I want to install a self-signed SSL certificate on my Amazon Elastic Compute Cloud (Amazon EC2) Ubuntu instance that hosts an Apache server.
Short description
To install a self-signed certificate on an Ubuntu instance hosting an Apache server, complete the following steps:
- Open ports 80 and 443.
- Install the Apache web server and OpenSSL.
- Generate a self-signed certificate.
- Configure Apache to use SSL.
- Verify your SSL server.
For information on configuring SSL/TLS on Red Hat or Community Enterprise Linux, such as AlmaLinux and Rocky Linux, see Setting up a webserver to use HTTPS on the redhat.com website.
For information on configuring SSL/TLS on Amazon Linux, see Configure SSL/TLS.
Resolution
Step 1: Open ports 80 and 443
Make sure that the instance's security groups allow traffic on ports 80 and 443.
Step 2: Install the Apache web server and OpenSSL
Run the following command to install Apache and OpenSSL on your server:
$ sudo apt-get install apache2 openssl -y
Step 3: Generate a self-signed certificate
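1. SSL/TLS uses a public and private key pair. Run the following command to create a private key for your domain and a certificate signing request (CSR). The -nodes option writes the private key unencrypted, so that Apache can read it without a passphrase prompt: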
$ sudo openssl req -nodes -newkey rsa:2048 -keyout /etc/ssl/private/private.key -out /etc/ssl/private/request.csr
2. Run the following command to generate an SSL certificate:
$ sudo openssl x509 -in /etc/ssl/private/request.csr -out /etc/ssl/private/certificate.crt -req -signkey /etc/ssl/private/private.key -days 365
The key (private.key) and certificate (certificate.crt) files are now ready for use with the Apache web server.
Step 4: Configure Apache to use SSL
Configure Apache to use the certificate that you created in Step 3: Generate a self-signed certificate.
1. Run the following command to open the default Apache SSL configuration file:
$ sudo vi /etc/apache2/sites-available/default-ssl.conf
2. Set the following directives to the paths of your SSL certificate and private key:
- SSLCertificateFile /etc/ssl/private/certificate.crt
- SSLCertificateKeyFile /etc/ssl/private/private.key
3. Save and close the file, and then run the following command to activate the virtual host file:
$ sudo a2ensite default-ssl.conf
4. Run the following command to open the default virtual host configuration file for Apache:
$ sudo vi /etc/apache2/sites-available/000-default.conf
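5. Inside the VirtualHost block, add the following directive to redirect to your domain name. The redirect forwards all traffic to the site's SSL version. Keep the trailing slash on the target so that request paths are appended correctly:
Redirect "/" "https://Server-IP/"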
6. Run the following commands to turn on the SSL and headers modules:
$ sudo a2enmod ssl
$ sudo a2enmod headers
7. Run the following command to reload the Apache service and apply the modifications:
$ sudo systemctl reload apache2
Step 5: Verify your SSL server
1. Launch your web browser and navigate to https://Server-IP. The browser displays a warning page. This is expected because your certificate isn't signed by a trusted certificate authority.
2. Select Proceed to Host. The Apache home page opens. A lock with the words "not secure" appears in the browser address bar. This indicates that the certificate isn't validated, but the connection is encrypted.
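A pre-flight check for the key and certificate from Step 3, useful before the reload in Step 4 and when the browser check in Step 5 fails. This is an added example, not part of the original article: the function names, the return codes, and the CN=example.test sample subject are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: checks on the key/certificate
# pair from Step 3 before Apache is pointed at it.

# check_pair KEY CRT -> 0 ok, 1 mismatch, 2 unreadable, 3 expired, 4 key world-readable
# (return codes are this example's own convention)
check_pair() {
  key=$1; crt=$2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot read key: $key"; return 2; }
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "cannot read certificate: $crt"; return 2; }
  # mod_ssl cannot serve a certificate whose public key does not belong to the private key.
  [ "$key_pub" = "$crt_pub" ] || { echo "certificate does not match private key"; return 1; }
  # -checkend 0 exits non-zero when the certificate is already past notAfter.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "certificate expired"; return 3; }
  # The key was written with -nodes (unencrypted), so file permissions are its only protection.
  if [ -n "$(find "$key" -prune -perm -004)" ]; then echo "private key is world-readable"; return 4; fi
  echo "ok: key matches certificate, $(openssl x509 -in "$crt" -noout -enddate)"
}

# is_self_signed CRT -> 0 when subject and issuer are identical, which is why
# the browser shows the warning described in Step 5.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject) || return 2
  iss=$(openssl x509 -in "$1" -noout -issuer) || return 2
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Constructed sample: the Step 3 commands written to a scratch directory, with
# -subj (CN=example.test, a made-up name) replacing the interactive prompts.
make_sample_pair() {
  openssl req -nodes -newkey rsa:2048 -keyout "$1/private.key" -out "$1/request.csr" \
    -subj "/CN=example.test" 2>/dev/null &&
  openssl x509 -in "$1/request.csr" -out "$1/certificate.crt" -req \
    -signkey "$1/private.key" -days 365 2>/dev/null &&
  chmod 600 "$1/private.key"
}

# On the instance, run as root with the two paths from Step 3 as arguments:
#   /etc/ssl/private/private.key /etc/ssl/private/certificate.crt
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```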