Setup Self-Signed SSL/TLS Certificates on Ubuntu 17.04 / 17.10

This brief tutorial shows students and new users how to easily set up self-signed SSL/TLS certificates on Ubuntu 17.04 / 17.10. Self-signed certs are suitable for personal use or for applications used internally within an organization.

The reason self-signed certs are kept to internal use is that no third-party certificate authority (CA) vouches for them. For the public certificates you find on websites and applications online, a third party vouches that the certificate your browser sees is valid and trusted. These third parties are known as certificate authorities.

Without this third-party validation, your computer will warn you that the certificate can’t be trusted. Since you’re only going to be using it internally, you can just ignore the warning. But avoid public websites with non-trusted certificates.

To set up the certificate, continue with the steps below.

Run the command below to issue a one-year self-signed certificate for the domain called mydomain.com

sudo openssl req -new -x509 -sha256 -days 365 -nodes -out /etc/ssl/certs/mydomain.com.crt -keyout /etc/ssl/private/mydomain.com.key

The command creates mydomain.com.crt and saves it in the /etc/ssl/certs directory. It also creates a private key called mydomain.com.key and stores it in the /etc/ssl/private directory. These are the file names the Nginx and Apache2 configurations below refer to.

When you run the command above, you’ll be asked to answer a few questions about the certificate you’re generating, such as the country and state.

Enter the requested info below.

  • Common Name: The fully-qualified domain name, or URL, you’re securing. For a wildcard, use *.mydomain.com.
  • Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor’s name.
  • Organizational Unit: If applicable, enter the DBA (doing business as) name.
  • City or Locality: Name of the city where your organization is registered/located.
  • State or Province: Name of the state or province where your organization is located.
  • Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.

Leave the passphrase field blank.

When you’re done, a brand new certificate and key should be generated. The cert will be valid for a year.
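A scripted form of the certificate step above, as an added example that is not part of the original tutorial: it answers the prompts from a config file, adds a subjectAltName (current browsers match the hostname against SAN entries, not the Common Name), and provides checks to run before pointing Nginx or Apache2 at the files. The function names, the SAN entries and the single output directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial. Function names, SAN entries
# and the single output directory are assumptions.

# Create <dir>/<domain>.key and <dir>/<domain>.crt without interactive prompts.
make_selfsigned() {
    domain=$1; outdir=$2; rc=1
    conf=$(mktemp) || return 1
    cat > "$conf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $domain
[v3]
subjectAltName = DNS:$domain, DNS:www.$domain
EOF
    # umask 077: the unencrypted (-nodes) key is created owner-readable only.
    if ( umask 077; openssl req -x509 -sha256 -days 365 -nodes \
           -newkey rsa:2048 -config "$conf" -out "$outdir/$domain.crt" \
           -keyout "$outdir/$domain.key" 2>/dev/null ); then
        chmod 644 "$outdir/$domain.crt" && rc=0
    fi
    rm -f "$conf"
    return $rc
}

# True only if the certificate carries the public key of this private key.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if the certificate is valid for hostname $2 (SAN-aware check).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# True if the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
```

To mirror the tutorial's layout, generate into a working directory, run the three checks, then move the key to /etc/ssl/private and the certificate to /etc/ssl/certs.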

Configure Nginx to use the Certificate

Now that the certificate is created, the guide below shows you how to use it with Nginx.

Run the commands below to open Nginx default configuration file.

sudo nano /etc/nginx/sites-available/default

Then make sure the SSL-related lines (listen 443 ssl, ssl_certificate and ssl_certificate_key) are added.

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        listen 443 ssl;

        root /var/www/html;
        index index.html index.htm;

        server_name mydomain.com;
        ssl_certificate /etc/ssl/certs/mydomain.com.crt;
        ssl_certificate_key /etc/ssl/private/mydomain.com.key;

        location / {
                try_files $uri $uri/ =404;
        }
}

After editing the file above, Nginx will be able to serve requests over both HTTP and HTTPS. Save the file and you’re done.

Restart Nginx webserver.

Configure Apache2 to use the certificate

To configure Apache2 to use the certificate, run the command below to open the Apache2 default SSL configuration file.

sudo nano /etc/apache2/sites-available/default-ssl.conf

Then make the highlighted changes below and save the file.

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin admin@mydomain.com
        ServerName mydomain.com
        ServerAlias www.mydomain.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/mydomain.com.crt
        SSLCertificateKeyFile /etc/ssl/private/mydomain.com.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

Save the file and you’re done.

Restart Apache2

Congratulations! You’ve just created a self-signed certificate and learned how to use it with Nginx and Apache2.

Enjoy!
