How to create a self-signed certificate to use on Apache2

Follow these steps to generate and install a self-signed certificate to be used on Apache2.

If you want to enable certain internal services such as internal authentication or registration and you don't want to spend the money on a signed certificate for Apache2, you can generate your own. Although it is never recommended to use a self-signed certificate for a server used by the public, your internal network is a different thing as long as your server and network are both secured. If that fits your bill, you'll need to know how to generate a self-signed certificate to be used by Apache.

Disclaimer: Only use self-signed certificates for testing purposes or for internal services; never use a self-signed certificate for a front-facing, public service.

I'll demonstrate how to generate this certificate on Ubuntu 16.04, but this process will work on just about any Linux distribution that uses Apache2. Note: These steps are designed to work only with Apache2 and will not work on Apache (such as what's shipped with CentOS). This is done strictly through the command line.

The commands to generate the certificate

First, you generate a private key with the following command:

openssl genrsa -des3 -out server.key 1024

You'll be asked to enter a password for the key and verify the password (ensure the password is strong and do not forget it). Now, generate the Certificate Signing Request with the command:

openssl req -new -key server.key -out server.csr

At this point, you'll be asked a number of self-explanatory questions (Country, State, City, etc.).

The key we generated has a password that has to be removed. If you do not remove this password, Apache will not be able to start without prompting for said password to be entered. If you are 100% certain you will always be there to enter the password (when either the server or Apache is restarted), and you'd rather keep the additional security, you can skip this step. Understand, however, if the server or Apache does restart and you (or someone on your staff) isn't there to enter the password when prompted, Apache will not be able to start and the service will remain unavailable.

To remove the password, issue the following two commands:

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

Now it's time to generate the certificate. Use the command:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The above command will generate a certificate that is valid for 365 days. You'll have to remember to generate a new certificate in one year.

When running the above command, you may wind up receiving an error that says:

unable to write 'random state'

To fix this, check whether there is a .rnd file in the working directory; if so, it is probably owned by root. Rename that file with the command sudo mv .rnd rnd, and the command to generate the certificate will then work.

The final step is to move the necessary files. The following commands will do the trick:

sudo mkdir /etc/apache2/ssl

sudo cp server.crt /etc/apache2/ssl/server.crt

sudo cp server.key /etc/apache2/ssl/server.key
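The generation steps above, gathered into one non-interactive script together with the checks worth running before the files go into /etc/apache2/ssl. This is an added example, not the article's own commands: it assumes openssl is on PATH, uses a 2048-bit key where the article uses 1024, passes the certificate subject and the temporary key passphrase as arguments instead of answering prompts, and the subject fields shown in the usage note are placeholders for your own.

```shell
#!/bin/sh
# Added example (not the article's script): key, CSR, passphrase removal and
# self-signed certificate as one function, plus two checks on the result.
# Assumptions: openssl on PATH, a writable output directory, subject values
# supplied by the caller (the ones in the usage note are placeholders).
set -e

# Create server.key (passphrase-protected, as in the article), server.csr and
# server.crt in $1, then strip the passphrase so Apache can start unattended.
# $2 is the temporary passphrase, $3 the subject, e.g. '/C=US/ST=State/O=Example/CN=localhost'.
make_self_signed() {
    dir="$1"; pass="$2"; subj="$3"
    mkdir -p "$dir"
    # The article uses 1024 bits; 2048 is the smallest size still considered acceptable.
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "$subj" -out "$dir/server.csr" 2>/dev/null
    # Same as the article's "cp" + "openssl rsa" step, with the passphrase passed in.
    cp "$dir/server.key" "$dir/server.key.org"
    openssl rsa -in "$dir/server.key.org" -passin "pass:$pass" -out "$dir/server.key" 2>/dev/null
    # The unencrypted key must not be readable by anyone but its owner.
    chmod 600 "$dir/server.key" "$dir/server.key.org"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Return 0 only if the key is no longer passphrase-protected and the certificate
# carries that key's public half; either failure stops Apache at start-up.
check_pair() {
    dir="$1"
    if grep -q ENCRYPTED "$dir/server.key"; then return 1; fi
    key_pub=$(openssl rsa -in "$dir/server.key" -pubout 2>/dev/null </dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Print the subject and expiry so the one-year renewal can be put in a calendar.
cert_info() {
    openssl x509 -in "$1/server.crt" -noout -subject -enddate
}
```

Usage, with placeholder values: `make_self_signed ./out 'temporary-pass' '/C=US/ST=State/L=City/O=Example/CN=localhost' && check_pair ./out && cert_info ./out`, then copy out/server.crt and out/server.key into /etc/apache2/ssl as the article describes. The server.key.org copy keeps the encrypted form; delete it or keep it somewhere only root can read.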

Configure Apache2 to use the certificates

You must ensure that Apache2 is using mod_ssl.so. To do this, issue the command:

sudo a2enmod ssl

You will be asked to restart Apache. Issue the command sudo service apache2 restart.

Now we must create a symbolic link for the default-ssl file with this command (which is one line):

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

The next step is to edit the 000-default-ssl.conf file we just created. Open the file with the command sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf. Look for the following lines:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

And change them to:

SSLCertificateFile /etc/apache2/ssl/server.crt

SSLCertificateKeyFile /etc/apache2/ssl/server.key

Restart Apache, and you're ready to test whether the certificate is being served. To do this, open a browser and point it to https://localhost (or the domain/IP of your server). You should immediately be greeted by a Connection is not secure warning; this happens because the certificate is self-signed, so your browser has no trusted authority vouching for it. It is okay to add an exception in your browser so the certificate will be accepted.
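The browser warning only tells you that some self-signed certificate is in use; it does not tell you whether Apache picked up server.crt or is still serving the Debian snakeoil certificate from the original configuration. The following added check (not from the article) compares the SHA-256 fingerprint of the certificate presented on port 443 with the file on disk; it assumes openssl is on PATH and that Apache is listening on the host and port you pass in.

```shell
#!/bin/sh
# Added example (not the article's commands): confirm that the certificate
# Apache presents is the one installed in /etc/apache2/ssl.
# Assumptions: openssl on PATH; host/port point at the restarted Apache.
set -e

# SHA-256 fingerprint of a certificate file, as colon-separated hex.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate a TLS server presents on $1:$2; empty if
# the handshake fails (nothing listening, or mod_ssl / the site not enabled).
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Return 0 only when both fingerprints are present and identical.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Usage: verify_apache_cert /etc/apache2/ssl/server.crt localhost 443
verify_apache_cert() {
    want=$(file_fingerprint "$1")
    got=$(served_fingerprint "$2" "$3")
    if fingerprints_match "$want" "$got"; then
        echo "OK: $2:$3 presents $1 ($want)"
    else
        echo "MISMATCH: expected $want, got ${got:-<no certificate>}" >&2
        return 1
    fi
}
```

A mismatch right after the edit usually means the SSLCertificateFile change was made in a file Apache is not reading (for example, a copy in sites-available rather than the enabled one) or Apache was not restarted; a missing certificate means the SSL site is not enabled at all.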

Congratulations! You've just added a self-signed certificate for Apache2. Remember that in one year that certificate will expire, so you'll have to walk through this again.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
