In this tutorial I will guide you through the process of creating and self-signing a SSL certificate, installing that certificate in Apache, and configuring Apache for SSL.

This tutorial assumes that you have already installed Apache.

Install OpenSSL

This is required to create SSL Certificates:

sudo apt-get install openssl

Create SSL Certificate

Generate a server key:

cd /etc/apache2
sudo mkdir ssl
cd ssl
sudo openssl genrsa -des3 -out server.key 4096

You will be prompted for a pass phrase. This can be whatever you want. You will need to enter this pass phrase when doing things with this SSL Certificate later.

Create a version of the server key that does not require a password:

sudo openssl rsa -in server.key -out server.key.insecure
sudo mv server.key
sudo mv server.key.insecure server.key

Protect these files by setting the owner to root and setting the strictest possible file permissions:

cd /etc/apache2/ssl
sudo chown root:root *
sudo chmod 000 *

Self-Sign SSL Certificate

Create a Certificate Signing Request for your server key:

openssl req -new -key server.key -out server.csr

You will be prompted to enter a series of information such as Country Name, State or Province Name, etc. Since you're Self-Signing this SSL Certificate and using it for your local development environment, or a remote testing environment, this can be whatever you want.

Now sign the Certificate Signing Request:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Configure Apache for SSL

Enable mod_ssl in Apache:

cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/ssl.load ssl.load
sudo ln -s ../mods-available/ssl.conf ssl.conf

Edit Apache's default SSL configuration file:

cd /etc/apache2/sites-available
sudo vim default-ssl

Change the following line:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem


SSLCertificateFile /etc/apache2/ssl/server.crt

And this line:

SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key


SSLCertificateKeyFile /etc/apache2/ssl/server.key

Using the Password-Protected Server Key

If you want to use the password-protected server key instead, change the last line you modified of the default SSL configuration file to the following:

SSLCertificateKeyFile /etc/apache2/ssl/

It's worth noting that if you use the password-protected server key, every time you restart/start Apache you will be prompted to enter its Pass Phrase.

Add symlink to SSL Configuration file in your sites-enabled directory:

cd /etc/apache2/sites-enabled
sudo ln -s ../sites-available/default-ssl 000-default-ssl

Restart Apache:

sudo /etc/init.d/apache2 restart

Testing / Debugging

If things are working, you should be able to access the sites hosted on your server with secure HTTP. If you are on your local machine, try the following:


If you are using Chrome, you should be presented with a screen that says, "The site's security certificate is not trusted!" Just hit the "Process anyway" button and you'll be able to access your site with the new Self-Signed SSL Certificate. If you are getting the "SSL connection error" page, that means something is not configured properly. Here are some possible issues that could be preventing your SSL configuration from working properly:

The SSL Configuration file is not being included

How you go about checking this will vary, depending upon your Apache installation. Check Apache's primary configuration file, and make sure the default SSL configuration file is being included.

Something besides Apache could be listening to port 443

If you are working on your personal computer, the culprit is probably a messaging client such as Skype. Otherwise, it might be another web server installed on the machine. To find out quickly whether or not port 443 is being listened to by something besides Apache, you must first stop Apache:

sudo /etc/init.d/apache2 stop

Then use the following command to view what's going on with the computer's ports:

netstat -antp