In this tutorial I will guide you through the process of creating and self-signing an SSL certificate, installing that certificate in Apache, and configuring Apache for SSL.
This tutorial assumes that you have already installed Apache.
Install OpenSSL
This is required to create SSL Certificates:
sudo apt-get install openssl
Create SSL Certificate
Generate a server key:
cd /etc/apache2
sudo mkdir ssl
cd ssl
sudo openssl genrsa -des3 -out server.key 4096
You will be prompted for a pass phrase. This can be whatever you want. You will need to enter this pass phrase when doing things with this SSL Certificate later.
Create a version of the server key that does not require a password:
sudo openssl rsa -in server.key -out server.key.insecure
sudo mv server.key server.key.secure
sudo mv server.key.insecure server.key
Protect these files by setting the owner to root and setting the strictest possible file permissions:
cd /etc/apache2/ssl
sudo chown root:root *
sudo chmod 000 *
Self-Sign SSL Certificate
Create a Certificate Signing Request for your server key:
openssl req -new -key server.key -out server.csr
You will be prompted to enter a series of information such as Country Name, State or Province Name, etc. Since you're Self-Signing this SSL Certificate and using it for your local development environment, or a remote testing environment, this can be whatever you want.
Now sign the Certificate Signing Request:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
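The key, CSR and self-signing steps above, run non-interactively and followed by the checks I would do before pointing Apache at the files. This is an added example, not part of the original tutorial; the output directory, the file names and the subject string are assumptions.

```shell
# Added example: the tutorial's openssl steps without prompts, plus sanity
# checks on the result. Directory, file names and subject are assumptions.
set -eu

# make_selfsigned DIR DAYS SUBJECT
# Writes DIR/server.key (no pass phrase, i.e. the "insecure" key above),
# DIR/server.csr and DIR/server.crt, mirroring the tutorial's commands.
make_selfsigned() {
    dir=$1; days=$2; subj=$3
    mkdir -p "$dir"
    # No -des3 here, so Apache can start without asking for a pass phrase.
    openssl genrsa -out "$dir/server.key" 4096 2>/dev/null
    # -subj supplies the Country/State/... answers instead of prompting.
    openssl req -new -key "$dir/server.key" -subj "$subj" -out "$dir/server.csr"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"   # private key readable by its owner only
}

# key_matches_cert KEY CRT: succeeds only if the certificate was issued for
# this private key (same RSA modulus). A mismatched pair is a classic reason
# for Apache refusing to start after the SSLCertificate* lines are edited.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ "$k" = "$c" ]
}

# is_self_signed CRT: succeeds if issuer and subject are the same name,
# which is exactly why the browser shows the "not trusted" warning.
is_self_signed() {
    i=$(openssl x509 -noout -issuer -in "$1")
    s=$(openssl x509 -noout -subject -in "$1")
    [ "${i#issuer=}" = "${s#subject=}" ]
}

# cert_valid_for_days CRT DAYS: succeeds if the certificate does not expire
# within DAYS days (-checkend takes a number of seconds).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}
```

Source the file and call make_selfsigned with a directory, a validity in days and a subject such as "/C=US/ST=State/L=City/O=Dev/CN=localhost", then run the three checks on the files it produced.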
Configure Apache for SSL
Enable mod_ssl in Apache:
cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/ssl.load ssl.load
sudo ln -s ../mods-available/ssl.conf ssl.conf
Edit Apache's default SSL configuration file:
cd /etc/apache2/sites-available
sudo vim default-ssl
Change the following line:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
To:
SSLCertificateFile /etc/apache2/ssl/server.crt
And this line:
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
To:
SSLCertificateKeyFile /etc/apache2/ssl/server.key
Using the Password-Protected Server Key
If you want to use the password-protected server key instead, change the last line you modified of the default SSL configuration file to the following:
SSLCertificateKeyFile /etc/apache2/ssl/server.key.secure
It's worth noting that if you use the password-protected server key, every time you restart/start Apache you will be prompted to enter its Pass Phrase.
Add symlink to SSL Configuration file in your sites-enabled directory:
cd /etc/apache2/sites-enabled
sudo ln -s ../sites-available/default-ssl 000-default-ssl
Restart Apache:
sudo /etc/init.d/apache2 restart
Testing / Debugging
If things are working, you should be able to access the sites hosted on your server with secure HTTP. If you are on your local machine, try the following:
If you are using Chrome, you should be presented with a screen that says, "The site's security certificate is not trusted!" Just hit the "Proceed anyway" button and you'll be able to access your site with the new Self-Signed SSL Certificate. If you are getting the "SSL connection error" page, that means something is not configured properly. Here are some possible issues that could be preventing your SSL configuration from working properly:
The SSL Configuration file is not being included
How you go about checking this will vary, depending upon your Apache installation. Check Apache's primary configuration file, and make sure the default SSL configuration file is being included.
Something besides Apache could be listening to port 443
If you are working on your personal computer, the culprit is probably a messaging client such as Skype. Otherwise, it might be another web server installed on the machine. To find out quickly whether something besides Apache is listening on port 443, you must first stop Apache:
sudo /etc/init.d/apache2 stop
Then use the following command to view what's going on with the computer's ports:
netstat -antp