Create Self-Signed SSL Certificates in Ubuntu for Apache

You will need to be able to create self-signed SSL certificates in order to host a secure website. I needed this for setting up a few externally accessible Cacti and Nagios servers in the past. Most recently I’ve actually needed to revisit some old notes on how to do this for writing up the previous post on ownCloud.

You will need to have Apache installed so go ahead and install that first:
root@owncloud01:~# apt-get install apache2

Enable the SSL module
root@owncloud01:~# a2enmod ssl

You will have to restart Apache
root@owncloud01:~# /etc/init.d/apache2 restart

Let’s make somewhere to store the certificates
root@owncloud01:~# mkdir /etc/apache2/ssl

Now we make the actual certificates:
root@owncloud01:~# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/self-signed.key -out /etc/apache2/ssl/self-signed.crt

So what does that long line mean?
openssl: Just the basic command line tool that is provided by OpenSSL to create and manage certificates, keys, etc.
req: PKCS#10 X.509 Certificate Signing Request (CSR) Management.
-x509: This specifies that we want to create a certificate and not a certificate request.
-nodes: Do not encrypt the private key with a passphrase. With a passphrase-protected key, Apache would ask for the passphrase every time it starts, which causes problems for unattended restarts.
-days 365: The certificate that we are creating will be valid for 365 days.
-newkey rsa:2048: This option will create the certificate request and a new private key. We need this because we didn’t create a private key in advance. rsa:2048 lets OpenSSL know that it needs to generate an RSA key that is 2048 bits long.
-keyout: The file that the newly created private key is written to. (self-signed.key)
-out: This is the certificate that is created (self-signed.crt)

You will be prompted for a few details after hitting enter:

Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:Western Province
Locality Name (eg, city) []:Cape Town
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Windohs
Organizational Unit Name (eg, section) []:Everything Department
Common Name (e.g. server FQDN or YOUR name) []:windohs.co.za
Email Address []:lyle@windohs.co.za
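
The same certificate can be generated without the interactive prompts, which is useful when the step is scripted. The sketch below is an added example, not part of the original post; the function names are hypothetical, and it goes slightly beyond the command above by adding a subjectAltName entry (current browsers match the hostname against SAN rather than the Common Name). Because -nodes leaves the key unencrypted, it also restricts the key file to mode 600 and checks that key and certificate belong together.

```sh
# Added example (not from the original post); function names are hypothetical.
# make_self_signed DIR FQDN: writes DIR/self-signed.key and DIR/self-signed.crt
make_self_signed() {
    dir=$1; fqdn=$2
    mkdir -p "$dir" || return 1
    cnf=$(mktemp) || return 1
    # Answers to the interactive prompts; add C, ST, L, O, OU as needed.
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    # -nodes leaves the key unencrypted, so create it unreadable to other users.
    rc=0
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$cnf" \
          -keyout "$dir/self-signed.key" -out "$dir/self-signed.crt" 2>/dev/null ) || rc=$?
    rm -f "$cnf"
    # Also covers the case where the files already existed with looser modes.
    [ "$rc" -eq 0 ] && chmod 600 "$dir/self-signed.key" && chmod 644 "$dir/self-signed.crt"
}

# key_matches_cert KEY CRT: succeeds only if CRT carries the public half of KEY.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_has_san CRT FQDN: succeeds if the certificate lists DNS:FQDN exactly.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$2"
}

# key_mode KEY: prints the octal permission bits (GNU stat, as on Ubuntu).
key_mode() { stat -c %a "$1"; }

# On the server from this post: make_self_signed /etc/apache2/ssl windohs.co.za
```
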

In order to configure Apache to use SSL we need to edit the config. Below is the config that I used when creating the ownCloud server.

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerName owncloud01
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/owncloud
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/owncloud>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/self-signed.crt
        SSLCertificateKeyFile /etc/apache2/ssl/self-signed.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        <Directory /var/www/owncloud>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
                # add any possibly required additional directives here
                # e.g. the Satisfy directive (see below for details):
                Satisfy Any
        </Directory>
</VirtualHost>
</IfModule>

Enable the SSL-Enabled VHOST and restart Apache. In my case it would be:
root@owncloud01:~# a2ensite owncloud.conf
root@owncloud01:~# /etc/init.d/apache2 restart

Now you can test your site by browsing to the IP address or hostname over https, and you should get a warning about the site's security certificate not being trusted.
