How to Create an SSL Certificate on Apache for Ubuntu 14.04

June 20, 2013


TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are secure protocols created in order to place normal traffic in a protected, encrypted wrapper.

These protocols allow traffic to be sent safely between remote parties without the possibility of the traffic being intercepted and read by someone in the middle. They are also instrumental in validating the identity of domains and servers throughout the internet by establishing a server as trusted and genuine by a certificate authority.

In this guide we will create a self-signed SSL certificate for Apache on an Ubuntu 14.04 server, which will allow you to encrypt traffic to your server. It does not provide the benefit of third-party validation of your server’s identity, but it fulfills the requirements of those who simply want to transfer information securely.

Fundamentals

A few things are necessary before you start. We will be operating as a non-root user with sudo privileges in this post. If you don’t have one, you can set one up by following steps 1-4 in the Ubuntu 14.04 initial server setup guide. You also need to have Apache installed. If you lack it, you can install it by typing:

sudo apt-get update
sudo apt-get install apache2

Step One — Activate the SSL Module

SSL support comes standard in the Ubuntu 14.04 Apache package. You just have to enable the module to take advantage of SSL on your system.

Enable the module by typing:

sudo a2enmod ssl

After you have enabled SSL, you have to restart the web server for the change to be recognized:

sudo service apache2 restart

The web server is now able to handle SSL if we configure it to do so.

Step Two — Create a Self-Signed SSL Certificate

We need to create a subdirectory within Apache’s configuration hierarchy to hold the certificate files that we will be making:

sudo mkdir /etc/apache2/ssl

We can now create the key and certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

After you hit “ENTER”, you will be asked a number of questions.

The most important item that is requested is the line that reads “Common Name (e.g. server FQDN or YOUR name)”. You should enter the domain name you want to associate with the certificate, or the server’s public IP address if you do not have a domain name.

The questions appear like this:

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:New York

Locality Name (eg, city) []:New York City

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company

Organizational Unit Name (eg, section) []:Department of Kittens

Common Name (e.g. server FQDN or YOUR name) []:your_domain.com

Email Address []:[email protected]
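The checks below are an added example, not part of the original post: they repeat the Step Two command without prompts (using -subj in place of the questions) in a scratch directory, then confirm that the key and certificate belong together, read back the Common Name, and check the expiry. The function names and the scratch directory are assumptions made for illustration.

```sh
#!/bin/sh
# Added example with constructed values; function names are illustrative.

# make_cert DIR CN: write DIR/apache.key and DIR/apache.crt without prompts.
make_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell so the private key is never group/world-readable.
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -subj "/C=US/ST=New York/L=New York City/O=Your Company/CN=$cn" \
          -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/apache.key" && chmod 644 "$dir/apache.crt"
}

# pair_matches KEY CRT: succeed only if the certificate carries the public
# half of this private key. Unreadable or malformed files count as a mismatch.
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRT: print the subject Common Name (handles "CN = x" and "/CN=x").
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -e 's|.*CN *= *||' -e 's|[,/].*||'
}

# still_valid CRT SECONDS: succeed if the certificate does not expire
# within the next SECONDS seconds.
still_valid() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Demo run in a scratch directory created by mktemp and removed afterwards.
scratch=$(mktemp -d)
make_cert "$scratch" your_domain.com
if pair_matches "$scratch/apache.key" "$scratch/apache.crt"; then
    echo "key and certificate match, CN=$(cert_cn "$scratch/apache.crt")"
fi
still_valid "$scratch/apache.crt" 2592000 && echo "valid for at least 30 more days"
rm -rf "$scratch"
```

To check the real files from Step Two, call pair_matches, cert_cn and still_valid on /etc/apache2/ssl/apache.key and /etc/apache2/ssl/apache.crt from a root shell.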

Step Three — Configure Apache to Use SSL

With all that done, we are going to base our configuration on the default-ssl.conf file, which contains some default SSL configuration.

Open the file with root privileges:

sudo nano /etc/apache2/sites-available/default-ssl.conf

With the comments removed, the file looks like this:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin [email protected]
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

Next, set the normal things you would configure for a virtual host (ServerAdmin, ServerName, ServerAlias, DocumentRoot), then change the location where Apache looks for the SSL certificate and key. When you are finished, it will look like this:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin [email protected]
        ServerName your_domain.com
        ServerAlias www.your_domain.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

 

Save and exit the file when you are done.

Step Four — Activate the SSL Virtual Host

Enable the SSL virtual host by typing:

sudo a2ensite default-ssl.conf

Restart Apache to load our new virtual host file:

sudo service apache2 restart

Step Five — Test your Setup

You can test your configuration by visiting your server’s domain name or public IP address after specifying.

You will get a warning that your browser cannot verify the identity of your server because it has not been signed by one of the certificate authorities that it trusts.

This is normal because we have self-signed our certificate; it will still be able to encrypt communication. Just hit the “Proceed anyway” button.

You should now have SSL enabled on your website. This will help to secure communication between visitors and your site, but it will warn each user that the browser cannot verify the validity of the certificate.

 
