How to configure self-signed SSL/TLS certificates in Apache

The TLS protocol provides secure encryption for data transmitted over networks, replacing the older SSL standard. Encrypting communication on a web server is vital for protecting sensitive information, and Apache is a widely used platform that supports secure connections through TLS. Employing up-to-date methods for encryption helps defend against eavesdropping and unauthorized data access.

In controlled environments such as internal development or testing, a self-signed certificate can be a practical alternative to certificates issued by a Certificate Authority. This approach ensures encryption without external verification, though most browsers will display warnings because these certificates are not inherently trusted. Despite the warnings, a properly configured self-signed certificate still provides an encrypted channel suitable for environments where full CA validation is unnecessary.

Self-signed certificates are convenient for scenarios that require basic encryption yet do not involve public-facing services. They enable secure data transfer and reinforce good security practices within private networks. Although they lack widespread trust by default, these certificates can fulfill specific encryption needs where limited distribution and controlled usage are sufficient.

Steps to setup self-signed TLS certificate for Apache:

Open the terminal.
Create a directory to store your private key and certificate.
```
$ sudo mkdir -p /etc/apache2/ssl
```
Generate a private key and self-signed certificate with the OpenSSL command.
```
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
```
During the process, you'll be prompted to provide information for the certificate such as Country, State, and Common Name (domain name).

Enable mod_ssl.

$ sudo a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2

Open the VirtualHost configuration that you want to implement SSL using your preferred text editor.
```
$ sudo vi /etc/apache2/sites-available/example.com.conf
```

Find and update the SSL-related directives in the configuration file with the correct paths.

<VirtualHost *:443>
  ServerName example.com
 
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/apache.crt
  SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>

Enable the virtual host if you're using Ubuntu-based system and the site configuration is in the sites-available folder.
```
$ sudo a2ensite example.com
Enabling site example.com.
To activate the new configuration, you need to run:
  systemctl reload apache2
```
Make sure to backup any original configuration files before modifying them to avoid losing any previous settings. If everything is configured correctly, your site will be accessible via HTTPS using your self-signed certificate.

(Optional) Configure a redirect from HTTP to HTTPS to ensure that all traffic is encrypted.

<VirtualHost *:80>
  ServerName example.com
  Redirect permanent / https://example.com/
</VirtualHost>

Restart Apache to apply the changes.

$ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES
$ sudo systemctl restart httpd # CentOS and Red Hat

Access the site via HTTPS to verify it's working.

$ curl -kv https://example.com
*   Trying 127.0.0.1:443...
* Connected to example.com (127.0.0.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
##### snipped

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.