How to Create and Install a Self-Signed SSL Certificate on Ubuntu

When you are shopping or banking online, you want to make sure the websites you are on are using HTTPS, which you can verify by noting a green padlock icon is in the address bar. HTTPS is the secure version of HTTP, a protocol used between a browser and a web server. Technically, HTTPS refers to HTTP over Secure Socket Layer (SSL). HTTPS means all communications between your browser and the web server are encrypted.

Behind HTTPS, an SSL certificate plays an important role in building trust between a browser and a web server.

In short, an SSL certificate is a web server’s digital certificate issued by a third party that verifies the identity of the web server and its public key.

A self-signed certificate is a certificate that is not signed by a certificate authority (CA). It is used internally within labs or business environments. However, this certificate has the same level of encryption as trusted certificates.

In this tutorial, we will show you how to generate a self-signed certificate and configure Apache to use this certificate.

In This Article

• Install Apache Web Server
• Generate Self-Signed Certificate
• Configure Apache to Use SSL
• Verify Your SSL Server

Step 1 – Install Apache Web Server

Before starting, an Apache webserver must be installed on your server. If not installed, you can install it with the following command:

apt-get install apache2 openssl -y

Once Apache is installed, you can proceed to the next step.

Step 2 – Generate Self-Signed Certificate

SSL uses public and private keys. The private key resides on the server and is used to encrypt the content, while the public key is used to decrypt the content and is shared among the clients.

First, you will need to generate a private key and a certificate signing request (CSR) for your domain. You can generate it with the following command:

openssl req -nodes -newkey rsa:2048 -keyout /etc/ssl/private/private.key -out 
/etc/ssl/private/request.csr

You will be asked to provide your certificate information including Common Name, Organization, City, State, and Country as shown below:

Generating a RSA private key
..........................................................................+++++
............................................................................................+++++
writing new private key to '/etc/ssl/private/private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Newyork
Locality Name (eg, city) []:Newyork
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Atlantic
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:Atlantic
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Once your request.csr is generated, you can generate the SSL certificate with the following command:

openssl x509 -in /etc/ssl/private/request.csr -out /etc/ssl/private/certificate.crt -req -signkey 
/etc/ssl/private/private.key -days 365

You should get the following output:

Signature ok
subject=C = US, ST = Newyork, L = Newyork, O = Atlantic, OU = IT, CN = Atlantic, 
emailAddress = [email protected]
Getting Private key

At this point, the certificate (certificate.crt) and key (private.key) file are ready to be used with the Apache webserver.

Step 3 – Configure Apache to Use SSL

Now, you will need to configure Apache to use the certificate which you have generated in the previous step.

First, open the Apache default SSL configuration file:

nano /etc/apache2/sites-available/default-ssl.conf

Define your domain name and SSL certificate as shown below:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin [email protected]
ServerName your-server-ip
DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLCertificateFile /etc/ssl/private/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

</VirtualHost>
</IfModule>

Save and close the file, then enable the virtual host file with the following command:

a2ensite default-ssl.conf

Next, open the Apache default virtual host configuration file as shown below:

nano /etc/apache2/sites-available/000-default.conf

Define your domain name and add a Redirect directive, pointing all traffic to the SSL version of the site:

<VirtualHost *:80>

ServerAdmin [email protected]
ServerName your-server-ip
DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Redirect "/" "https://your-server-ip/
</VirtualHost>

Next, enable the SSL and header module with the following command:

a2enmod ssl
a2enmod headers

Finally, reload the Apache service to implement the changes:

systemctl reload apache2

At this point, your Apache web server is configured to use an SSL certificate.

Step 4 – Verify Your SSL Server

Now, open your web browser and type the URL https://your-server-ip. You will be redirected to the warning page:

This is because your certificate is not signed by trusted certificate authorities. This is expected and normal. Just ignore it and click on the proceed to your host. You will be redirected to the Apache default page:

In the browser address bar, you will see a lock with a “not secure” notice. That means the certificate is not validated but is still encrypting your connection.

Conclusion

In this guide, you learned how to generate a self-signed certificate and configure your Apache web server to use this certificate for client connections. You can now easily deploy the SSL in your internal network and encrypt the connections. Try out a self-signed certificate on dedicated server hosting from Atlantic.Net!

Learn more about our dedicated servers.