How to Create and Install Self Signed Certificate in Apache

This how-to guide walks you step by step through creating and installing a self-signed certificate in Apache on Linux systems.

sudo apt-get install openssl          # Debian based systems
sudo yum install mod_ssl openssl      # Redhat / CentOS systems
sudo dnf install mod_ssl openssl      # Fedora 22+ systems

Step 2 – Create Self Signed Certificate (please change to your domain name 🙂)
Now create the SSL certificate. Change the name “apache” to your site name if you plan on multiple sites. OpenSSL will ask you for some info about your organization. You can leave most of this blank, but the one important thing you’ll need to fill out is the “Common Name,” which you’ll want to set to your server’s IP address or domain name.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache.key -out /etc/ssl/certs/apache.crt

Output:

Generating a RSA private key
.............................+++++
......+++++
writing new private key to 'apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:TX
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Apache
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:apache.com
Email Address []:user@localhost

We’ll also want to generate a Diffie-Hellman group. This is used for perfect forward secrecy, which generates ephemeral session keys to ensure that past communications cannot be decrypted if the session key is compromised.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Step 3 – Configure Apache to Use Your Self-Signed Certificate
Edit the Apache SSL configuration and update it with the following directives.

Add a snippet file.

sudo touch /etc/apache2/conf-available/ssl-params.conf

Add the following:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Apache VirtualHost Configuration

<VirtualHost *:80>
    ServerName ipgw.io
    ServerAlias www.ipgw.io
    ServerAdmin webmaster@ipgw.io
    DocumentRoot /var/www/ipgw

    <Directory /var/www/ipgw>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/ipgw.io-error.log
    CustomLog ${APACHE_LOG_DIR}/ipgw.io-access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin rogerp@local
    ServerName www.ipgw.io
    ServerAlias ipgw.io
    DocumentRoot /var/www/ipgw
    SSLEngine on
    # Paths match the certificate and key created in Step 2
    SSLCertificateFile /etc/ssl/certs/apache.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key
</VirtualHost>

Step 4 – Test config, Enable SSL and Restart Apache

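sudo a2enmod ssl
sudo a2enmod headers                 # needed for the Header directives in ssl-params.conf
sudo a2enconf ssl-params             # enable the snippet file from Step 3
sudo apachectl configtest
sudo systemctl restart apache2       # Debian based systems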
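
The script below is an added example, not part of the original guide. It checks the Step 2 files before Apache loads them: that the key belongs to the certificate, that the certificate is not about to expire, and that the key file is readable only by its owner. The function names are hypothetical helpers, and the sample pair is constructed in a scratch directory.

```shell
#!/bin/sh
# Added example: pre-restart checks on the certificate and key from Step 2.
# Helper names are hypothetical; only standard openssl subcommands are used.

# Succeeds only when the certificate's public key equals the one derived
# from the private key. Unreadable or missing files return 2, never "match".
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds when group and other have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs every check, reports each result, returns non-zero if any failed.
preflight() {
    rc=0
    pair_matches "$1" "$2" && echo "ok   key matches certificate" || { echo "FAIL key/certificate mismatch"; rc=1; }
    valid_for_days "$1" 30 && echo "ok   valid for 30+ days" || { echo "FAIL expires within 30 days"; rc=1; }
    key_is_private "$2" && echo "ok   key is owner-only" || { echo "FAIL key accessible beyond owner"; rc=1; }
    return "$rc"
}

# Constructed sample input: the Step 2 command, made non-interactive with
# -subj and written to a scratch directory instead of /etc/ssl.
make_sample_pair() {
    openssl req -x509 -nodes -days "${2:-365}" -newkey rsa:2048 \
        -subj "/CN=apache.example" \
        -keyout "$1/apache.key" -out "$1/apache.crt" >/dev/null 2>&1
}

# Usage: sudo sh preflight.sh /etc/ssl/certs/apache.crt /etc/ssl/private/apache.key
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

The file name `preflight.sh` in the usage comment is an assumption; run the script before `apachectl configtest` and fix any FAIL line first.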

Step 5 – Test Website with HTTPS
Finally, open your site in your favorite web browser using https.

https://www.example.com
As we are using a self-signed certificate, you will get a warning message in your browser. You can simply ignore this message.
