Enable SSL on Apache2 (Self-Signed)

Quick guide to getting a self-signed certificate configured for Apache on Ubuntu 16.04.

All credits go to Justin Ellingwood. There is a link to his article at the bottom of this page. This is just a quick summary of what needs to be done to get SSL working, based on his article.

I do not recommend using self-signed certificates in production, as they do not provide any security whatsoever! Deploy a certificate signed by your internal 2-Tier PKI infrastructure. If you do not have an internal PKI infrastructure, you need to get one!

Why do I provide a guide to getting a self-signed certificate then? Good question. It would be better to provide a guide to getting a signed certificate, but there are many types of PKI infrastructure, and nothing about certificates is easy. The commands and procedures you need to perform to create your certificate request, and the config files you need to alter, are more or less the same, and the rest you can easily google your way to.

The purpose of this blog post is not to help you with certificates, but to help you get started with automation, and this is a necessary piece of the puzzle.

First you need to generate a private key and a certificate to go with it. (Your private key is private: protect it, and never send it to anyone.)

# Commands:

# Generate key and certificate
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

# Improve your encryption by creating a strong DH Group, and enable Perfect Forward Secrecy
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Fill in your relevant data for the certificate. Common Name is important and should be the server's FQDN.

Create the file /etc/apache2/conf-available/ssl-params.conf to enable SSL and tighten security.

#/etc/apache2/conf-available/ssl-params.conf

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Now edit your default SSL site configuration file, /etc/apache2/sites-available/default-ssl.conf.

Change this: (/etc/apache2/sites-available/default-ssl.conf)

SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile  /etc/ssl/private/ssl-cert-snakeoil.key

To This: (/etc/apache2/sites-available/default-ssl.conf)

SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile  /etc/ssl/private/apache-selfsigned.key

And for compatibility with old versions of Internet Explorer, uncomment this:

BrowserMatch "MSIE [2-6]" \
			nokeepalive ssl-unclean-shutdown \
			downgrade-1.0 force-response-1.0

Add the Redirect line to your default site to redirect HTTP to HTTPS. Replace FQDN with the FQDN of your server.

#/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
...
Redirect permanent "/" "https://FQDN/"
...
</VirtualHost>

Enable the modules, the SSL site and the config snippet, test the configuration, and restart Apache.

# Commands:

a2enmod ssl
a2enmod headers
a2ensite default-ssl
a2enconf ssl-params
apache2ctl configtest
service apache2 restart

And you should be done.
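As an added example (not part of the original post), here is a small POSIX shell script that wraps the key/certificate generation step above, adds a subjectAltName for the FQDN (current browsers ignore the Common Name alone) and verifies that the key and certificate belong together before you point default-ssl.conf at them. The function names, the temporary request config and the file paths are assumptions; only openssl is required.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a self-signed server
# certificate with CN and subjectAltName set to the FQDN, and checks that the
# private key actually matches the certificate (a common cause of Apache
# refusing to start after swapping the snakeoil files).

# gen_selfsigned FQDN KEYFILE CRTFILE [DAYS]
gen_selfsigned() {
    fqdn="$1"; key="$2"; crt="$3"; days="${4:-3650}"
    cfg=$(mktemp) || return 1
    # Request config with SAN; works on OpenSSL 1.0.x (no -addext there).
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_srv
prompt = no
[dn]
CN = $fqdn
[v3_srv]
subjectAltName = DNS:$fqdn
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$key" -out "$crt" -config "$cfg" >/dev/null 2>&1
    rc=$?
    rm -f "$cfg"
    # The key is only readable by root, like /etc/ssl/private.
    [ "$rc" -eq 0 ] && chmod 600 "$key"
    return "$rc"
}

# key_matches_cert KEYFILE CRTFILE: succeeds when both carry the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san CRTFILE FQDN: succeeds when the SAN extension lists the FQDN
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}
```

Run it as, for example, `gen_selfsigned www.example.test /etc/ssl/private/apache-selfsigned.key /etc/ssl/certs/apache-selfsigned.crt && key_matches_cert ...` before the a2ensite step.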

If you want to know more about how to set this up, or something is not right, this is a good place to start: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
