Ubuntu 14.04 – SSL Certificate on Apache2

TLS, or Transport Layer Security, and its predecessor SSL, Secure Sockets Layer, are protocols created to place ordinary traffic in a protected, encrypted wrapper.

These protocols allow traffic to be sent safely between remote parties without it being intercepted and read by someone in the middle. They are also instrumental in validating the identity of domains and servers across the internet: a certificate authority vouches that a server is trusted and genuine.

Create a self-signed SSL certificate for Apache on an Ubuntu 14.04 server

Activate the SSL Module

SSL support actually comes standard in the Ubuntu 14.04 Apache package.

Enable the module by typing:

sudo a2enmod ssl

After you have enabled SSL, restart the web server:

sudo service apache2 restart

Create a Self-Signed SSL Certificate

Create a subdirectory to place the certificate files:

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is the public key infrastructure standard that SSL adheres to for its key and certificate management. Since we want to create a new X.509 certificate, this is the subcommand we need.
-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
-days 365: This specifies that the certificate we are creating will be valid for one year.
-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn’t create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
-keyout: This parameter names the output file for the private key file that is being created.
-out: This option names the output file for the certificate that we are generating.

You will be asked a number of questions:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com

The most important item that is requested is the line Common Name (e.g. server FQDN or YOUR name). Enter the domain name you want to associate with the certificate, or the server’s public IP address if you do not have a domain name.

The key and certificate will be created and placed in your /etc/apache2/ssl directory.
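The steps above can be scripted so that no interactive prompts appear, and the resulting pair can be checked before Apache is pointed at it. The following is an added example, not part of the original tutorial: it runs the same openssl command with the subject supplied via -subj, then confirms that the Common Name is what you expect, that the private key really belongs to the certificate (a mismatched pair is the usual reason Apache refuses to start after a certificate swap), and how long the certificate remains valid. The directory, common name and validity are arguments rather than the tutorial's fixed values (/etc/apache2/ssl, your_domain.com, 365), and the OpenSSL command line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create the self-signed
# key/certificate pair without interactive prompts and sanity-check it.
# Assumptions: OpenSSL CLI present; DIR, CN and DAYS are passed as arguments.
# Tutorial equivalent: sudo sh make_selfsigned.sh /etc/apache2/ssl your_domain.com 365
set -eu

# gen_selfsigned DIR CN DAYS
# Same openssl invocation as the tutorial; -subj supplies the answers the
# interactive prompts would otherwise ask for. The subshell umask keeps the
# private key readable by its owner only (root, when run under sudo).
gen_selfsigned() {
    mkdir -p "$1"
    ( umask 077 && openssl req -x509 -nodes -days "$3" -newkey rsa:2048 \
        -keyout "$1/apache.key" -out "$1/apache.crt" \
        -subj "/C=US/ST=New York/L=New York City/O=Your Company/CN=$2" \
        >/dev/null 2>&1 )
}

# cert_cn CRT -> prints the Common Name. It must equal the ServerName Apache
# serves, otherwise every client sees a name mismatch on top of the
# self-signed warning.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEY CRT -> exit 0 if the certificate carries the public
# half of KEY (compares the two SubjectPublicKeyInfo blocks).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# cert_valid_for_days CRT N -> exit 0 if the certificate is still valid N days
# from now; useful in a cron job that warns before the 365 days run out.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Usage: sh make_selfsigned.sh DIR CN [DAYS]
if [ $# -ge 2 ]; then
    gen_selfsigned "$1" "$2" "${3:-365}"
    echo "CN: $(cert_cn "$1/apache.crt")"
    key_matches_cert "$1/apache.key" "$1/apache.crt" && echo "key and certificate match"
    cert_valid_for_days "$1/apache.crt" 30 && echo "valid for at least 30 more days"
fi
```

Run it with sudo when the target directory is /etc/apache2/ssl; the key is written with mode 600 so only root can read it, which is all Apache needs since it loads the key before dropping privileges.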

Configure Apache to Use SSL

Now that we have our certificate and key available, we can configure Apache to use these files in a virtual host file.

Base this configuration on the default-ssl.conf file that contains some default SSL configuration.

sudo nano /etc/apache2/sites-available/default-ssl.conf

With the comments removed, the file looks something like this:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

Fill in the virtual host details (ServerAdmin, ServerName, ServerAlias, DocumentRoot, etc.) and change SSLCertificateFile and SSLCertificateKeyFile so that Apache2 looks for the certificate and key created above.

The modified file:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin admin@iasptk.com
        ServerName iasptk.com
        ServerAlias www.iasptk.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

Save and exit.

Activate the SSL Virtual Host

sudo a2ensite default-ssl.conf

Restart Apache2:

sudo service apache2 restart

This should enable the new virtual host, which will serve encrypted content using the SSL certificate created.

Test the https:// protocol in a browser

https://server_domain_name_or_IP

You will get a warning that your browser cannot verify the identity of your server because it has not been signed by one of the certificate authorities that it trusts.

This is because the certificate is self-signed. Since the warning is expected, choose the "Proceed anyway" or similar option in your browser.
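With a self-signed certificate, the browser warning is expected, but "expected" is not the same as "verified": the only way to tell the legitimate warning from one caused by something else terminating TLS in front of the server is to compare the certificate fingerprint the browser displays with the fingerprint of the file actually installed. The following is an added example, not part of the original tutorial: it computes the SHA-256 fingerprint of the installed certificate, fetches the fingerprint a live server presents, and compares the two after normalising the formats browsers use (upper or lower case, with or without colons). The host, port and certificate path are arguments (the tutorial's file is /etc/apache2/ssl/apache.crt), and the OpenSSL command line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify a self-signed
# certificate by fingerprint instead of trusting the browser warning blindly.
# Assumptions: OpenSSL CLI present; HOST, certificate path and PORT are
# arguments (tutorial path: /etc/apache2/ssl/apache.crt).
set -eu

# cert_fingerprint CRT -> SHA-256 fingerprint of the certificate file,
# e.g. "AB:CD:...". Run on the server; this is the value that should appear
# in the browser's certificate details.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# server_fingerprint HOST [PORT] -> fingerprint of the certificate a live
# server presents, fetched over the network the same way a browser sees it.
server_fingerprint() {
    port=${2:-443}
    openssl s_client -connect "$1:$port" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# normalize_fp FP -> lowercase hex without separators, so values copied from
# different browsers can be compared reliably.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# fingerprints_match FP1 FP2 -> exit 0 when both denote the same certificate.
fingerprints_match() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Usage: sh check_fingerprint.sh HOST /path/to/apache.crt [PORT]
if [ $# -ge 2 ]; then
    local_fp=$(cert_fingerprint "$2")
    remote_fp=$(server_fingerprint "$1" "${3:-443}")
    echo "installed : $local_fp"
    echo "presented : $remote_fp"
    if fingerprints_match "$local_fp" "$remote_fp"; then
        echo "OK: the server presents the certificate you installed"
    else
        echo "MISMATCH: do not proceed; the presented certificate is not yours" >&2
        exit 1
    fi
fi
```

Once the fingerprints agree, the same certificate file can be handed to tools such as curl with --cacert so that scripted clients verify the server explicitly rather than disabling verification.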

Your traffic is now encrypted!
