SSL (Secure Sockets Layer) and TLS (Transport Layer Security) play a major role in securing an Apache web server running on an Ubuntu 18.04 machine.
The technology is very useful in all websites and online applications where sensitive information is exchanged. For instance, any online shop that requires users to submit credit card information should have an SSL certificate installed.
You can purchase an SSL certificate from trusted certificate authorities such as Comodo or Namecheap. However, you can still use a self-signed certificate on your Ubuntu 18.04 server, particularly if you access the server using an IP address only.
That is what this guide covers: we are going to show you how to install a self-signed SSL certificate on your Ubuntu 18.04 VPS.
- An Ubuntu server running version 18.04
- Apache web server
- A non-root user that can perform sudo tasks
Step 1: Make sure your Apache web server is up and running
The first step is to make sure that Apache is installed and your website is running. To do this, type the public IP address of your Ubuntu 18.04 server into a web browser. You should see the default Apache web page shown below.
However, this page will look different if you have already uploaded your website's files.
Step 2: Create the SSL Certificate
SSL/TLS relies on a combination of public and private keys. While the private key portion of the SSL/TLS certificate is kept on the server, the public key is shared with all clients requesting information from your Ubuntu 18.04 server.
The private key encrypts data before it is sent to the client, ensuring its security, while the public key decrypts information coming from the server.
So we need to create a private key and a self-signed certificate as a pair. By default, Ubuntu 18.04 comes with OpenSSL, an open source implementation of the SSL and TLS protocols.
You can check the OpenSSL version number by typing the command below:
Creating the certificate and private key pair
We can create the certificate and private key pair using OpenSSL with the single command below:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/my.key -out /etc/ssl/certs/my.crt
You will be prompted to enter information that will be incorporated into your certificate request, as shown below:
- State or Province: e.g. CENTRAL
- Locality Name: Name of City e.g. NAIROBI
- Organisation Name: e.g. MY SAMPLE COMPANY
- Organizational Unit Name (eg, section) : e.g. IT DEPARTMENT
- Common Name (e.g. server FQDN or YOUR name) : The exact domain name or public IP address e.g. www.example.com
- Email Address: e.g. firstname.lastname@example.org
After answering the questions above, the private key and CRT files will be placed at the paths you specified in the OpenSSL command. In our case, the private key will be placed in /etc/ssl/private/my.key and the certificate in /etc/ssl/certs/my.crt.
Step 3: Enable port 443
If you have a firewall installed, you need to allow traffic to Apache on port 443. For UFW, run the commands below:
sudo ufw allow 443
sudo ufw allow https
Step 4: Enable the default configuration file for SSL
The default SSL virtual host that ships with Apache is disabled out of the box. You need to enable it using the command below:
sudo a2ensite default-ssl.conf
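As shipped on Ubuntu, default-ssl.conf points at the distribution's placeholder "snakeoil" certificate, so before enabling it the file must be edited to reference the key and certificate created in Step 2. The virtual host below is an added example of that edited file, not part of the original guide; it assumes mod_ssl is enabled (sudo a2enmod ssl), that www.example.com is the Common Name you entered, and that your site lives in /var/www/html. The SSLProtocol line goes beyond the guide and disables the obsolete SSLv3 and TLS 1.0/1.1 versions.

```apache
# /etc/apache2/sites-available/default-ssl.conf (added example, not the original page's file)
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        # Should match the Common Name given when the certificate was created (assumed value)
        ServerName www.example.com
        DocumentRoot /var/www/html

        SSLEngine on
        # The certificate and private key generated by the openssl command in Step 2
        SSLCertificateFile      /etc/ssl/certs/my.crt
        SSLCertificateKeyFile   /etc/ssl/private/my.key

        # Refuse obsolete protocol versions; TLS 1.2 is the minimum modern browsers need
        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</IfModule>
```

Run sudo apache2ctl configtest after editing; it reports a syntax error or a missing certificate file before the restart in Step 5 would fail.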
Step 5: Restart Apache
We can now restart Apache for the changes to take effect by typing the command below in a terminal window:
sudo systemctl restart apache2
Step 6: Testing encryption
Enter your server's public IP address or domain name in a browser, prefixed with https://, to test whether encryption is working. Don't worry if you see a certificate warning; this appears because we are using a self-signed certificate that is not issued by one of your browser's trusted authorities.
That is the basic procedure for installing a self-signed certificate on your Ubuntu 18.04 server. Communication between clients and your web server over HTTPS will now be encrypted. Remember that self-signed certificates are most appropriate when clients reach your web application using an IP address.
For instance, use such a certificate when implementing a non-user-facing application. If you have a domain name, you may find it more useful to obtain a trusted certificate from the Let's Encrypt open source foundation.