Linux: Self-signed certificate for Apache SSL

By: Axel Knauf

Posted: January 12, 2016

This article details how to generate an SSL certificate in order to encrypt traffic on an Aache hosted site using HTTPS. The certificate will be self-signed, meaning browsers will still show a warning message when accessing the page.

This setup is not secure and all code is given as examples only. It is intended for development purposes only. If you want to run your site encrypted with a real certificate, you may want to take a look at Let's Encrypt.

Assumptions

This guide refers to Apache 2.2 using OpenSSL to generate the certificate - the same can be achieved for later versions of Apache or even using OpenSSL on Cygwin on Windows.

Apache 2.2 with mod_ssl support
OpenSSL already installed (sudo apt-get install openssl)
Editor and browser for testing and configuration

I am assuming that you are using the domaim "www.example.com" for your virtual host. This becomes relevant for the "Common Name" (CN) in the certificate signing request (CSR) below. Please adust this where needed.

How to create a new certificate

On all prompts you can easily press return to use the default setting, unless I am giving other instructions.

These steps are necessary:

Create folder and Certification Authority (CA)

I am using a subfolder inside Apaches conf folder which allows easy configuration from httpd.conf.

    $ cd $APACHE_HOME/conf
    $ mkdir certs
    $ cd certs
    $ /usr/ssl/misc/CA.pl -newca

Passphrase: "example"

Common name: "my-example-ca"

Create server key

    $ openssl genrsa -des3 -out www.example.com.pem 2048

Passphrase: "example"

Create Certificate Signing Request (CSR)

Using the newly generated server key above.

    $ openssl req -new -key www.example.com.pem -out www.example.com.csr

Common Name "www.example.com", it must match the domain name of your virtual host!

Create signed certificate using CA and CSR

    $ openssl ca -in www.example.com.csr -out www.example.com-cert.pem

Remove passphrase from server key

Since Apache does not support passphrases for server keys (on Windows at least), we have to remove any passphrase used above.

    $ openssl rsa -in www.example.com.pem -out www.example.com-nopassphrase.pem

Configure Apache

Edit `httpd.conf`

Uncomment "LoadModule ssl_module" directive
Uncomment include for httpd-ssl.conf

Edit `extra/httpd-ssl.conf`

General settings

        Listen 443
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl
        SSLPassPhraseDialog  builtin
        SSLSessionCache        "shmcb:/path/to/apache/logs/ssl_scache(512000)"
        SSLSessionCacheTimeout  300
        SSLMutex default

You will have to adjust the path to your Apache installation.

Create VirtualHost for SSL

        NameVirtualHost www.example.com:443
        <VirtualHost www.example.com:443>

           ServerName www.example.com:443
           ServerAdmin root@localhost

           [..]

           SSLEngine on
           SSLProxyEngine On
           SSLProtocol all -SSLv2
           SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
           SSLCertificateFile "/path/to/apache/conf/certs/www.example.com-cert.pem"
           SSLCertificateKeyFile "/path/to/apache/conf/certs/www.example.com-nopassphrase.pem"

           [..]

        </VirtualHost>

You have to adjust the paths for the Apache installation and both "SSLCertificateFile" and "SSLCertificateKeyFile". In addition, you have to adjust the hostname, of course.

Restart Apache

Then, try https://www.example.com/

Renew an existing certificate

If the certifcate expired (usually it is valid for a single year), it can be renewed using the following steps. We are using the same tools as above, and the examples assume you are in the "certs" folder of your Apache configuration.

Remove old certifcate from store

Find out the ID of the current certifcate, it is part of demoCA/index.txt with your Common Name (above: "www.example.com"):

    $ less demoCA/index.txt
    V       171207033254Z           CC61BF56E46A51BE        unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=my-example-ca
    V       151208033429Z           CC61BF56E46A51BF        unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=www.example.com    <--------------

In this case it is the second one, the common name is at the very end and we note the ID "CC61BF56E46A51BF" (third column). There if a file with this ID as name in the newcerts folder:

    $ ls -l demoCA/newcerts
    ..
    -rw-r--r-- 1 user group 2999  8. Dez 2014  CC61BF56E46A51BE.pem
    -rw-r--r-- 1 user group 3891  8. Dez 2014  CC61BF56E46A51BF.pem   <------------

When we have the file, we can revoke the certifcate using the passphrase from above:

    $ openssl ca -revoke demoCA/newcerts/CC61BF56E46A51BF.pem
    Using configuration from /usr/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Revoking Certificate CC61BF56E46A51BF.
    Data Base Updated

Create a new certificate

Afterwards a new one can be generated using the existing CSR from the initial creation. If you do not have this file anymore, you can follow the steps above to create a new one.

    $ openssl ca -in www.example.com.csr -out www.example.com-cert.pem

If you want to use this new certificate in Apache, you will have to remove the passphrase again. Afterwards, place the new certificate file in the Apache config folder and restart the server.

Links and Documentation

Official Apache 2.2 SSL docs: http://httpd.apache.org/docs/2.2/en/ssl/
Let's Encrypt open CA: https://letsencrypt.org/
OpenSSL 1.0.2 man page: https://www.openssl.org/docs/man1.0.2/apps/openssl.html