Nov 25, 2019 9:00 AM Apr 24, 2020 2:40 PM

Adding a self-signed SSL certificate to Apache on Debian/Ubuntu

In this article I will explain how to add a self-signed SSL certificate to the Apache server on the Debian/Ubuntu operating system. A self-signed certificate is created and signed by the same party: it is not signed by a certification authority (CA), so a browser cannot verify it against its list of trusted authorities. Such a certificate is used only for testing on a local server.

You can also add a trusted SSL certificate for the local environment in Apache on Debian/Ubuntu (using root CA). If this instruction seems complicated to you, try a simpler article on how to add a trusted self-signed SSL certificate to Apache on Debian/Ubuntu, but this solution does not always work.

These instructions were tested on the following operating systems: Debian 10, Debian 9, Ubuntu 20.10, Ubuntu 20.04, Ubuntu 19.10.

Creating a self-signed SSL certificate

The OpenSSL cryptographic library is often used to create SSL certificates. The openssl package should be in the distribution, but if for some reason it is not there, then let's install it.

Before any software installation, it is recommended to update the list of repository packages by running the command in the terminal:

sudo apt-get update

Install OpenSSL by running the command in the terminal:

sudo apt-get install openssl

Now let's create a self-signed SSL certificate with a private key by running the command in the terminal:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/localhost.key -out /etc/ssl/certs/localhost.crt

where

In the process of generating the certificate, several questions will be asked. You can skip them.

Configuring Apache to use SSL

Let's enable SSL in the Apache server configuration. We will specify listening on port 443 (HTTPS) and the path to the certificate and private key files. Edit the server configuration file /etc/apache2/sites-available/default-ssl.conf:

sudo nano /etc/apache2/sites-available/default-ssl.conf

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost

		DocumentRoot /var/www/html

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on
		SSLCertificateFile	/etc/ssl/certs/localhost.crt
		SSLCertificateKeyFile /etc/ssl/private/localhost.key

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
			SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
			SSLOptions +StdEnvVars
		</Directory>
	</VirtualHost>
</IfModule>

Save the changes and close the file.

You must activate the mod_ssl module by running the command in the terminal:

sudo a2enmod ssl

Do not forget to activate the configuration file by running the command in the terminal:

sudo a2ensite default-ssl

Check the configuration for validity by running the command in the terminal:

sudo apache2ctl -t

Now apply the configuration changes by running the command in the terminal:

sudo service apache2 reload
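
The files named in SSLCertificateFile and SSLCertificateKeyFile can also be checked from the shell: that the key belongs to the certificate, that the certificate is self-signed and not about to expire, and that the private key is not accessible to other users. This is an added example, not part of the original article; the function names are illustrative and GNU stat (the Debian/Ubuntu default) is assumed.

```bash
#!/usr/bin/env bash
# Added example: checks for the certificate and key created in this article.
# Function names are illustrative; GNU stat (Debian/Ubuntu) is assumed.

# Succeeds when the certificate's public key equals the one derived from the key file.
cert_matches_key() {
    local crt="$1" key="$2" from_crt from_key
    from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$from_crt" = "$from_key" ]
}

# Succeeds when issuer and subject are the same name, as in a self-signed certificate.
is_self_signed() {
    local crt="$1" subject issuer
    subject=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253) || return 2
    issuer=$(openssl x509 -in "$crt" -noout -issuer -nameopt RFC2253) || return 2
    [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# Succeeds when the key file grants no permissions to "other" users.
key_not_world_readable() {
    case "$(stat -c %a "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Runs every check and returns non-zero if any of them fails.
check_tls_pair() {
    local crt="$1" key="$2" rc=0
    cert_matches_key "$crt" "$key" || { echo "FAIL: certificate and key do not match"; rc=1; }
    is_self_signed "$crt" || { echo "FAIL: issuer differs from subject"; rc=1; }
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null ||
        { echo "FAIL: certificate expires within 24 hours"; rc=1; }
    key_not_world_readable "$key" || { echo "FAIL: key is accessible to other users"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $crt matches $key"
    return "$rc"
}

# Usage (as root): script.sh /etc/ssl/certs/localhost.crt /etc/ssl/private/localhost.key
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```

Run it with sudo, because /etc/ssl/private is not readable by ordinary users.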

Encryption testing

Let's check that our Apache server is accessible via the HTTPS protocol by entering the following address in the browser:

https://localhost

Since the certificate we created was not signed by one of the trusted certification authorities of your browser, you will most likely see a warning that your connection is not secure:

Your connection is not secure

Do not worry, this is normal. Just add an exception in the browser:

Add exception for self-signed certificate

Confirm security exception

Your connection will now be encrypted using the HTTPS protocol. However, a message will still be displayed stating that the connection is not secure — this simply means that the certificate cannot be verified by a trusted certificate authority:

Apache welcome page with SSL
