How to Create a Self-signed SSL Certificate on Ubuntu

Reading Time: 3 minutes

An SSL certificate is an electronic ‘document’ that is used to bind together a public security key and a website’s identity information (such as name, location, etc.) by means of a digital signature. The ‘document’ is issued by a certificate provider such as GlobalSign, Verisign, GoDaddy, Comodo, Thawte, and others. For more information, visit the article: What is an SSL Certificate?

In most cases you’ll usually want to use a browser trusted SSL certificate, so a self-signed may not be what you need. In those cases you should buy an SSL from a provider, or get yourself setup with a LetsEncrypt SSL. However, there are times when you just need the SSL for internal test sites. In these cases you can generate a self-signed SSL to secure the connection, the only caveat being that you’ll have to accept an SSL warning when you load.

Generating a Self-Signed SSL on Ubuntu

Pre-Flight Check
  • These instructions are intended for creating a self-signed SSL certificate and assigning it to a domain in Apache.
  • I’ll be working from a Liquid Web Core Managed Ubuntu 14.04 server, and I’ll be logged in as root.
In this article we’re going to be covering how to create a self-signed SSL certificate and assign it to a domain in Apache. Self-signed SSL certificates add security to a domain for testing purposes, but are not verifiable by a third-party certificate provider. Thus, they can result in web browser warnings.
  1. View Loaded Apache Modules, Load SSL if Necessary
    1. First let’s view whether Apache 2 already has the SSL module loaded using information from our article on How to List Which Apache Modules are Enabled on Ubuntu:
      apache2ctl -M | grep sslThe module is already loaded if the result of the above command is:
      ssl_module (shared)Otherwise, we need to load the SSL module:
      a2enmod sslThe output of that command should look similar to:
      Considering dependency setenvif for ssl:
      Module setenvif already enabled
      Considering dependency mime for ssl:
      Module mime already enabled
      Considering dependency socache_shmcb for ssl:
      Enabling module socache_shmcb.
      Enabling module ssl.
      See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
      To activate the new configuration, you need to run:
      service apache2 restart
    2. And now we’ll restart Apache:
      service apache2 restart
  2. Setup the Environment, and Create the Self-signed SSL Certificate
    1. Make a directory to store the certificate and the server key:
      mkdir /etc/apache2/ssl
    2. Generate the SSL via OpenSSL with the following command:
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
      The command above generates a 2048-bit private key and corresponding CRT. These will remain valid for 365 days and the files are placed into the new directory. The output of the above command will result in the following, of which you’ll need to answer a few questions:
      Generating a 2048 bit RSA private key
      ............+++
      ...........+++
      writing new private key to '/etc/apache2/ssl/apache.key'
      -----
      You are about to be asked to enter information that will be incorporated into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]: US
      State or Province Name (full name) [Some-State]: Michigan
      Locality Name (eg, city) []: Lansing
      Organization Name (eg, company) [Internet Widgits Pty Ltd]: Liquid Web
      Organizational Unit Name (eg, section) []: KB
      Common Name (e.g. server FQDN or YOUR name) []: kb.thebestfakedomainnameintheworld.com
      Email Address []: email@thebestfakedomainnameintheworld.com
    Quick Tip:
    It is very important that the Common Name be set appropriately. Enter your fully qualified domain name (FQDN) here or, if you don’t have an FQDN, then your site’s IP address.
  3. Add the Self-signed SSL Certificate to Apache
    For a refresher on editing files with vim see: New User Tutorial: Overview of the Vim Text Editor

      1. Now that the private key and associated CSR have been generated, we need to edit the SSL configuration file for Apache:
        vim /etc/apache2/sites-available/default-ssl.conf
      2. Find the section:
        VirtualHost _default_:443
      3. Then, find:
        ServerAdmin webmaster@localhost
      4. And add the following Virtual Host configuration on the next line:
        ServerName kb.thebestfakedomainnameintheworld.com:443

        Note:
        Be sure to replace kb.thebestfakedomainnameintheworld.com with your fully qualified domain name or server IP address for your Virtual Host. Keep in mind, that the domain should be the same as the Common Name specified in the previous step.
      5. Verify that the following variables are set appropriately in the same file:
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key

        Then exit and save the file with the command :wq .
  4. Activate the Virtual Host
    1. Activate the virtual host with the command:
      a2ensite default-ssl
    2. Then restart Apache once more:
      service apache2 restart

In this tutorial my test domain was kb.thebestfakedomainnameintheworld.com, so I can now visit https://kb.thebestfakedomainnameintheworld.com to test the SSL certificate setup. Use https://yourdomain to test your new self-signed SSL certificate!

Avatar for J. Mays

About the Author: J. Mays

As a previous contributor, JMays shares his insight with our Knowledge Base center. In our Knowledge Base, you'll be able to find how-to articles on Ubuntu, CentOS, Fedora and much more!

Latest Articles

Blocking IP or whitelisting IP addresses with UFW

Read Article

CentOS Linux 7 end of life migrations

Read Article

Use ChatGPT to diagnose and resolve server issues

Read Article

What is SDDC VMware?

Read Article

Best authentication practices for email senders

Read Article