How To Create an SSL Certificate for Apache

SSL is based on the mathematical intractability of resolving a large integer into its also-large prime factors. Using this, we can encrypt information using what’s called a “private-public key pair”. Certificate authorities can issue SSL certificates that verify the authenticity of such a secured connection, and on the same note, a self-signed certificate can be produced without third-party support. By the end of the tutorial, you will have a web server accessible via HTTPS using a self-signed certificate.

It is important to note that without a proper certificate from a proper certificate authority, your browser will show warnings about the security of the site when viewed over HTTPS, even though it is more secure than it was previously.

If creating a website in the real world and data security (especially payment details) is a concern, have a look at Let’s Encrypt – a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

Self-signed certificates are fine for use internally in your organisation, and once the user accepts the browser warning the first time, they shouldn’t see it again. So let’s begin.

We will carry out the following steps on a Debian Linux server on which the apache2 and sudo packages are already installed.

Enable the SSL Module

First, enable the Apache SSL module.

The default Apache website comes with a useful template for enabling SSL, so we will activate the default website now.

Restart Apache to put these changes into effect.

Now it’s time to generate our cert.

Create a Self-Signed SSL Certificate

First, let’s create a new directory where we can store the private key and certificate.

Next, we will request a new certificate and sign it. First, generate a new certificate and a private key to protect it.

  • The days flag specifies how long the certificate should remain valid. With this example, the certificate will last for one year.
  • The keyout flag specifies the path to our generated key
  • The out flag specifies the path to our generated certificate

Invoking this command will result in a series of prompts.

Common Name: Specify your server’s IP address or hostname. This field matters, since your certificate needs to match the domain (or IP address) for your website. Fill out all other fields at your own discretion.

Example answers are shown below.

Set the file permissions to protect your private key and certificate.

Your certificate and the private key that protects it are now ready for Apache to use!
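
The certificate steps above as a non-interactive script with checks, added here as an example that is not part of the original tutorial. The function names are this example's own, -subj replaces the interactive prompts, and the subjectAltName entry (which current browsers match against instead of the Common Name) assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original tutorial. File names apache.key and
# apache.crt follow the tutorial; function names are assumptions of this example.

# make_selfsigned DIR NAME [DAYS]: write DIR/apache.key and DIR/apache.crt.
# On the tutorial's server, run as root with DIR=/etc/apache2/ssl.
make_selfsigned() {
    dir=$1; name=$2; days=${3:-365}
    # The SAN type must match what users put in the URL (hostname or IPv4).
    case $name in
        *[!0-9.]*) san="DNS:$name" ;;   # has a non-digit/dot character: hostname
        *)         san="IP:$name"  ;;   # digits and dots only: IPv4 address
    esac
    mkdir -p "$dir" || return 1
    # -nodes leaves the key unencrypted so Apache can start unattended;
    # file permissions are then the only protection the key has.
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
          -subj "/CN=$name" -addext "subjectAltName=$san" \
          -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null ) || return 1
    chmod 600 "$dir/apache.key" "$dir/apache.crt"
}

# cert_matches_key CERT KEY: succeed only if both hold the same public key.
# A mismatch here is a common reason Apache refuses to start after an edit.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT SECONDS: succeed if CERT is still valid SECONDS from now.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# cert_san CERT: print the subjectAltName entries on one line.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2{s/^ *//;s/ *$//;p;}'
}
```

Running cert_matches_key and cert_valid_for against the paths configured in Apache before a restart catches a mismatched pair or an expired certificate without taking the site down.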

Configure Apache to Use SSL

After making these changes, our server will begin serving HTTPS instead of HTTP requests for the default site.

Open the server configuration file using nano or your favorite text editor.

Locate the section that begins with <VirtualHost _default_:443> and make the following changes.

Add a line with your server name directly below the ServerAdmin email line. This can be your domain name or IP address:

/etc/apache2/sites-enabled/default
ServerAdmin webmaster@localhost
ServerName mysite.com:443

Find the following two lines, and update the paths to match the locations of the certificate and key we generated earlier. If you purchased a certificate or generated your certificate elsewhere, make sure the paths here match the actual locations of your certificate and key:

SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

Once these changes have been made, check that your virtual host configuration file matches the following.

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
ServerName example.com:443
DocumentRoot /var/www/html

. . .
SSLEngine on

. . .

SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

. . .
</VirtualHost>
</IfModule>

Save and exit the file.

Restart Apache to apply the changes.

You can visit your site in a web browser using HTTPS in the URL (https://site.com) or, if you are not using a DNS entry, the IP address of the server (e.g. https://10.10.22.30). Your browser will warn you that the certificate is self-signed. You should be able to view the certificate and confirm that the details match what you entered earlier in this tutorial.