How to Create a Self Signed Certificate for Apache

This article explains how to generate a self signed certificate for Apache web server.

What is SSL and SSL certificates

SSL is an essential part of creating a secure site. SSL certificates allow you encrypt all the traffic sent to and from your web site to prevent others from viewing all of the traffic.

It uses public key cryptography to establish a secure connection. This means that anything encrypted with a public key (the SSL certificate) can only be decrypted with the private key (stored only on the server) and vice versa.

A self signed certificate is a certificate that is signed by the person creating it rather than a trusted certificate authority.

Free self signed certificates can enable the same level of encryption as a certificate signed by a trusted authority.

When to Use and Not Use a Self Signed Certificate

Visitors will see a warning in their browsers when connecting to an Apache site that uses a self signed certificate until it is permanently stored in their certificate store.

An SSL certificate is signed by a trusted third-party, it verifies the identity of the server so clients know they aren’t sending their information (encrypted or not) to the wrong person. A self signed certificate is a certificate that is signed by itself rather than a trusted third party

You will almost never want to use a self signed certificate on a public server that requires anonymous visitors to connect to your site because they could easily become a victim of a man-in-the-middle attack.

But there are several scenarios when to use a self signed certificate:

* use on a development server when you develop and test your applications.

* use in intranet when clients only have to go through a local intranet to get to the server.

! IMPORTANT ! Never use a self signed certificate on an e-commerce site or any site that transfers valuable personal information (credit cards, SSN, etc.). Use trusted SSL certificates instead.

Generate Apache Self Signed Certificate

1. Make sure OpenSSL is installed.

Try running “openssl” on the command line to see if OpenSSL is already installed. If it is not, you will need to download a package or compile it from sources.

Once you have OpenSSL installed, run this command to create an Apache self signed certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt

You will be prompted to enter your organizational information and a common name.

The common name should be the fully qualified domain name for the site you are securing (www.mydomain.com).

You can leave other fields blank.

After the command is finished running, it will create two files:mysitename.key, mysitename.crt.

Copy these files to some directory, for example, to /etc/ssl/crt/.

 

Configure Apache to use a Self Signed Certificate

Make sure mod_ssl is enabled:

sudo a2enmod ssl

Now we need to configure Apache virtual hosts to use the SSL certificate generated on the previous step.

Edit Apache configuration file (on Ubuntu server: /etc/httpd/httpd.conf).

Make a copy of the existing non-secure virtual host, paste it below, and change the port from port 80 to 443:

 

<VirtualHost *:443>
  DocumentRoot /var/www/mysite
  ServerName www.mydomain.com
 
  SSLEngine on
  SSLCertificateFile /etc/ssl/crt/mysitename.crt
  SSLCertificateKeyFile /etc/ssl/crt/mysitename.key
  SSLCertificateChainFile /etc/ssl/crt/mysitename.crt
</VirtualHost>

Change the names of the files and paths to match your certificate files.

Restart Apache:

sudo service apache2 restart

 

Open your web site in browser by typing https://mydomain.com.

You may see warning like “The site’s security certificate is not trusted! “. Just continue to use this certificate.