Create self-signed SSL certificates for Apache on Ubuntu

To increase the security of your web applications, it is a standard process to enable HTTPS/SSL/TLS. Unfortunately, purchasing certificates can often be very expensive. Luckily, you can create a self-signed certificate for free for casual use or testing.

These steps are for Ubuntu, I wrote similar documentation for the Windows platform that you can find way back in my blog archives!

NOTE: As certificates generated in this manner are not verified by any recognized authority, many browsers will warn users (often in frightening language) about their insecurity. As stated above, these are best used only for internal use.

  1. First you will need to have apache2 installed, at a minimum you need to run:
    sudo apt-get install apache2
  2. Enable the SSL module:
    sudo a2enmod ssl

  3. Create the folder to store the keys and certificates:
    sudo mkdir /etc/apache2/ssl

  4. Generate a private key and certificate:

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

    Enter reasonable values for the fields in question.
    For FQDN Common Name enter *.domain.com for wildcard support!

  5. Edit the config file:

    sudo vi /etc/apache2/sites-available/default-ssl.conf

  6. Un-comment or update the following lines:

    ServerName YOURDOMAIN.COM
    ServerAlias WWW.YOURDOMAIN.COM
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

  7. Enable to SSL website and restart:

    sudo a2ensite default-ssl.conf
    sudo service apache2 reload
    sudo service apache2 restart

  8. Test it out… provided your firewall routes port 443 to your server.

    https://www.ssllabs.com/ssltest/analyze.html?d=YOURDOMAIN.COM

REFERENCES:

Enabling A Secure Apache Server w/SSL Certificates

If you’ve taken some time to wander around my site, you may have noticed that I also have SSL enabled (with https://www.giantgeek.com/ url’s). Here’s the steps you can take on your site/server – provided you have proper access.

Download and install Apache-OpenSSL and OpenSSL – I’ve found http://hunter.campbus.com/ to be a reliable source for precompiled binaries for Win32 platforms.

Install OpenSSL, and add the following environmental variable.
OPENSSL_CONF=[apache_root]/bin/openssl.conf (.cnf?)

Generate a private key:
openssl genrsa —des3 —out filename.key 1024

Create CSR Request…
openssl req —new —key filename.key —out filename.csr

This step will ask for several pieces of information, here’s my example:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Illinois
Locality Name (eg, city) []:Carol Stream
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dean Scott Fredrickson
Organizational Unit Name (eg, section) []:Giant Geek Communications
Common Name (eg, YOUR name) []:www.giantgeek.com
Email Address []:admin@giantgeek.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxxxxxxxxxxxx
An optional company name []:Giant Geek Communications

You can now send this CSR to a valid Certifying Authority…
I currently use http://www.comodo.com/.

It’s very likely that the CA will need to verify your identity, typically this requires you to fax a copy of your id card/passport or business papers. A D-U-N-S Number (from Dun and Bradstreet) will make this easier for businesses.

If you don’t plan on having lots of users, you can create a Self-signed certificate…
openssl x509 —req —days 30 —in filename.csr —signkey filename.key —out filename.crt

You’ll need to install the files received from the CA, but it’s pretty trivial so I’ll leave it for later.