To increase the security of your web applications, it is a standard process to enable HTTPS/SSL/TLS. Unfortunately, purchasing certificates can often be very expensive. Luckily, you can create a self-signed certificate for free for casual use or testing.
These steps are for Ubuntu, I wrote similar documentation for the Windows platform that you can find way back in my blog archives!
NOTE: As certificates generated in this manner are not verified by any recognized authority, many browsers will warn users (often in frightening language) about their insecurity. As stated above, these are best used only for internal use.
- First you will need to have apache2 installed, at a minimum you need to run:
sudo apt-get install apache2
- Enable the SSL module:
sudo a2enmod ssl
- Create the folder to store the keys and certificates:
sudo mkdir /etc/apache2/ssl
- Generate a private key and certificate:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Enter reasonable values for the fields in question.
For FQDN Common Name enter *.domain.com for wildcard support!
- Edit the config file:
sudo vi /etc/apache2/sites-available/default-ssl.conf
- Un-comment or update the following lines:
- Enable to SSL website and restart:
sudo a2ensite default-ssl.conf
sudo service apache2 reload
sudo service apache2 restart
- Test it out… provided your firewall routes port 443 to your server.
If you’ve taken some time to wander around my site, you may have noticed that I also have SSL enabled (with https://www.giantgeek.com/ url’s). Here’s the steps you can take on your site/server – provided you have proper access.
Download and install Apache-OpenSSL and OpenSSL – I’ve found http://hunter.campbus.com/ to be a reliable source for precompiled binaries for Win32 platforms.
Install OpenSSL, and add the following environmental variable.
Generate a private key:
openssl genrsa —des3 —out filename.key 1024
Create CSR Request…
openssl req —new —key filename.key —out filename.csr
This step will ask for several pieces of information, here’s my example:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Illinois
Locality Name (eg, city) :Carol Stream
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dean Scott Fredrickson
Organizational Unit Name (eg, section) :Giant Geek Communications
Common Name (eg, YOUR name) :www.giantgeek.com
Email Address :[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :xxxxxxxxxxxxxx
An optional company name :Giant Geek Communications
You can now send this CSR to a valid Certifying Authority…
I currently use http://www.comodo.com/.
It’s very likely that the CA will need to verify your identity, typically this requires you to fax a copy of your id card/passport or business papers. A D-U-N-S Number (from Dun and Bradstreet) will make this easier for businesses.
If you don’t plan on having lots of users, you can create a Self-signed certificate…
openssl x509 —req —days 30 —in filename.csr —signkey filename.key —out filename.crt
You’ll need to install the files received from the CA, but it’s pretty trivial so I’ll leave it for later.