TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols used to secure communication between web servers and clients. While SSL is outdated, TLS is the current standard for encrypted data transfer. Configuring these protocols on an Apache server is essential to protect sensitive information.

In certain cases, such as internal testing or development environments, using a self-signed certificate may be more practical than acquiring one from a Certificate Authority. A self-signed certificate enables encryption without the need for external verification. However, such certificates may trigger browser warnings as they are not inherently trusted.

Despite this limitation, self-signed certificates are useful in situations where security is needed but full CA validation is unnecessary. Proper configuration in Apache ensures that encrypted communication is established, even if the certificate's trust level is limited to specific environments.

Steps to set up a self-signed TLS certificate for Apache:

  1. Open the terminal.
  2. Create a directory to store your private key and certificate.
    $ sudo mkdir -p /etc/apache2/ssl
  3. Generate a private key and self-signed certificate with the OpenSSL command.
    $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

    During the process, you'll be prompted to provide information for the certificate such as Country, State, and Common Name (domain name).

  4. Enable mod_ssl.
    $ sudo a2enmod ssl
    Considering dependency setenvif for ssl:
    Module setenvif already enabled
    Considering dependency mime for ssl:
    Module mime already enabled
    Considering dependency socache_shmcb for ssl:
    Enabling module socache_shmcb.
    Enabling module ssl.
    See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
    To activate the new configuration, you need to run:
      systemctl restart apache2
  5. Open the VirtualHost configuration in which you want to enable SSL, using your preferred text editor.
    $ sudo vi /etc/apache2/sites-available/example.com.conf
  6. Find and update the SSL-related directives in the configuration file with the correct paths.
    <VirtualHost *:443>
      ServerName example.com
     
      SSLEngine on
      SSLCertificateFile /etc/apache2/ssl/apache.crt
      SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    </VirtualHost>
  7. Enable the virtual host if you're using an Ubuntu-based system and the site configuration is in the sites-available folder.
    $ sudo a2ensite example.com
    Enabling site example.com.
    To activate the new configuration, you need to run:
      systemctl reload apache2

    Make sure to back up any original configuration files before modifying them so that no previous settings are lost. If everything is configured correctly, your site will be accessible via HTTPS using your self-signed certificate.

  8. (Optional) Configure a redirect from HTTP to HTTPS to ensure that all traffic is encrypted.
    <VirtualHost *:80>
      ServerName example.com
      Redirect permanent / https://example.com/
    </VirtualHost>
  9. Restart Apache to apply the changes.
    $ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES
    $ sudo systemctl restart httpd # CentOS and Red Hat
  10. Access the site via HTTPS to verify it's working.
    $ curl -kv https://example.com
    *   Trying 127.0.0.1:443...
    * Connected to example.com (127.0.0.1) port 443 (#0)
    * ALPN: offers h2,http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN: server accepted http/1.1
    * Server certificate:
    ##### snipped
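The following script is an added example, not part of the original article, that carries out steps 2, 3, 6 and 8 above non-interactively and checks the result before Apache is ever restarted. Two details matter in practice: the interactive `openssl req` command in step 3 produces a certificate without a subjectAltName, which current browsers refuse even after the certificate has been imported as trusted, so the script passes `-addext "subjectAltName=DNS:<host>"`; and the private key is created under `umask 077` so it is never world-readable. The host name `example.test`, the temporary directory and the function names are constructed for this example; point `gen_self_signed` at `/etc/apache2/ssl` (with sudo) to reproduce the article's layout.

```shell
#!/bin/sh
# Added example: non-interactive self-signed certificate for Apache, with a
# subjectAltName, restricted key permissions and sanity checks. Host name,
# directory and function names are constructed for this example.

# gen_self_signed DIR HOST
# Writes DIR/apache.key (mode 0600) and DIR/apache.crt (mode 0644).
# Returns 0 on success, 2 if openssl is not installed, 1 on any other failure.
gen_self_signed() {
    dir=$1
    host=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    mkdir -p "$dir" || return 1
    # umask 077 inside a subshell: the key file is private from the moment it exists.
    ( umask 077 && openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/apache.key" -out "$dir/apache.crt" >/dev/null 2>&1 ) || return 1
    # The certificate is public; relax it so Apache child processes can read it.
    chmod 0644 "$dir/apache.crt"
}

# cert_matches_host CRT HOST
# Returns 0 when the certificate's subjectAltName lists HOST (what browsers check).
cert_matches_host() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"
}

# key_matches_cert KEY CRT
# Returns 0 when the public key embedded in CRT belongs to KEY. A mismatched pair
# (e.g. a key from an earlier run) makes Apache refuse to start.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# write_vhost DIR HOST OUTFILE
# Renders the HTTP->HTTPS redirect (step 8) and the HTTPS vhost (step 6).
write_vhost() {
    cat > "$3" <<EOF
<VirtualHost *:80>
    ServerName $2
    Redirect permanent / https://$2/
</VirtualHost>

<VirtualHost *:443>
    ServerName $2
    SSLEngine on
    SSLCertificateFile $1/apache.crt
    SSLCertificateKeyFile $1/apache.key
</VirtualHost>
EOF
}

# demo: run the whole flow in a throwaway directory so nothing under /etc is touched.
demo() {
    d=$(mktemp -d)
    gen_self_signed "$d" example.test || { echo "certificate generation failed" >&2; return 1; }
    cert_matches_host "$d/apache.crt" example.test || { echo "SAN missing" >&2; return 1; }
    key_matches_cert "$d/apache.key" "$d/apache.crt" || { echo "key/cert mismatch" >&2; return 1; }
    write_vhost "$d" example.test "$d/example.test.conf"
    echo "generated in $d:"; ls -l "$d"
    cat "$d/example.test.conf"
}

# Run the demo only when asked for, e.g.:  DEMO=1 sh selfsigned.sh
if [ "${DEMO:-0}" = 1 ]; then
    demo
fi
```

Once the files are in place under `/etc/apache2/ssl`, `apachectl configtest` before the restart in step 9 catches a wrong path or a key/certificate mismatch without taking the site down. `-addext` and `x509 -ext` require OpenSSL 1.1.1 or newer.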