Sometimes you don’t need a commercial SSL certificate for your website. Maybe you run a home server, or perhaps want some added security for your small business intranet. A self-signed SSL certificate is perfect for low traffic or non-mission-critical services. It’s free, easy, and can be used just like a commercial SSL cert. Use the instructions below to generate your own SSL certificate for an Ubuntu server.
- Create a self-signed certificate:
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
- Copy the server.crt and server.key files into position:
cp server.key /etc/apache2/ssl
cp server.crt /etc/apache2/ssl
- Enable ssl:
a2enmod ssl
- Create a stub SSL conf. file (if needed) and establish a necessary symlink:
NOTE: Ubuntu 10.04 already ships with a stub SSL conf file (/etc/apache2/sites-available/default-ssl), so you won’t need to copy the ‘default’ conf as a stub for the ‘default-ssl’ conf — but you will STILL need a symlink between it and the sites-enabled directory.
So if using an Ubuntu prior to ~10.04:
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-ssl
For all versions of Ubuntu:
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
- Set up all the document roots:
cd /var/www
mkdir html
cd /var
mkdir www-ssl
cd www-ssl
mkdir html
- Configure virtual hosts:
sudo su
cd /etc/apache2/sites-available
cp /etc/apache2/sites-available/default default_original
(Note: If using Ubuntu 10.04+ you may want to back up the original SSL conf also):
cp /etc/apache2/sites-available/default-ssl default-ssl_original
To configure HTTP over port 80 (edit /etc/apache2/sites-available/default):
NameVirtualHost *:80
(Note: Look down just a bit and make a change to the virtual host settings.)
<VirtualHost *:80>
ServerName localhost
DocumentRoot /var/www/html/
(Note: Use your assigned IP or DNS name followed with “:80” if you have one for ServerName.)
Similar procedure for HTTPS over port 443 (edit /etc/apache2/sites-available/default-ssl):
NameVirtualHost *:443
(Note: Look down just a bit and make a change to the virtual host settings.)
<VirtualHost *:443>
ServerName localhost
DocumentRoot /var/www-ssl/html/
(Note: Again, use your assigned IP or a DNS name followed with “:443” if you have one for ServerName.)
- Instruct Apache to listen to 443:
Go to this file /etc/apache2/ports.conf and add the following to it:
Listen 443
- Turn on the SSL engine:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
- Restart Apache:
/etc/init.d/apache2 restart
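Because the `openssl rsa` step above leaves server.key without a passphrase, it is worth checking the pair before restarting Apache. The script below is an added example, not part of the original instructions: it confirms that the certificate belongs to the key, that the key file is not readable by group or other, and that the certificate is not about to expire. The function names and the temporary demo pair (2048-bit, subject CN=localhost) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-restart checks for a self-signed cert/key pair.
# Function names and temp paths are illustrative, not from the original page.

# Build a throwaway pair with the same three openssl steps as the guide
# (2048-bit, no passphrase, fixed subject so it runs non-interactively).
make_pair() {  # $1 = output directory
    mkdir -p "$1" &&
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/CN=localhost" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    chmod 600 "$1/server.key"
}

# True when the certificate's public key is the one derived from the key file.
cert_matches_key() {  # $1 = cert, $2 = key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the key file grants nothing to group or other (e.g. mode 600).
key_perms_ok() {  # $1 = key
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the certificate is still valid $2 days from now.
cert_valid_for_days() {  # $1 = cert, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all three checks and report; non-zero exit means do not restart yet.
check_pair() {  # $1 = cert, $2 = key
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: cert and key do not match"; rc=1; }
    key_perms_ok "$2" || { echo "FAIL: key readable by group/other"; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: cert expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Demo on a constructed pair in a temp directory.
demo=$(mktemp -d)
make_pair "$demo" && check_pair "$demo/server.crt" "$demo/server.key"
rm -rf "$demo"
```

On the server itself, call `check_pair /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.key` as root after copying the files into place.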