I want to install a self-signed SSL certificate on my Amazon Elastic Compute Cloud (Amazon EC2) Ubuntu instance that hosts an Apache server.
Resolution
Open ports 80 and 443
Make sure that the instance's security groups allow traffic on ports 80 and 443.
Install the Apache web server and OpenSSL
Run the following command to install Apache and OpenSSL on your server:
$ sudo apt-get install apache2 openssl -y
For information on configuring SSL/TLS on Amazon Linux, see Configure SSL/TLS.
Generate a self-signed certificate
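- SSL/TLS uses a public and private key pair. Run the following command to create a private key for your domain and a certificate signing request (CSR). The -nodes option writes the private key without a passphrase, so the key file is protected only by its file permissions: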
$ sudo openssl req -nodes -newkey rsa:2048 -keyout /etc/ssl/private/private.key -out /etc/ssl/private/request.csr
- Run the following command to sign the CSR with the same private key and generate a self-signed SSL certificate that's valid for 365 days:
$ sudo openssl x509 -in /etc/ssl/private/request.csr -out /etc/ssl/private/certificate.crt -req -signkey /etc/ssl/private/private.key -days 365
The key (private.key) and certificate (certificate.crt) files are now ready for use with the Apache web server.
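Before pointing Apache at these files, you can check the pair from the shell. The following is an added example, not part of the original article: the function names make_pair and check_pair and the subject /CN=example.test are assumptions, and it works in a scratch directory instead of /etc/ssl/private so that it runs without sudo.

```shell
#!/bin/sh
# Added example (not from the original article): check a key/certificate pair
# before SSLCertificateFile / SSLCertificateKeyFile point at it.

# make_pair DIR: run the article's two openssl commands in a scratch directory.
# -subj "/CN=example.test" is a constructed value that skips the prompts.
make_pair() {
  openssl req -nodes -newkey rsa:2048 -subj "/CN=example.test" \
    -keyout "$1/private.key" -out "$1/request.csr" 2>/dev/null &&
  openssl x509 -in "$1/request.csr" -out "$1/certificate.crt" -req \
    -signkey "$1/private.key" -days 365 2>/dev/null &&
  chmod 600 "$1/private.key"
}

# check_pair KEY CERT: print the first problem found and return non-zero, else 0.
check_pair() {
  key=$1 crt=$2
  # Apache refuses to start when the certificate's public key is not the one
  # derived from the private key, so compare the two public key blocks.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "unreadable private key: $key"; return 2; }
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
    { echo "unreadable certificate: $crt"; return 2; }
  [ "$key_pub" = "$crt_pub" ] ||
    { echo "certificate was not issued for this private key"; return 3; }
  # -checkend 0 fails once notAfter has passed (the article uses -days 365).
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired"; return 4; }
  # -nodes leaves the key unencrypted, so the file mode is its only protection.
  mode=$(stat -c %a "$key")
  case $mode in
    *00) ;;
    *) echo "private key is readable by group or others (mode $mode)"; return 5 ;;
  esac
  echo "ok"
}

# Demo on a throwaway pair.
demo_dir=$(mktemp -d)
make_pair "$demo_dir" && check_pair "$demo_dir/private.key" "$demo_dir/certificate.crt"
rm -rf "$demo_dir"
```

To check the files created above, run check_pair as root with /etc/ssl/private/private.key and /etc/ssl/private/certificate.crt as its arguments.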
Configure Apache to use SSL
Configure Apache to use the certificate that you created earlier in Generate a self-signed certificate.
- Run the following command to open the default Apache SSL configuration file:
$ sudo vi /etc/apache2/sites-available/default-ssl.conf
- Use the following paths to define the location of your SSL certificate and private key:
SSLCertificateFile: /etc/ssl/private/certificate.crt
SSLCertificateKeyFile: /etc/ssl/private/private.key
- Save and close the file, and then run the following command to activate the virtual host file:
$ sudo a2ensite default-ssl.conf
- Run the following command to open the default virtual host configuration file for Apache:
$ sudo vi /etc/apache2/sites-available/000-default.conf
- Add the following directive to the file to redirect your domain name. The redirect forwards all traffic to the site's SSL version. Keep the trailing slash on the target so that the requested path is appended to it correctly:
Note: "Server-IP" is the IP address of your server.
Redirect "/" "https://Server-IP/"
- Run the following commands to turn on the SSL and header modules:
$ sudo a2enmod ssl
$ sudo a2enmod headers
- Run the following command to reload the Apache service and apply the modifications:
$ sudo systemctl reload apache2
Verify your SSL server
To verify your SSL server, follow these steps:
- Launch your web browser, and then navigate to https://Server-IP. The web browser redirects you to a warning page. This is expected because your certificate isn't signed by a trusted certificate authority.
- Select Proceed to Host. The Apache home page opens. A lock with the words "not secure" appears in the browser address bar. This indicates that your connection is encrypted, but the certificate isn't validated.
For information on configuring SSL/TLS on Red Hat or Community Enterprise Linux, see Setting up a webserver to use HTTPS on the Red Hat website.