Setting Up HTTPS on Apache Web Server and Ubuntu

This post was adapted from our Laboratory Exercise in class.

Generate a Certificate Signing Request

These instructions are adapted from the Ubuntu 10.04 Server Guide on Certificates. Please refer to that guide for explanations and other options.

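1. Generate the keys for the Certificate Signing Request (CSR). Use at least 2048 bits; 1024-bit RSA keys are no longer considered adequate. The -des3 option protects the key with a passphrase, which you will be prompted for.

openssl genrsa -des3 -out server.key 2048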

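2. Create the insecure key. This is a copy of the private key with the passphrase removed, so that Apache can start without prompting for it.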

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

3. Create the CSR.

openssl req -new -key server.key -out server.csr

Fill in the appropriate information.

Create a Self-Signed Certificate

1. Create the self-signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This creates server.crt.

2. Install the self-signed certificate

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Applications that support public-key cryptography can now be configured to use the certificate and key files.

Enable HTTPS

1. Enable ssl

sudo a2enmod ssl

2. Enable the default-ssl site.

sudo a2ensite default-ssl

3. Restart the server.

sudo service apache2 restart

Visit your web site using the URL https://localhost. Examine the SSL certificate presented by the server to the web browser. What details are listed?

Modify the default-ssl site to point to your generated certificate

Change:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

to:

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Reexamine the certificates presented when you visit https://localhost. What information do you get now?
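
Before restarting Apache with the new paths, it is worth confirming that the key and certificate belong together, that the key is long enough and that the key file is not accessible to other users. The script below is an added example, not part of the original exercise; check_tls_pair is a hypothetical helper name, and it assumes the unencrypted RSA key from step 2, the openssl command-line tool and GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a certificate/key
# pair before SSLCertificateFile / SSLCertificateKeyFile point at it.
# check_tls_pair is a hypothetical name. Assumes an unencrypted RSA key.
# Return codes: 0 ok, 1 key does not match cert, 2 key under 2048 bits,
#               3 key file accessible to "other" users, 4 cert expired.
check_tls_pair() {
    cert=$1
    key=$2

    # The public key embedded in the certificate must equal the one derived
    # from the private key; mod_ssl rejects a mismatched pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch"; return 1; }

    # Read the key size from the certificate's text dump.
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "weak key: ${bits:-?} bits"; return 2; }

    # The last octal digit holds the permissions for "other"; it must be 0.
    mode=$(stat -c '%a' "$key")
    case $mode in
        *0) ;;
        *) echo "key mode $mode is too open"; return 3 ;;
    esac

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired"; return 4; }

    echo "ok: $bits-bit key matches certificate"
}

# Run as: sh check_tls_pair.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```

A key copied with sudo cp normally ends up with mode 644, which this check reports; sudo chmod 600 on the installed key clears it.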

To Disable HTTPS

1. Disable ssl

sudo a2dismod ssl

EDIT (January 27, 2012): step 2 originally read "Enable the default-ssl site."; the corrected step follows.

2. Disable the default-ssl site.

sudo a2dissite default-ssl

3. Restart the server.

sudo service apache2 restart

4 thoughts on “Setting Up HTTPS on Apache Web Server and Ubuntu”

  1. This tutorial helped me a lot, along with a link I found over at stackoverflow: http://stackoverflow.com/questions/4294689/how-to-generate-a-key-with-passphrase-from-the-command-line

    One thing I noticed was that at some point the two guides seemed to reverse the role of the private/public keys, but this confusion was cleared up when I realized the SO link used the -pubout flag on the second step of key creation, where the default output (without the -pubout flag) generates the private key output such as you do here.

    The documentation I found that let me sort it all out was (gasp!) a subsection of the official openssl docs:
    http://www.openssl.org/docs/apps/rsa.html

    Anyway, thanks for the helpful tutorial, and I hope these links are useful to others along the way.

  2. Are you sure?:
    Enable the default-ssl site.
    sudo a2dissite default-ssl

    You should copy, as you say, and not move, when using SELinux, when you do:
    sudo cp server.crt /etc/ssl/certs
    sudo cp server.key /etc/ssl/private
