Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols designed to provide secure communication over a computer network. While SSL is largely considered to be deprecated and insecure, TLS has become the standard for secure communications.

If you manage an Apache web server, you may need an SSL or TLS certificate for encrypted communication. In testing environments especially, a self-signed certificate can be used instead of one issued by a Certificate Authority.

Self-signed certificates may not be suitable for production environments, as browsers will often alert users that the certificate cannot be trusted. However, for development, testing, or internal use, they can be a cost-effective and quick solution.

Steps to configure self-signed SSL and TLS for Apache:

  1. Open the terminal.
  2. Create a directory to store your private key and certificate.

    $ sudo mkdir -p /etc/apache2/ssl
  3. Generate a private key and self-signed certificate with the OpenSSL command.

    $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

    During the process, you'll be prompted to provide information for the certificate such as Country, State, and Common Name (domain name).

  4. Enable mod_ssl.

    $ sudo a2enmod ssl
    Considering dependency setenvif for ssl:
    Module setenvif already enabled
    Considering dependency mime for ssl:
    Module mime already enabled
    Considering dependency socache_shmcb for ssl:
    Enabling module socache_shmcb.
    Enabling module ssl.
    See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
    To activate the new configuration, you need to run:
      systemctl restart apache2
  5. Using your preferred text editor, open the VirtualHost configuration for the site on which you want to enable SSL.

    $ sudo vi /etc/apache2/sites-available/example.com.conf
  6. Find and update the SSL-related directives in the configuration file with the correct paths.

    <VirtualHost *:443>
      ServerName example.com
     
      SSLEngine on
      SSLCertificateFile /etc/apache2/ssl/apache.crt
      SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    </VirtualHost>
  7. Enable the virtual host if you're using an Ubuntu-based system and the site configuration is in the sites-available folder.

    $ sudo a2ensite example.com
    Enabling site example.com.
    To activate the new configuration, you need to run:
      systemctl reload apache2

    Make sure to back up any original configuration files before modifying them to avoid losing any previous settings. If everything is configured correctly, your site will be accessible via HTTPS using your self-signed certificate.

  8. (Optional) Configure a redirect from HTTP to HTTPS to ensure that all traffic is encrypted.

    <VirtualHost *:80>
      ServerName example.com
      Redirect permanent / https://example.com/
    </VirtualHost>
  9. Restart Apache to apply the changes.

    $ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES
    $ sudo systemctl restart httpd # CentOS and Red Hat
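  10. Access the site via HTTPS to verify it's working. The -k option tells curl to skip certificate verification, which is needed here because the certificate is self-signed.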

    $ curl -kv https://example.com
    *   Trying 127.0.0.1:443...
    * Connected to example.com (127.0.0.1) port 443 (#0)
    * ALPN: offers h2,http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN: server accepted http/1.1
    * Server certificate:
    ##### snipped
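
Checks worth running on the key and certificate from step 3 before Apache serves them, as an added example that is not part of the original guide: private key file permissions, key/certificate match, remaining validity, and hostname coverage. The helper name `check_tls_pair` and the throwaway `/CN=example.com` pair generated in a temporary directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks for the key/certificate pair from step 3.
# check_tls_pair CERT KEY HOSTNAME -> returns 0 if every check passes, 1 otherwise.
# (check_tls_pair is a hypothetical helper name, not an Apache or OpenSSL tool.)
check_tls_pair() {
    cert=$1; key=$2; host=$3; rc=0
    [ -r "$cert" ] && [ -r "$key" ] || { echo "FAIL: cannot read $cert or $key"; return 1; }

    # 1. Private key must not be readable by group or others (GNU stat, then BSD stat).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in
        [46]00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400"; rc=1 ;;
    esac

    # 2. Certificate and private key must contain the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: key does not match certificate"; rc=1; }

    # 3. Certificate must still be valid 30 days (2592000 seconds) from now.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: certificate expires within 30 days"; rc=1; }

    # 4. Certificate must cover the ServerName used in the VirtualHost.
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo "FAIL: certificate does not cover $host"; rc=1; }

    return "$rc"
}

# Demo on a constructed throwaway pair (same options as step 3, plus -subj to skip prompts).
demo_dir=$(mktemp -d)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=example.com" \
    -keyout "$demo_dir/apache.key" -out "$demo_dir/apache.crt" 2>/dev/null
chmod 600 "$demo_dir/apache.key"
check_tls_pair "$demo_dir/apache.crt" "$demo_dir/apache.key" example.com && echo "all checks passed"
```

On the server itself, call the function with the paths from step 3 and the ServerName from step 6; reading the private key there requires root.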