How To Create a Self-Signed SSL Certificate in Ubuntu 22.04
for Apache in Ubuntu 22.04 Published on April 25, 2022
By Erin Glass and Jamon Camisso

How To Create a Self-Signed SSL Certificate for Apache in Ubuntu 22.04


Introduction

TLS, or “transport layer security” — and its predecessor SSL — are
protocols used to wrap normal traffic in a protected, encrypted wrapper.
Using this technology, servers can safely send information to their clients
without their messages being intercepted or read by an outside party.

In this guide, you will create and use a self-signed TLS certificate with
the Apache web server on Ubuntu 22.04. You’ll use the openssl command
line
tool to create the certificate, and then you will configure Apache to use
it.

Note: 
A self-signed certificate will encrypt communication between your server
and
any clients. However, because it is not signed by any of the trusted
certificate authorities included with web browsers and operating systems,
users cannot use the certificate to validate the identity of your server
automatically. As a result, your users will see a security error when
visiting your site.

Because of this limitation, self-signed certificates are not appropriate
for
a production environment serving the public. They are typically used for
testing, or for securing non-critical services used by a single user or a
small group of users that can establish trust in the certificate’s
validity through alternate communication channels.

For a more production-ready certificate solution, check out Let’s
Encrypt,
a free certificate authority. You can learn how to download and configure a
Let’s Encrypt certificate in our How To Secure Apache with Let’s
Encrypt
on Ubuntu 22.04 tutorial.


Prerequisites


Before starting this tutorial, you’ll need the following:

Access to a Ubuntu 22.04 server with a non-root, sudo-enabled user. Our
Initial Server Setup with Ubuntu 22.04 guide can show you how to create
this
account.

You will also need to have Apache installed. You can install Apache using
apt. First, update the local package index to reflect the latest upstream
changes:

sudo apt update

Then, install the apache2 package:

sudo apt install apache2

And finally, if you have a ufw firewall set up, open up the http and https
ports:

sudo ufw allow "Apache Full"

After these steps are complete, be sure you are logged in as your non-root
user and continue with the tutorial.


Step 1 — Enabling mod_ssl


Before you can use any TLS certificates, you’ll need to first enable
mod_ssl, an Apache module that provides support for SSL encryption.

Enable mod_ssl with the a2enmod command:

sudo a2enmod ssl

Restart Apache to activate the module:

sudo systemctl restart apache2

The mod_ssl module is now enabled and ready for use.


Step 2 – Creating the TLS Certificate


Now that Apache is ready to use encryption, we can move on to generating a
new TLS certificate. The certificate will store some basic information
about
your site, and will be accompanied by a key file that allows the server to
securely handle encrypted data.

We can create the TLS key and certificate files with the openssl command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout 
/etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache
-selfsigned.crt

After you enter the command, you will be taken to a prompt where you can
enter information about your website. Before we go over that, let’s take
a
look at what is happening in the command we are issuing:


openssl: This is the command line tool for creating and managing OpenSSL
certificates, keys, and other files.

req -x509: This specifies that we want to use X.509 certificate signing
request (CSR) management. X.509 is a public key infrastructure standard
that
TLS adheres to for key and certificate management.
-nodes: This tells OpenSSL to skip the option to secure our certificate
with a passphrase. We need Apache to be able to read the file, without user
intervention, when the server starts up. A passphrase would prevent this
from happening, since we would have to enter it after every restart.
-days 365: This option sets the length of time that the certificate will
be considered valid. We set it for one year here. Many modern browsers will
reject any certificates that are valid for longer than one year.
-newkey rsa:2048: This specifies that we want to generate a new
certificate and a new key at the same time. We did not create the key that
is required to sign the certificate in a previous step, so we need to
create
it along with the certificate. The rsa:2048 portion tells it to make an RSA
key that is 2048 bits long.
-keyout
: This line tells OpenSSL where to place the generated private key file
that
we are creating.
-out: This tells OpenSSL where to place the certificate that we are
creating.


Fill out the prompts appropriately. The most important line is the one that
requests the Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Example
Locality Name (eg, city) [Default City]:Example 
Organization Name (eg, company) [Default Company Ltd]:Example Inc
Organizational Unit Name (eg, section) []:Example Dept
Common Name (eg, your name or your server's hostname) []:your_domain_or_ip
Email Address []:webmaster@example.com

Both of the files you created will be placed in the appropriate
subdirectories under /etc/ssl.

Next we will update our Apache configuration to use the new certificate and
key.


