Quick guide to getting a self signed certificate configured for Apache on Ubuntu 16.04.
All credits go to Justin Ellingwood. There is a link to his article at the bottom of this page. This is just a quick summery of what needs to be done to get SSL working, based on his article.
I do not recommend using self-signed certificates in production, as it does not provide any security what so ever! Deploy a signed certificate from your internal 2-Tier PKI infrastructure. If you do not have an internal PKI infrastructure, your need to get one!
Why do I provide a guide to getting a self-signed certificate then? Well good question. It would be better to provide a guide to getting a signed certificate, but there are many types of PKI infrastructure, and nothing about certificates are easy. The commands and procedures you need to perform to create your certificate request, and the config files you need to alter are more or less the same, and the rest you can easily google you way to.
The purpose of these blog post is not to help you with certificates, but to help you get started with automation, and this is a necessary piece of the puzzle.
First you need to generate a private key, and a certificate to go with it. (Your private key is personal, and should be protected, and not sent to anyone)
# Commands: # Generate key and certificate openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt # Improve your encryption by creating a strong DH Group, and enable Perfect Forward Secrecy openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Fill in your relevant data for the certificate. Common Name is important and should be the servers FQDN.
create the file: /etc/apache2/conf-available/ssl-params.conf to enable SSL, and tighten security.
#/etc/apache2/conf-available/ssl-params.conf SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On # Disable preloading HSTS for now. You can use the commented out header line that includes # the "preload" directive if you understand the implications. #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff # Requires Apache >= 2.4 SSLCompression off SSLSessionTickets Off SSLUseStapling on SSLStaplingCache "shmcb:logs/stapling-cache(150000)" SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Now edit you default ssl site configurations file /etc/apache2/sites-available/default-ssl.conf
Change this: (/etc/apache2/sites-available/default-ssl.conf)
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
To This: (/etc/apache2/sites-available/default-ssl.conf)
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
And for compatibility, uncomment this:
BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0
Add the Redirect line to your default site to redirect to SSL. Replace FQDN with the FQDN of your server
#/etc/apache2/sites-available/000-default.conf <VirtualHost> ... Redirect permanent "/" "https://FQDN/" ... </VirtualHost>
Enable Modules, and sites.
# Commands: a2enmod ssl a2enmod headers a2ensite default-ssl a2enconf ssl-params apache2ctl configtest service apache2 restart
And you should be done.
If you want to know more in detail about how to set this up, or something is not right, this is a good place to start: Ref: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04