
    <IfModule mod_ssl.c>
        <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
            # Update ServerName to your server's IP address or domain
            ServerName your_domain_or_ip
            DocumentRoot /var/www/html
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
            SSLEngine on
            SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
            SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
            </Directory>
        </VirtualHost>
    </IfModule>
Save and close the file (Ctrl+X, Y, Enter).
Configure Redirect from HTTP to HTTPS
To ensure all traffic is encrypted, we will redirect standard HTTP requests to HTTPS.
    sudo nano /etc/apache2/sites-available/000-default.conf
Modify the file to add a permanent redirect:
    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        # Update ServerName to your server's IP address or domain
        ServerName your_domain_or_ip
        DocumentRoot /var/www/html
        # Redirect all traffic to HTTPS
        Redirect permanent "/" "https://your_domain_or_ip/"
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
Save and close the file.
Enable Apache Modules and Sites
Finally, enable the SSL module, the headers module (a good practice for SSL configurations), and the new SSL site configuration.
    sudo a2enmod ssl headers
    sudo a2ensite default-ssl
Test Configuration and Restart Apache
First, check for any syntax errors in your Apache files:
    sudo apache2ctl configtest
If you see Syntax OK, restart the Apache service to apply all changes:
    sudo systemctl restart apache2
Verify that the service is active and running:
    sudo systemctl status apache2
Step 4 — Verify the SSL Configuration

Open your web browser and navigate to https://your_domain_or_ip.
You will see a browser warning page stating that the connection is not private or that the certificate is not trusted. This is expected because the certificate was signed by you, not a trusted CA.
Click “Advanced” and then “Proceed to your_domain_or_ip”. You should now see the default Apache2 Ubuntu page, and your browser’s address bar will show a padlock icon (though it may be crossed out or have a warning), indicating that the connection is encrypted.