TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are secure protocols created in order to place normal traffic in a protected, encrypted wrapper.
These protocols allow traffic to be sent safely between remote parties without the possibility of the traffic being intercepted and read by someone in the middle. They are also instrumental in validating the identity of domains and servers throughout the internet, by having a certificate authority establish a server as trusted and genuine.
We are going to learn how to create a self-signed SSL certificate for Apache on an Ubuntu 14.04 server, which will allow you to encrypt traffic to your server. It does not provide the benefit of third-party validation of your server’s identity, but it fulfills the requirements of those simply wanting to transfer information securely.
Fundamentals
These are necessary before you start. We will be operating as a non-root user with sudo privileges in this post. If you don’t have one, you can set one up by following steps 1-4 in the Ubuntu 14.04 initial server setup guides. Next, you need to have Apache installed. If you lack it, you can install it by typing:
sudo apt-get update
sudo apt-get install apache2
Step One — Activate the SSL Module
SSL support comes standard in the Ubuntu 14.04 Apache package. We just have to enable the module to take advantage of SSL on our system.
Enable the module by typing:
sudo a2enmod ssl
After you have enabled SSL, you have to restart the web server for the change to be recognized:
sudo service apache2 restart
The web server is now able to handle SSL if we configure it to do so.
Step Two — Create a Self-Signed SSL Certificate
We need to create a subdirectory within Apache’s configuration hierarchy to place the certificate files that we will be making.
sudo mkdir /etc/apache2/ssl
We can now create the key and certificate:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
After you hit “ENTER”, you will be asked a number of questions.
The most important item that is requested is the line that reads “Common Name (e.g. server FQDN or YOUR name)”. You should enter the domain name you want to associate with the certificate, or the server’s public IP address if you do not have a domain name.
The questions appear like this:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:[email protected]
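The same command can be run without the prompts and its output checked before Apache is pointed at it. This is an added example, not part of the original tutorial: it writes to a scratch directory instead of /etc/apache2/ssl so it runs without sudo, the function names are hypothetical, and the -subj values are the sample answers shown above.

```shell
#!/bin/sh
# Added example: non-interactive Step Two plus sanity checks on the result.
# Function names and the scratch directory are assumptions for illustration.

# make_selfsigned DIR CN: same openssl req options as the tutorial; -subj
# supplies the answers that the interactive prompts would otherwise ask for.
make_selfsigned() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    (
        umask 077   # files are created readable by their owner only
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/C=US/ST=New York/L=New York City/O=Your Company/CN=$cn" \
            -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null
    )
}

# key_matches_cert CRT KEY: succeeds when the public key inside the certificate
# is the one derived from the private key. A mismatch between the files named
# in SSLCertificateFile and SSLCertificateKeyFile is caught here.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# is_self_signed CRT: succeeds when subject and issuer are the same name,
# which is why no client can chain the certificate to a trusted authority.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# cert_summary CRT: subject and validity window, to confirm the CN and expiry.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" your_domain.com
cert_summary "$demo_dir/apache.crt"
key_matches_cert "$demo_dir/apache.crt" "$demo_dir/apache.key" && echo "key matches certificate"
is_self_signed "$demo_dir/apache.crt" && echo "certificate is self-signed"
rm -rf "$demo_dir"
```

The three check functions work unchanged on /etc/apache2/ssl/apache.crt and /etc/apache2/ssl/apache.key when run with sudo.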
Step Three — Configure Apache to Use SSL
With all that done, we are going to base this configuration on the default-ssl.conf file that contains some default SSL configuration.
Open the file with root privileges:
sudo nano /etc/apache2/sites-available/default-ssl.conf
With comments removed, the file looks like this:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
After setting the normal things you configure for a virtual host (ServerAdmin, ServerName, ServerAlias, DocumentRoot) and changing the location where Apache looks for the SSL certificate and key, the file will look like this:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin [email protected]
        ServerName your_domain.com
        ServerAlias www.your_domain.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
Save and exit the file when you are done.
Step Four — Activate the SSL Virtual Host
Enable the SSL virtual host by typing:
sudo a2ensite default-ssl.conf
Restart Apache to load our new virtual host file:
sudo service apache2 restart
Step Five — Test your Setup
You can test your configuration by visiting your server’s domain name or public IP address after specifying.
You will get a warning that your browser cannot verify the identity of your server because it has not been signed by one of the certificate authorities that it trusts.
This is normal because we have self-signed our certificate; it will still be able to encrypt communication. Just hit the “Proceed anyway” button.
You should now have SSL enabled on your website. This will help to secure communication between visitors and your site, but it will warn each user that the browser cannot verify the validity of the certificate.