How To Create a Self-Signed SSL Certificate for Apache

Securing the communication between a web server and its users is crucial for protecting sensitive data from potential threats. One way to achieve this security is through SSL (Secure Sockets Layer) certificates. While publicly accessible websites often use certificates obtained from trusted third-party certificate authorities, you can create a self-signed SSL certificate for development or internal purposes.

In this article, we’ll explore the steps to create a self-signed SSL certificate for Apache on Ubuntu/Debian systems.

1. Create Self-Signed Certificate Using OpenSSL

Open a terminal and run the following command to generate a self-signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.crt

Breaking down the command:

  • `openssl`: Command-line tool for OpenSSL.
  • `req`: The OpenSSL subcommand for creating and processing X.509 certificate signing requests (CSRs); combined with `-x509` it creates a certificate directly.
  • `-x509`: Generates a self-signed certificate (as opposed to a certificate signing request).
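  • `-nodes`: Leaves the private key unencrypted (no passphrase), so Apache can start without prompting for one. Anyone who can read the key file can use the key, so keep the file readable by root only.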
  • `-days 365`: Specifies the validity period of the SSL certificate, in this case, 365 days.
  • `-newkey rsa:2048`: Instructs OpenSSL to generate a new 2048-bit RSA private key together with the certificate, in a single step.
  • `-keyout`: Defines the location to store the generated private key file.
  • `-out`: Specifies the location to store the generated certificate.

During the process, you’ll be prompted to enter information about your website. The most crucial entry is the Common Name (CN), which should match your website’s domain name or public IP address.

2. Configure Apache to Use the SSL Certificate

Edit the default SSL configuration file for Apache:

sudo nano /etc/apache2/sites-available/default-ssl.conf

Find the `<VirtualHost>` section and modify the `ServerAdmin`, `SSLCertificateFile`, and `SSLCertificateKeyFile` directives:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerAdmin admin@example.com

    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on

    SSLCertificateFile /etc/ssl/certs/selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/selfsigned.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>

  </VirtualHost>
</IfModule>

Save and exit the file.

3. Enable mod_ssl

Activate the mod_ssl module:

sudo a2enmod ssl

4. Activate SSL Configuration

Run the following command to activate the SSL configuration:

sudo a2ensite default-ssl

5. Restart Apache Server

Ensure there are no configuration errors:

sudo apache2ctl configtest

If no errors are reported, restart the Apache web server to apply the changes:

sudo service apache2 restart
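
Before the restart in step 5, it is worth confirming that the files named in the vhost actually belong together. The script below is an added example, not part of the original article: it reads `SSLCertificateFile` and `SSLCertificateKeyFile` from the config, then checks that the key is not accessible to group or other, that certificate and key carry the same public key, and that the certificate has not expired. The function names are hypothetical; it assumes GNU `stat` and an unencrypted key, as produced by `-nodes`.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the vhost edited in step 2.

# Print the first value of an Apache directive (names are case-insensitive).
directive_value() {
  awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }' "$2"
}

# Succeed only if no group/other permission bits are set on the key file.
key_is_private() {
  local mode
  mode=$(stat -c '%a' "$1") || return 1   # GNU stat, as on Ubuntu/Debian
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# Succeed only if certificate and private key carry the same public key.
cert_matches_key() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all checks against the files a vhost config points to.
check_vhost_tls() {
  local conf=$1 cert key rc=0
  cert=$(directive_value SSLCertificateFile "$conf")
  key=$(directive_value SSLCertificateKeyFile "$conf")
  [ -r "$cert" ] || { echo "FAIL: cannot read certificate '$cert'"; return 1; }
  [ -r "$key" ] || { echo "FAIL: cannot read key '$key'"; return 1; }
  key_is_private "$key" || { echo "FAIL: $key is accessible to group/other"; rc=1; }
  cert_matches_key "$cert" "$key" || { echo "FAIL: certificate and key do not match"; rc=1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "FAIL: certificate has expired"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $conf"
  return "$rc"
}

# Stand-alone use: sudo bash check.sh /etc/apache2/sites-available/default-ssl.conf
if [ "$#" -gt 0 ]; then check_vhost_tls "$1"; fi
```

Run it with `sudo`, since the key under `/etc/ssl/private` is not readable by ordinary users; a non-zero exit status means at least one check failed.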

Congratulations! You have successfully created and configured a self-signed SSL certificate for Apache on your Ubuntu/Debian server. Keep in mind that while self-signed certificates are suitable for internal use, they are not recommended for public-facing websites where third-party certificates are preferred for enhanced security.