Step 3 – Configuring Apache to Use TLS


Now that we have our self-signed certificate and key available, we need to
update our Apache configuration to use them. On Ubuntu, you can place new
Apache configuration files (they must end in .conf) into /etc/apache2/sites
-available/and they will be loaded the next time the Apache process is
reloaded or restarted.

For this tutorial we will create a new minimal configuration file. (If you
already have an Apache  set up and just need to add TLS to it, 
you will likely need to copy over the configuration lines that start with
SSL, 
and switch the VirtualHost port from 80 to 443. We will take care of port
80
in
the next step.)

Open a new file in the /etc/apache2/sites-available directory:

    sudo nano /etc/apache2/sites-available/your_domain_or_ip.conf

Paste in the following minimal VirtualHost configuration:

/etc/apache2/sites-available/your_domain_or_ip.conf 

   ServerName your_domain_or_ip
   DocumentRoot /var/www/your_domain_or_ip

   SSLEngine on
   SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
   SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key


Be sure to update the ServerName line to however you intend to address your
server. This can be a hostname, full domain name, or an IP address. Make
sure whatever you choose matches the Common Name you chose when making the
certificate.

The remaining lines specify a DocumentRoot directory to serve files from,
and the TLS options needed to point Apache to our newly-created certificate
and key.

Now let’s create our DocumentRoot and put an HTML file in it just for
testing purposes:

    sudo mkdir /var/www/your_domain_or_ip

Open a new index.html file with your text editor:

    sudo nano /var/www/your_domain_or_ip/index.html

Paste the following into the blank file:
/var/www/your_domain_or_ip/index.html

it worked!

This is not a full HTML file, of course, but browsers are lenient and it
will be enough to verify our configuration.

Save and close the file Next, we need to enable the configuration file with
the a2ensite tool:

    sudo a2ensite your_domain_or_ip.conf

Next, let’s test for configuration errors:

    sudo apache2ctl configtest

If everything is successful, you will get a result that looks like this:

Output
AH00558: apache2: Could not reliably determine the server's fully qualified
domain name, using 127.0.1.1. Set the 'ServerName' directive globally to
suppress this message
Syntax OK

The first line is a message telling you that the ServerName directive is
not
set globally. If you want to get rid of that message, you can set
ServerName
to your server’s domain name or IP address in /etc/apache2/apache2.conf.
This is optional as the message will do no harm.

If your output has Syntax OK in it, your configuration file has no syntax
errors. We can safely reload Apache to implement our changes:

    sudo systemctl reload apache2

Now load your site in a browser, being sure to use https:// at the
beginning.

You should see an error. This is normal for a self-signed certificate! The
browser is warning you that it can’t verify the identity of the server,
because our certificate is not signed by any of its known certificate
authorities. For testing purposes and personal use this can be fine. You
should be able to click through to advanced or more information and choose
to proceed.

After you do so, your browser will load the it worked! message.

Note: if your browser doesn’t connect at all to the server, make sure
your
connection isn’t being blocked by a firewall. If you are using ufw, the
following commands will open ports 80 and 443:

     sudo ufw allow "Apache Full"

Next we will add another VirtualHost section to our configuration to serve
plain HTTP requests and redirect them to HTTPS.
Step 4 — Redirecting HTTP to HTTPS

Currently, our configuration will only respond to HTTPS requests on port
443. It is good practice to also respond on port 80, even if you want to
force all traffic to be encrypted. Let’s set up a VirtualHost to respond
to these unencrypted requests and redirect them to HTTPS.

Open the same Apache configuration file we started in previous steps:

    sudo nano /etc/apache2/sites-available/your_domain_or_ip.conf

At the bottom, create another VirtualHost block to match requests on port
80. Use the ServerName directive to again match your domain name or IP
address. Then, use Redirect to match any requests and send them to the TLS
VirtualHost. Make sure to include the trailing slash:
/etc/apache2/sites-available/your_domain_or_ip.conf


    ServerName your_domain_or_ip
    Redirect / https://your_domain_or_ip/


Save and close this file when you are finished, then test your
configuration
syntax again, and reload Apache:

    sudo apachectl configtest
    sudo systemctl reload apache2

You can test the new redirect functionality by visiting your site with
plain
http:// in front of the address. You should be redirected to https://
automatically.
Conclusion

You have now configured Apache to serve encrypted requests using a self
-signed TLS certificate, and to redirect unencrypted HTTP requests to
HTTPS.

If you are planning on using TLS for a public website, you should look into
purchasing a domain name and using a widely supported certificate authority
such as Let’s Encrypt.

For more information on using Let’s Encrypt with Apache, please read our
How To Secure Apache with Let’s Encrypt on Ubuntu 22.04 tutorial.