
How to set up a self-signed SSL certificate on Apache

Generate a private key and certificate request, sign it with OpenSSL, and configure Apache to serve traffic over HTTPS on Ubuntu 24.04 and AlmaLinux 9.

Roy S
Updated 3h ago

Generate a self-signed SSL certificate and configure Apache to serve traffic over HTTPS. These steps apply to Ubuntu 24.04, AlmaLinux 9, Rocky Linux 9, and CentOS Stream 9 using Apache httpd 2.4.62 or later.

Prerequisites

  • Root or sudo access to the server.
  • Apache installed (httpd package).
  • A domain name or subdomain pointing to the server IP (optional for self-signed).
  • OpenSSL installed (usually pre-installed on Linux).

Step 1: Generate a private key and a self-signed certificate

Create the private key and the certificate in a single OpenSSL command. The -newkey rsa:2048 option generates a 2048-bit RSA key; -x509 makes OpenSSL write a self-signed certificate directly instead of a certificate signing request (CSR); -nodes leaves the key unencrypted so Apache can load it at startup without a passphrase; -days 365 sets the validity period.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/apache2/ssl.key \
-out /etc/apache2/ssl.crt \
-subj "/CN=example.com/O=My Company/C=US"

Replace example.com with your actual domain or IP. Because -subj supplies the subject on the command line, OpenSSL does not prompt for it. If you omit -subj, OpenSSL prompts for each Distinguished Name field as shown below: enter the domain you want to secure as the Common Name (CN), and accept the default country code or enter your own.

Generating a 2048 bit RSA private key
writing new private key to '/etc/apache2/ssl.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For example, for item say 'company', you can leave it blank if you wish,
or enter your legal company name.

Step 2: Configure Apache to use the certificate

Edit the default SSL configuration file to point Apache to the new certificate and key. On Ubuntu, the file is typically /etc/apache2/sites-available/000-default-ssl.conf. On AlmaLinux/Rocky/CentOS, it is /etc/httpd/conf.d/ssl.conf.

On Ubuntu, open the file:

sudo nano /etc/apache2/sites-available/000-default-ssl.conf

Ensure the following lines exist and point to your certificate files:

SSLCertificateFile /etc/apache2/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl.key
SSLCertificateChainFile /etc/apache2/ssl-ca-bundle.crt

On AlmaLinux 9, edit /etc/httpd/conf.d/ssl.conf (this file is installed by the mod_ssl package):

sudo nano /etc/httpd/conf.d/ssl.conf

Update the certificate paths to match your generated files:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

If you placed the files in /etc/apache2/ssl.crt and /etc/apache2/ssl.key, update the paths accordingly. A self-signed certificate has no chain, so omit SSLCertificateChainFile; it is only needed for a CA-issued certificate with an intermediate CA, and Apache 2.4.8 and later deprecate the directive in favour of appending the intermediate to the SSLCertificateFile bundle.

Step 3: Enable the SSL site and restart Apache

Enable the SSL site in Apache and restart the service to apply the changes.

On Ubuntu:

sudo a2ensite 000-default-ssl
sudo a2dissite 000-default
sudo systemctl restart apache2

On AlmaLinux 9 or CentOS Stream:

sudo httpd -k restart
# Or, equivalently, through systemd:
sudo systemctl restart httpd

Ensure the firewall allows port 443:

sudo ufw allow 'Apache Full'
# Or for firewalld:
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Verify the installation

Test the HTTPS connection using curl to ensure the certificate is loaded and the site responds over port 443. curl verifies the server certificate against the system CA store, and a self-signed certificate is not in that store, so a plain curl -Iv https://example.com fails with "certificate verify failed" even when Apache is configured correctly. Pass --cacert with your own certificate file so that curl trusts exactly that certificate; prefer this over -k, which disables verification entirely.

curl -Iv --cacert /etc/apache2/ssl.crt https://example.com

You should see HTTP/2 200 or HTTP/1.1 200 OK in the response headers. The verbose output also shows the negotiated protocol (SSL connection using TLSv1.2 or TLSv1.3) and the server certificate subject (CN=example.com). If you see 403 Forbidden or certificate verify failed, check the paths in the config file: the certificate Apache serves must be the same file you passed to --cacert.

Troubleshooting

Error: "SSL: certificate verify failed"
This message comes from the client: it did not trust the certificate Apache presented, or Apache could not load the intended certificate because the file path is wrong or the file is not readable. Check permissions:

ls -l /etc/apache2/ssl.crt /etc/apache2/ssl.key

Ensure the owner is root and permissions are 644 for the cert and 600 for the key. Fix with:

sudo chown root:root /etc/apache2/ssl.crt /etc/apache2/ssl.key
sudo chmod 644 /etc/apache2/ssl.crt
sudo chmod 600 /etc/apache2/ssl.key

Error: "SSL: certificate has expired"
Self-signed certificates expire after the number of days specified with -days in the generation command (365 in Step 1). Regenerate the certificate using the same OpenSSL command from Step 1, then restart Apache so it loads the new file.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/apache2/ssl.key \
-out /etc/apache2/ssl.crt \
-subj "/CN=example.com/O=My Company/C=US"
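The following script is an added example and is not part of the original article. It combines the key and certificate generation from Step 1 with the permission and expiry checks from this section: it adds a subjectAltName (modern browsers ignore the CN alone), creates the key with mode 0600 and the certificate with 0644, and provides checks that the certificate matches its key and is still valid. The function names, the scratch directory and the host names are the example's own assumptions; it assumes OpenSSL 1.1.1 or later (for -addext and -ext) and GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original article. Generates a self-signed
# certificate as in Step 1 but with a subjectAltName, applies the 600/644
# permissions from the troubleshooting section, and checks the result
# before Apache is pointed at it. Assumes OpenSSL 1.1.1+ and GNU coreutils.
set -eu

# make_selfsigned DIR HOST DAYS: writes DIR/ssl.key (0600) and DIR/ssl.crt (0644)
make_selfsigned() {
  dir="$1"; host="$2"; days="$3"
  mkdir -p "$dir"
  # umask 077 in a subshell so the private key is never world-readable, even briefly
  ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
      -keyout "$dir/ssl.key" -out "$dir/ssl.crt" \
      -subj "/CN=$host/O=My Company/C=US" \
      -addext "subjectAltName=DNS:$host,DNS:www.$host" )
  chmod 644 "$dir/ssl.crt"   # Apache must read the cert; the key stays 0600
}

# cert_matches_key DIR: succeeds when the certificate's public key is the one
# derived from the key file beside it (a mismatched SSLCertificateFile /
# SSLCertificateKeyFile pair makes Apache refuse to start)
cert_matches_key() {
  [ "$(openssl x509 -in "$1/ssl.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/ssl.key" -pubout)" ]
}

# cert_has_san DIR HOST: succeeds when HOST is listed as a DNS SAN entry
cert_has_san() {
  openssl x509 -in "$1/ssl.crt" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# cert_valid_for_days DIR N: succeeds when the certificate is still valid N days
# from now; run it from cron to get a warning well before the 365-day expiry
cert_valid_for_days() {
  openssl x509 -in "$1/ssl.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Example run against a scratch directory (use /etc/apache2 for a real server):
#   make_selfsigned /tmp/ssl-demo example.com 365
#   cert_matches_key /tmp/ssl-demo && cert_has_san /tmp/ssl-demo example.com && echo OK
```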

Error: "403 Forbidden"
Verify the SSL site is enabled and the default HTTP site is disabled if using the same virtual host. On Ubuntu, ensure 000-default-ssl is enabled and 000-default is disabled. On AlmaLinux, ensure the SSL config is included in the main Apache config.

sudo a2dissite 000-default
sudo a2ensite 000-default-ssl
sudo systemctl restart apache2

Error: "port 443 is blocked"
Check the firewall rules. On UFW, allow port 443 explicitly if the preset profile fails:

sudo ufw allow 443/tcp
sudo ufw reload

Verify Apache is listening on port 443:

sudo ss -tlnp | grep :443
# Or, where the net-tools package is installed:
sudo netstat -tlnp | grep :443

You should see LISTEN for port 443 bound to 0.0.0.0 (shown as *:443 by ss) or 127.0.0.1. If it is bound only to 127.0.0.1, the bind address is set by the Listen directive, not the VirtualHost: change it to Listen 443 (all addresses) or to the server's public address.
