If you want to enable certain internal services such as internal authentication or registration and you don’t want to spend the money on a signed certificate for Apache2, you can generate your own. Although it is never recommended to use a self-signed certificate for a server used by the public, your internal network is a different thing as long as your server and network are both secured. If that fits your bill, you’ll need to know how to generate a self-signed certificate to be used by Apache.
Disclaimer: Only use self-signed certificates for testing purposes or for internal services; never use a self-signed certificate for a front-facing, public service.
I’ll demonstrate how to generate this certificate on Ubuntu 16.04, but this process will work on just about any Linux distribution that uses Apache2. Note: These steps are designed to work only with the Debian/Ubuntu Apache2 packaging (a2enmod, sites-available/sites-enabled) and will not work with the Apache httpd packaging shipped with distributions such as CentOS. This is done strictly through the command line.
The commands to generate the certificate
First, you generate a private key with the following command:
openssl genrsa -des3 -out server.key 1024
You’ll be asked to enter a password for the key and verify the password (ensure the password is strong and do not forget it). Now, generate the Certificate Signing Request with the command:
openssl req -new -key server.key -out server.csr
At this point, you’ll be asked a number of self-explanatory questions (Country, State, City, etc.).
The key we generated has a password that has to be removed. If you do not remove this password, Apache will not be able to start without prompting for said password to be entered. If you are 100% certain you will always be there to enter the password (when either the server or Apache is restarted), and you’d rather keep the additional security, you can skip this step. Understand, however, if the server or Apache does restart and you (or someone on your staff) isn’t there to enter the password when prompted, Apache will not be able to start and the service will remain unavailable.
To remove the password, issue the following two commands:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Now it’s time to generate the certificate. Use the command:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The above command will generate a certificate that is valid for 365 days. You’ll have to remember to generate a new certificate in one year.
When running the above command, you may wind up receiving an error that says:
unable to write 'random state'
To fix this, check whether there is a .rnd file in the working directory; if so, it is probably owned by root. Rename that file with the command sudo mv .rnd rnd, then rerun the command to generate the certificate and it will work.
The final step is to move the necessary files. The following commands will do the trick:
sudo mkdir /etc/apache2/ssl
sudo cp server.crt /etc/apache2/ssl/server.crt
sudo cp server.key /etc/apache2/ssl/server.key
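The key, CSR, password-removal and x509 steps above can be collapsed into a single script. The following is an added example, not code from the original article: it assumes openssl is on the PATH and a POSIX shell, uses a 2048-bit key with SHA-256 instead of the 1024-bit key shown above (1024-bit RSA is no longer considered adequate), writes the key unencrypted so Apache can restart unattended, adds a subjectAltName (which browsers require to match the host name), keeps the private key owner-readable only, and includes the checks a practitioner wants before restarting Apache. The host name, organisation and paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: the key, CSR,
# password-removal and x509 steps collapsed into one function.
# Assumptions: openssl on PATH, POSIX sh; 2048-bit RSA and SHA-256 are
# used here rather than the article's 1024-bit key, because 1024-bit RSA
# is no longer considered adequate. Host names and paths are placeholders.
set -eu

# Build the subject string from its parts, e.g.
#   build_subject US Kentucky Louisville "Example Inc" www.example.internal
build_subject() {
    printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s' "$1" "$2" "$3" "$4" "$5"
}

# Minimal request config adding a subjectAltName: browsers match the host
# against the SAN, not the CN, so a certificate without one is rejected.
write_req_config() {
    cat > "$2" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_req]
subjectAltName = DNS:$1
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Key and self-signed certificate in one step. -nodes writes the key
# unencrypted, which is what the article's "remove the password" step
# achieves: Apache can restart unattended. RANDFILE keeps OpenSSL's
# random-state file in the scratch directory, so a root-owned ~/.rnd
# cannot trigger the "unable to write 'random state'" message.
generate_self_signed() {
    host=$1; dir=$2; days=${3:-365}
    mkdir -p "$dir"
    write_req_config "$host" "$dir/req.cnf"
    RANDFILE="$dir/.rnd" openssl req -x509 -nodes -newkey rsa:2048 -sha256 \
        -days "$days" \
        -subj "$(build_subject US Kentucky Louisville 'Example Inc' "$host")" \
        -config "$dir/req.cnf" -extensions v3_req \
        -keyout "$dir/server.key" -out "$dir/server.crt"
    chmod 600 "$dir/server.key"   # private key readable by its owner only
}

# Print the DNS names in the certificate's subjectAltName.
cert_sans() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*'
}

# Succeeds (exit 0) when the certificate expires within $2 seconds
# (default 30 days): a cron-friendly reminder for the one-year renewal.
cert_expires_soon() {
    ! openssl x509 -noout -checkend "${2:-2592000}" -in "$1" >/dev/null
}

# Succeeds when the private key really belongs to the certificate; run it
# before restarting Apache so a mismatched copy cannot take the site down.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2")" ]
}

# Copy into the directory the article uses (needs root); the key is
# installed without group/other read permission.
install_for_apache() {
    sudo mkdir -p /etc/apache2/ssl
    sudo install -m 644 "$1/server.crt" /etc/apache2/ssl/server.crt
    sudo install -m 600 "$1/server.key" /etc/apache2/ssl/server.key
}

# Demo run into a scratch directory; skipped if openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    DEMO_DIR=$(mktemp -d)
    generate_self_signed intranet.example.internal "$DEMO_DIR" 365
    echo "subject: $(openssl x509 -noout -subject -in "$DEMO_DIR/server.crt")"
    echo "SAN:     $(cert_sans "$DEMO_DIR/server.crt")"
    if key_matches_cert "$DEMO_DIR/server.crt" "$DEMO_DIR/server.key"; then
        echo "key matches certificate"
    else
        echo "key does NOT match certificate"
    fi
fi
```

Run the demo, then call install_for_apache with the scratch directory once key_matches_cert succeeds; cert_expires_soon can be wired into a cron job so the 365-day expiry does not arrive unannounced.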
Configure Apache2 to use the certificates
You must ensure that Apache2 is using mod_ssl.so. To do this, issue the command:
sudo a2enmod ssl
You will be asked to restart Apache. Issue the command sudo service apache2 restart.
Now we must create a symbolic link for the default-ssl file with this command (which is one line):
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
The next step is to edit the 000-default-ssl.conf file we just created. Open the file with the command sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf. Look for the following lines:
And change them to:
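The two directives that need changing are SSLCertificateFile and SSLCertificateKeyFile, which in Ubuntu's stock default-ssl.conf point at the placeholder "snakeoil" certificate. The following is an added example, not code from the original article: it rewrites those two lines to the paths used above and leaves everything else untouched. The configuration fragment is constructed from Ubuntu's stock file and abridged; the exact lines in your copy may differ.

```shell
#!/bin/sh
# Added example, not code from the original article: point the SSL
# virtual host's two certificate directives at the files copied into
# /etc/apache2/ssl. The default-ssl.conf fragment is constructed from
# Ubuntu's stock file, which ships pointing at the "snakeoil" placeholder
# certificate; the exact lines in your copy may differ.
set -eu

# Rewrite SSLCertificateFile / SSLCertificateKeyFile in $1 to $2 / $3 and
# print the result; every other line (indentation included) is untouched.
point_vhost_at() {
    sed -e "s|^\([[:space:]]*SSLCertificateFile\)[[:space:]].*|\1 $2|" \
        -e "s|^\([[:space:]]*SSLCertificateKeyFile\)[[:space:]].*|\1 $3|" \
        "$1"
}

# Print the value of directive $1 from config file $2 (first match only).
directive_value() {
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Constructed stand-in for /etc/apache2/sites-enabled/000-default-ssl.conf
WORK=$(mktemp -d)
cat > "$WORK/default-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
    </VirtualHost>
</IfModule>
EOF

point_vhost_at "$WORK/default-ssl.conf" \
    /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.key \
    > "$WORK/edited.conf"

echo "before: $(directive_value SSLCertificateFile "$WORK/default-ssl.conf")"
echo "after:  $(directive_value SSLCertificateFile "$WORK/edited.conf")"
```

On a real server, write the output back over the file in sites-enabled (sudo a2ensite default-ssl does the same job as the symlink created above) and run sudo apachectl configtest before restarting, so a typo in the paths is caught before Apache refuses to start.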
Restart Apache, and you’re ready to test whether the certificate is in use. To do this, open a browser and point it to https://localhost (or the domain/IP of your server). You should immediately be greeted by a "Connection is not secure" warning; this happens because your browser detects that Apache is using a self-signed certificate. It is okay to add an exception in your browser so the certificate will be accepted.
Congratulations! You’ve just added a self-signed certificate for Apache2. Remember that in one year that certificate will no longer be valid, so you’ll have to walk through this again.