Setting Up HTTPS on Apache Web Server and Ubuntu

October 6, 2011

This post was adapted from our Laboratory Exercise in class.

Generate a Certificate Signing Request

These instructions are adapted from the Ubuntu 10.04 Server Guide on Certificates. Please refer to that guide for explanations and other options.

1. Generate the keys for the Certificate Signing Request (CSR). A 2048-bit key is used here, since 1024-bit RSA keys are no longer considered adequate.

openssl genrsa -des3 -out server.key 2048

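2. Create the insecure key, that is, a copy of the key with the passphrase removed so that services can load it without prompting. Anyone who can read this file can use the key.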

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

3. Create the CSR.

openssl req -new -key server.key -out server.csr

Fill in the appropriate information.

Create a Self-Signed Certificate

1. Create the self-signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This creates server.crt.

2. Install the self-signed certificate

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

You can now configure applications that support public-key cryptography to use the certificate and key files.

Enable HTTPS

1. Enable the ssl module.

sudo a2enmod ssl

2. Enable the default-ssl site.

sudo a2ensite default-ssl

3. Restart the server.

sudo service apache2 restart

Visit your web site using the URL https://localhost. Examine the SSL certificate presented by the server to the web browser. What details are listed?

Modify the default-ssl site to point to your generated certificate

Change:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

to:

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Reexamine the certificates presented when you visit https://localhost. What information do you get now?
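Before restarting Apache with the new files, the edit above can be checked from the shell. The script below is an added example, not part of the original exercise: it reads the two directives from the site file, confirms they no longer name the snakeoil pair, and verifies that the key file is not readable by group or other, that the certificate and key belong together, and that the key is at least 2048 bits. The function names and the 2048-bit threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks to run after pointing default-ssl at your own pair.
# Function names are hypothetical; assumes an RSA key as in the steps above.

# Print the last uncommented value of Apache directive $1 in site file $2.
directive_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$2"
}

# True if site file $1 names both files and neither is the snakeoil pair.
uses_own_cert() {
    crt=$(directive_value SSLCertificateFile "$1")
    key=$(directive_value SSLCertificateKeyFile "$1")
    [ -n "$crt" ] && [ -n "$key" ] || return 1
    case "$crt $key" in *snakeoil*) return 1 ;; esac
}

# True if group and other have no permission bits on key file $1.
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# True if certificate $1 and private key $2 carry the same public key.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the public key size in bits recorded in certificate $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Check the pair named in site file $1; return the number of problems found.
check_https_setup() {
    n=0
    uses_own_cert "$1" || { echo "site uses snakeoil or names no pair"; n=$((n+1)); }
    key_is_private "$key" || { echo "key readable by group/other: $key"; n=$((n+1)); }
    pair_matches "$crt" "$key" || { echo "certificate and key do not match"; n=$((n+1)); }
    bits=$(cert_key_bits "$crt")
    [ "${bits:-0}" -ge 2048 ] || { echo "RSA key is ${bits:-?} bits, below 2048"; n=$((n+1)); }
    return "$n"
}
```

Call check_https_setup with the path of the default-ssl site file, as root so that the key under /etc/ssl/private can be read. It returns 0 only when all four checks pass.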

To Disable HTTPS

1. Disable the ssl module.

sudo a2dismod ssl

EDIT (January 27, 2012): step 2 previously read "Enable the default-ssl site."

2. Disable the default-ssl site.

sudo a2dissite default-ssl

3. Restart the server.

sudo service apache2 restart

From → Apache, Ubuntu

4 Comments
  1. kgee permalink

    This tutorial helped me a lot, along with a link I found over at stackoverflow: http://stackoverflow.com/questions/4294689/how-to-generate-a-key-with-passphrase-from-the-command-line

    One thing I noticed was that at some point the two guides seemed to reverse the role of the private/public keys, but this confusion was cleared up when I realized the SO link used the -pubout flag on the second step of key creation, where the default output (without the -pubout flag) generates the private key output such as you do here.

    The documentation I found that let me sort it all out was (gasp!) a subsection of the official openssl docs:
    http://www.openssl.org/docs/apps/rsa.html

    Anyway, thanks for the helpful tutorial, and I hope these links are useful to others along the way.

  2. Are you sure?:
    Enable the default-ssl site.
    sudo a2dissite default-ssl

    You should copy, as you say, and not move, when using SELinux, when you do:
    sudo cp server.crt /etc/ssl/certs
    sudo cp server.key /etc/ssl/private

    • yancy permalink

      For the first point, sorry, my bad. I have already updated the entry.

      For the second point, what do you mean? :)
