Linux Commands

Configure Apache With Self-Signed TLS/SSL Certificate on Ubuntu 16.04

Step 1: Generating the certificate

To create a private key, run the commands below

cd /etc/ssl/private
openssl genrsa -aes128 -out server.key 2048

When creating a private key, you will be prompted to create and confirm a password or passphrase. However, it’s best to create a key without a passphrase, so that Apache can start without prompting for it. Keep the unencrypted key readable by root only. To remove the passphrase from the key you just created, run the command below.

openssl rsa -in server.key -out server.key

Step 2: Create A Certificate Signing Request

After creating the private key, run the command below to create a certificate signing request using the server private key. A certificate signing request (CSR) carries the details of the entity and the resource that you want incorporated into the certificate.

To create a CSR, run the command below

openssl req -new -days 365 -key server.key -out server.csr

When you run the above command, you will be prompted with the questions below. Answer the highlighted lines as shown below.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pinnacle
Organizational Unit Name (eg, section) []:Software
Common Name (e.g. server FQDN or YOUR name) []:Pinnacle
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

When you’re done above, continue below to create a public SSL certificate
Step 3: Create A Self-Signed Certificate

Now that the private key and CSR are created, run the command below to create a self-signed SSL certificate called server.crt that will be valid for 1000 days.

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
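
Before Apache is pointed at the files from Steps 1 to 3, it is worth checking that the certificate really belongs to the key, is self-signed, has the expected lifetime, and that the key is not readable by other users. The script below is an added example, not part of the original tutorial: it repeats the three steps without prompts (-subj replaces the questions, and no passphrase is set) and uses the 365 days from the Step 3 command; the scratch directory and the name server.example.test are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example: Steps 1-3 without prompts, followed by checks on the result.
# Assumed names: the scratch directory and CN "server.example.test" are placeholders.

# make_selfsigned DIR CN DAYS -> writes server.key, server.csr, server.crt into DIR
make_selfsigned() (
    umask 077                                   # files are created owner-only (0600)
    cd "$1" || exit 1
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -subj "/CN=$2" -out server.csr &&
    openssl x509 -req -in server.csr -signkey server.key -days "$3" \
        -out server.crt >/dev/null 2>&1
)

# key_matches_cert KEY CRT -> 0 only if CRT carries the public half of KEY
key_matches_cert() {
    local from_key from_crt
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# is_self_signed CRT -> 0 if issuer and subject names are identical
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# valid_for_days CRT N -> 0 if CRT is still valid N days from now
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_is_private KEY -> 0 if group and others have no permission bits on KEY
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Demonstration in a throwaway directory (constructed input, removed afterwards)
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" server.example.test 365
key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt" && echo "key matches certificate"
is_self_signed "$demo_dir/server.crt" && echo "issuer equals subject (self-signed)"
valid_for_days "$demo_dir/server.crt" 364 && echo "valid for at least 364 more days"
key_is_private "$demo_dir/server.key" && echo "key is owner-only"
rm -rf "$demo_dir"
```

The same check functions can be run against the real files, for example key_matches_cert with the paths given in SSLCertificateKeyFile and SSLCertificateFile.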

Step 4: Apache virtual host configuration

Navigate to the default Apache site config directory.

sudo nano /etc/apache2/sites-available/default-ssl.conf

This file tells the server where to look for the SSL certificate. With the comments removed, it should look like the following config.

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>

Edit this line:
Add this right below the ServerAdmin line:
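Now, edit these lines with our certificate location. The paths must point to where the certificate and key actually are; the files created in Steps 1 to 3 are server.crt and server.key in /etc/ssl/private.

SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
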
Our final file should resemble this:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin
        ServerName
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>

Save and close the file.

Step 5: Enabling Apache SSL module

Enable the SSL module by typing:
sudo a2enmod ssl
Now enable the site we have just edited:
sudo a2ensite default-ssl.conf
Restart Apache:
sudo service apache2 restart
Let's access the new secure website! Open it in your browser (make sure you type https://).

Step 6: Redirect all HTTP traffic to HTTPS (Optional)
Open the Apache default virtual host file:
sudo nano /etc/apache2/sites-available/000-default.conf
Add this line inside the <VirtualHost *:80> tag:
Redirect / https://YOUR_SERVER_IP_OR_DOMAIN/
Reload Apache configuration:
sudo service apache2 reload
