Setting up SSL/TLS for Apache2 on Ubuntu 17.04

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols used to secure communications between network devices or services. They are most commonly used to encrypt web traffic between a client web browser and a web server. TLS is the current protocol and SSL is its deprecated predecessor; the name "SSL" survives mostly in tool and module names such as mod_ssl.

Other network devices and services (mail, LDAP, databases) use SSL/TLS as well; however, the protocols are mostly used to secure web traffic.

This brief tutorial shows you how to enable SSL/TLS on Apache2-powered websites to secure communications. When you follow the steps below, your sites will be reachable over HTTPS in addition to HTTP.

To get started with enabling SSL/TLS configuration for Apache2, follow the steps below:

Step 1: Generate the Server Private Key and CSR

The first step in creating SSL/TLS certificates is to generate the server's private key and a CSR (Certificate Signing Request). The CSR carries the public key and the identity (the Distinguished Name) of the resource you're securing. A Certificate Authority (CA) signs the CSR to produce the public certificate, or, as in this tutorial, you sign it yourself with the same private key to produce a self-signed certificate.

First let’s create a folder to store your certificates and CSR.

sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl

Then run the command below to create the site or server private key. We're going to use a 4096-bit RSA key rather than the more common 2048-bit key for extra security margin. This file is the secret that protects every HTTPS session with your server: keep it readable only by root (the commands here run as root, so the file is root-owned) and never copy it anywhere other than the server that uses it.

sudo openssl genrsa -out example.com.key 4096

Now that the site/server private key is generated, let's continue below to generate the CSR. We pass -sha512 so the request is signed with SHA-512, a member of the SHA-2 family, rather than relying on whatever default digest openssl.cnf sets; SHA-1 signatures are no longer accepted by browsers.

To generate the CSR, run the command below:

sudo openssl req -new -key example.com.key -out example.com.csr -sha512

When you run the command above, you'll be prompted for a list of fields. The Common Name field is the most important: it must be the fully qualified domain name of the website you're protecting, exactly as users will type it in the browser. Note that current browsers (Chrome since version 58, for example) ignore the Common Name and require the hostname in the Subject Alternative Name (SAN) extension, which this interactive prompt does not set; the SAN can be added at signing time with an extension file.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Minnesota
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Personal Blog
Organizational Unit Name (eg, section) []:SSL Unit
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        (leave this blank; a challenge password is not used here and only complicates renewals)
An optional company name []:

Now that the CSR is created, continue below to self-sign the certificate.

Step 2: Self-Sign the Certificate

After generating the server/site private key and CSR, the last step is to produce a certificate from the CSR. A public site would send the CSR to a Certificate Authority (CA) and receive the signed certificate back; here we sign it ourselves with the same private key, which produces a self-signed certificate. Browsers will show a warning for it until the certificate is explicitly trusted, so this is suitable for internal or test sites, not for the public.

The command below makes the certificate valid for 365 days, so it must be regenerated and reinstalled within a year.

sudo openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt -sha512

After that, a new certificate called example.com.crt is ready to use. Now all you have to do is reference the certificate and key files in the Apache2 configuration.

Open the Apache2 SSL config file by running the commands below:

sudo nano /etc/apache2/sites-available/default-ssl.conf

Then edit the file to look like the one below, referencing the location of the certificate and key we just created.

# HTTPS server
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName  example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/example.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

Next, enable the Apache2 SSL module and activate the SSL virtual host by running the commands below.

sudo a2enmod ssl
sudo a2ensite default-ssl.conf

Finally, restart the Apache2 web server and you're done. A full restart is needed here rather than a reload because a new module (mod_ssl) was just enabled; a2enmod itself tells you so. If you want to catch a typo in the virtual host before dropping connections, run apache2ctl configtest first.

sudo systemctl restart apache2.service
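The whole of Steps 1 and 2 as one script, added here as an example and not part of the original post. It wraps the same openssl commands in a function, creates the private key under a restrictive umask so it is never world-readable, answers the Distinguished Name prompts non-interactively, and adds a subjectAltName extension at signing time so the certificate also satisfies browsers that ignore the Common Name. It then checks what a practitioner would check before reloading Apache: that the certificate really belongs to the key (the mismatch Apache otherwise reports at startup as "key values mismatch"), that the expected hostnames are in the SAN, and how close the certificate is to its expiry. The output directory, hostnames, DN values and the KEY_BITS override are assumptions for illustration; the script assumes only the openssl command-line tool.

```shell
#!/bin/bash
# Added example (not from the original post): key + CSR + self-signed cert
# with a subjectAltName, plus the checks to run before pointing Apache at it.
# Assumes the openssl CLI is installed.
set -eu

# make_selfsigned DIR NAME [ALT_NAME ...]
#   DIR       output directory, created if missing (e.g. /etc/apache2/ssl)
#   NAME      primary FQDN; becomes the Common Name and first SAN entry
#   ALT_NAME  additional hostnames for the SAN list (e.g. www.example.com)
# Honours KEY_BITS (default 4096, as in the tutorial); this override and
# the DN values below are assumptions made for the example.
make_selfsigned() {
    local dir="$1" name="$2"; shift 2
    local bits="${KEY_BITS:-4096}"
    local san="DNS:${name}" alt
    for alt in "$@"; do san="${san},DNS:${alt}"; done

    mkdir -p "$dir"

    # 1. Private key. umask 077 in a subshell makes the new file owner-only
    #    (mode 600), so the key is never readable by other local users.
    ( umask 077 && openssl genrsa -out "${dir}/${name}.key" "$bits" )

    # 2. CSR. -subj supplies the Distinguished Name non-interactively and
    #    no challenge password is set. The DN values are placeholders.
    openssl req -new -sha512 -key "${dir}/${name}.key" \
        -subj "/C=US/ST=Minnesota/L=Brooklyn/O=My Personal Blog/CN=${name}" \
        -out "${dir}/${name}.csr"

    # 3. Self-sign for 365 days with the same key. The extension file adds
    #    the SAN entries; browsers match the hostname against the SAN and
    #    reject a certificate that carries only a Common Name.
    printf 'subjectAltName=%s\n' "$san" > "${dir}/${name}.ext"
    openssl x509 -req -sha512 -days 365 \
        -in "${dir}/${name}.csr" -signkey "${dir}/${name}.key" \
        -extfile "${dir}/${name}.ext" -out "${dir}/${name}.crt"
}

# cert_matches_key CRT KEY
# Succeeds when the certificate's public key is the public half of KEY,
# i.e. SSLCertificateFile and SSLCertificateKeyFile belong together.
cert_matches_key() {
    local crt_pub key_pub
    crt_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$crt_pub" = "$key_pub" ]
}

# cert_has_san CRT HOST
# Succeeds when HOST appears as a DNS entry in the certificate's SAN list.
cert_has_san() {
    local text
    text=$(openssl x509 -noout -text -in "$1")
    printf '%s\n' "$text" | grep -qE "DNS:$2(,|\$)"
}

# cert_expires_within CRT DAYS
# Succeeds when the certificate's notAfter falls within the next DAYS days;
# use it in a cron job to warn before the 365-day certificate lapses.
# (openssl -checkend returns 0 when the cert will NOT expire, hence the '!'.)
cert_expires_within() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1"
}
```

To reproduce the tutorial's layout, source the script and run `sudo -E bash -c 'make_selfsigned /etc/apache2/ssl example.com www.example.com'`; the file names match the ones referenced by SSLCertificateFile and SSLCertificateKeyFile in the virtual host above. The SAN list is the part the interactive Step 1 prompt cannot produce, which is why the extension file is written at signing time rather than into the CSR.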

Summary:

This post shows you how to generate a self-signed SSL/TLS certificate for websites on Ubuntu 17.04. It should also work on previous versions of Ubuntu and on other Linux distributions. Remember that a self-signed certificate is only trusted where you install it; for a public site, send the CSR from Step 1 to a CA instead of self-signing it in Step 2, and the rest of the Apache2 configuration stays the same.

When everything is set up as shown above, your site will answer over both HTTPS and HTTP. To force all traffic onto HTTPS you must add an HTTP-to-HTTPS redirect; search this site for tutorials on setting up Apache2 redirects.

You may also like the post below:

How to Secure Nginx Websites using SSL/TLS on Ubuntu 17.04