In this tutorial I will guide you through the process of creating and self-signing an SSL certificate, installing that certificate in Apache, and configuring Apache for SSL.

This tutorial assumes that you have already installed Apache.

Install OpenSSL

This is required to create SSL Certificates:

sudo apt-get install openssl

Create SSL Certificate

Generate a server key:

cd /etc/apache2
sudo mkdir ssl
cd ssl
sudo openssl genrsa -des3 -out server.key 4096

You will be prompted for a pass phrase. This can be whatever you want. You will need to enter this pass phrase when doing things with this SSL Certificate later.

Create a version of the server key that does not require a password:

sudo openssl rsa -in server.key -out server.key.insecure
sudo mv server.key server.key.secure
sudo mv server.key.insecure server.key

Protect these files by setting the owner to root and setting the strictest possible file permissions:

cd /etc/apache2/ssl
sudo chown root:root *
sudo chmod 000 *

Self-Sign SSL Certificate

Create a Certificate Signing Request for your server key:

sudo openssl req -new -key server.key -out server.csr

You will be prompted for a series of fields such as Country Name, State or Province Name, etc. Since you're self-signing this SSL certificate and using it for your local development environment, or a remote testing environment, these can be whatever you want.

Now sign the Certificate Signing Request:

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
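
Before pointing Apache at these files it is worth confirming that the certificate really belongs to the key. The script below is an added example, not part of the original tutorial: it repeats the key, CSR and signing steps in a scratch directory (without a pass phrase) and checks that a certificate matches a key, is self-signed and has not expired. The function names and the CN=localhost subject are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: build a throwaway self-signed pair and verify it the same way
# you would verify /etc/apache2/ssl/server.key and server.crt.

# make_pair DIR [BITS]: the tutorial's genrsa / req / x509 steps, minus the
# pass phrase. The subject /CN=localhost is a constructed sample value.
make_pair() {
    ( umask 077   # files are created readable by their owner only
      openssl genrsa -out "$1/server.key" "${2:-4096}" 2>/dev/null &&
      openssl req -new -key "$1/server.key" -subj "/CN=localhost" \
          -out "$1/server.csr" &&
      openssl x509 -req -days 365 -in "$1/server.csr" \
          -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null )
}

# check_pair KEY CRT
#   returns 0 if the pair is usable,
#           1 if the certificate does not carry the key's public half,
#           2 if the certificate does not verify against itself,
#           3 if the certificate has already expired.
check_pair() {
    # Both commands print the public key as a PEM SubjectPublicKeyInfo block,
    # so the two outputs are identical text when key and certificate match.
    cp_key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cp_crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$cp_key_pub" = "$cp_crt_pub" ] ||
        { echo "key and certificate do not match" >&2; return 1; }

    # A self-signed certificate is its own issuer, so it must verify when it
    # is also supplied as the only trusted CA.
    openssl verify -CAfile "$2" "$2" >/dev/null 2>&1 ||
        { echo "certificate is not self-signed" >&2; return 2; }

    # -checkend 0 exits non-zero if the notAfter date is already in the past.
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 3; }
}
```

Against the files from this tutorial the call would be `sudo bash -c '. ./check.sh; check_pair /etc/apache2/ssl/server.key /etc/apache2/ssl/server.crt'`, where check.sh is a hypothetical name for the script above.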

Configure Apache for SSL

Enable mod_ssl in Apache:

cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/ssl.load ssl.load
sudo ln -s ../mods-available/ssl.conf ssl.conf

Edit Apache's default SSL configuration file:

cd /etc/apache2/sites-available
sudo vim default-ssl

Change the following line:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem

To:

SSLCertificateFile /etc/apache2/ssl/server.crt

And this line:

SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

To:

SSLCertificateKeyFile /etc/apache2/ssl/server.key

Using the Password-Protected Server Key

If you want to use the password-protected server key instead, change the last line you modified in the default SSL configuration file to the following:

SSLCertificateKeyFile /etc/apache2/ssl/server.key.secure

It's worth noting that if you use the password-protected server key, you will be prompted to enter its pass phrase every time you start or restart Apache.


Add a symlink to the SSL configuration file in your sites-enabled directory:

cd /etc/apache2/sites-enabled
sudo ln -s ../sites-available/default-ssl 000-default-ssl

Restart Apache:

sudo /etc/init.d/apache2 restart

Testing / Debugging

If things are working, you should be able to access the sites hosted on your server with secure HTTP. If you are on your local machine, try the following:

https://localhost

If you are using Chrome, you should be presented with a screen that says, "The site's security certificate is not trusted!" Just hit the "Proceed anyway" button and you'll be able to access your site with the new self-signed SSL certificate.

If you are getting the "SSL connection error" page, that means something is not configured properly. Here are some possible issues that could be preventing your SSL configuration from working properly:

The SSL Configuration file is not being included

How you go about checking this will vary, depending upon your Apache installation. Check Apache's primary configuration file, and make sure the default SSL configuration file is being included.

Something besides Apache could be listening to port 443

If you are working on your personal computer, the culprit is probably a messaging client such as Skype. Otherwise, it might be another web server installed on the machine. To find out quickly whether something besides Apache is listening on port 443, you must first stop Apache:

sudo /etc/init.d/apache2 stop

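Then use the following command to view what's going on with the computer's ports. Run it as root so that the owning process is shown for every listening socket, not only for your own processes:

sudo netstat -antp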