How to generate self signed certificates for Apache2

In this tutorial we will create and use a self signed certificate in Apache2.
A self signed certificate as the name suggests is emitted and signed by the same entity. Technically we will sign the certificate with our own private key.

Self signed certificates should be used only internally, as you see in the image below, browsers will flag the website as not secure, because the certificate is not signed by a trusted authority.

This tutorial was tested on Debian 9.6, root privileges are required.

1. Create cert in the apache2 configuration directory

mkdir /etc/apache2/cert

2. Create the private key and sign the certificate, valid for 365 days.
You will be asked to enter information that will be incorporated into your certificate.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/cert/default-self.key -out /etc/apache2/cert/default-self.crt

3. Enable the ssl module for Apache2

a2enmod ssl

4. Edit /etc/apache2/sites-enabled/default-ssl.conf with the following configuration, in my example I use 192.168.255.1 as ServerAlias.

NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot /var/www/html/
<Directory /var/www/html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
</Directory>
ServerName 192.168.255.1
ServerAlias 192.168.255.1
ErrorLog ${APACHE_LOG_DIR}/error_ssl.log
CustomLog ${APACHE_LOG_DIR}/access_ssl.log combined
SSLEngine on
SSLCertificateKeyFile /etc/apache2/cert/default-self.key
SSLCertificateFile /etc/apache2/cert/default-self.crt
</VirtualHost>

4. Enable default-ssl site

a2ensite default-ssl

5. Reload Apache2

systemctl reload apache2

6. Check the certificate

echo | openssl s_client -servername 192.168.255.1 -connect 192.168.255.1:443 2> /dev/null | openssl x509 -text

Leave a Reply

Your email address will not be published. Required fields are marked *