How to Generate a Self-Signed SSL Certificate in Ubuntu

Sometimes you don’t need a commercial SSL certificate for your website. Maybe you run a home server, or perhaps want some added security for your small business intranet. A self-signed SSL certificate is perfect for low-traffic or non-mission-critical services. It’s free, easy, and can be used just like a commercial SSL cert. Use the instructions below to generate your own SSL certificate for an Ubuntu server.

  1. Create a self-signed certificate:
    openssl genrsa -des3 -out server.key 4096
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    openssl rsa -in server.key -out server.key.insecure
    mv server.key server.key.secure
    mv server.key.insecure server.key
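  2. Copy the server.crt and server.key files into position (create the directory first if it does not exist, and keep the passphrase-free key readable only by root):
    mkdir -p /etc/apache2/ssl
    cp server.key /etc/apache2/ssl
    cp server.crt /etc/apache2/ssl
    chmod 600 /etc/apache2/ssl/server.key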
  3. Enable the SSL module:
    a2enmod ssl
  4. Create a stub SSL conf file (if needed) and establish the necessary symlink.
    NOTE: Ubuntu 10.04 already ships with a stub SSL conf file (/etc/apache2/sites-available/default-ssl), so you won’t need to copy the ‘default’ conf as a stub for the ‘default-ssl’ conf, but you will STILL need a symlink between it and the sites-enabled directory.

    If using an Ubuntu release prior to ~10.04:
    cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-ssl

    For all versions of Ubuntu:
    ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl

  5. Set up all the document roots:
    cd /var/www
    mkdir html
    cd /var
    mkdir www-ssl
    cd www-ssl
    mkdir html
  6. Configure virtual hosts:
    sudo su
    cd /etc/apache2/sites-available
    cp /etc/apache2/sites-available/default default_original

    (Note: If using Ubuntu 10.04+ you may want to back up the original SSL conf also):
    cp /etc/apache2/sites-available/default-ssl default-ssl_original

    To configure HTTP over port 80 (edit /etc/apache2/sites-available/default):

    NameVirtualHost *:80
    (Note: Look down just a bit and make a change to the virtual host settings.)
    <VirtualHost *:80>
    ServerName localhost
    DocumentRoot /var/www/html/
    (Note: Use your assigned IP or DNS name followed by “:80” for ServerName if you have one.)

    Similar procedure for HTTPS over port 443 (edit /etc/apache2/sites-available/default-ssl):

    NameVirtualHost *:443
    (Note: Look down just a bit and make a change to the virtual host settings.)
    <VirtualHost *:443>
    ServerName localhost
    DocumentRoot /var/www-ssl/html/
    (Note: Again, use your assigned IP or a DNS name followed by “:443” for ServerName if you have one.)

  7. Instruct Apache to listen on port 443:
    Open /etc/apache2/ports.conf and add the following line:
    Listen 443
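  8. Turn on the SSL engine (add these directives inside the <VirtualHost *:443> block of /etc/apache2/sites-available/default-ssl):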
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
  9. Restart Apache:
    /etc/init.d/apache2 restart
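
An added example, not part of the original page: a small shell script that checks the server.key / server.crt pair from steps 1 and 2 before Apache is restarted. The function names are this example's own; it assumes the passphrase-free server.key and GNU stat as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original page): pre-install checks for the
# server.key / server.crt pair produced in step 1.

# Succeeds only if the certificate carries the public key of the private key.
# Assumes the passphrase-free server.key (an encrypted key would prompt).
key_matches_cert() {   # $1 = key file, $2 = certificate file
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeeds if the certificate is still valid $2 days from now (default 30).
valid_for_days() {     # $1 = certificate file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Succeeds if group and others have no access to the key file. The key has
# no passphrase, so file permissions are its only protection. Uses GNU stat.
key_is_private() {     # $1 = key file
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Runs all three checks, reports each failure, returns non-zero if any failed.
check_pair() {         # $1 = key file, $2 = certificate file
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; rc=1; }
    valid_for_days "$2" 30     || { echo "FAIL: $2 expires within 30 days"; rc=1; }
    key_is_private "$1"        || { echo "FAIL: $1 is accessible to other users"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: pair is consistent, valid and private"
    return "$rc"
}

# Usage: sh check_pair.sh /etc/apache2/ssl/server.key /etc/apache2/ssl/server.crt
if [ $# -eq 2 ]; then check_pair "$1" "$2"; fi
```

Run it as root against the files copied in step 2; a mismatch between key and certificate is the usual reason Apache refuses to start after the restart in step 9.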