SSL/TLS Self Signed Certificates and Apache

There are many times I have needed a secure SSL/TLS connection to access web resources but did not want to buy an SSL/TLS certificate. Creating a self-signed SSL/TLS certificate streamlines access to the secure resource by removing the annoying security message in your browser: when you first connect over a self-signed SSL/TLS connection you are given the option to accept the certificate for all future sessions, and from then on there are no extra steps to reach your secure resource.

To create a self-signed SSL/TLS certificate for secure HTTPS connections with Apache there are four steps:

  1. download and install the SSL/TLS scripts
  2. generate an SSL/TLS key
  3. create a self-signed SSL/TLS certificate
  4. configure Apache to use the SSL/TLS self-signed certificate

Download and Install the SSL/TLS Scripts

Download the following two scripts:

Set the proper permissions:

sudo chmod 0700 ssl_genkey.sh
sudo chmod 0700 ssl_cert_selfsign.sh

Copy ssl_genkey.sh and ssl_cert_selfsign.sh to /usr/local/sbin:

sudo cp ssl_genkey.sh /usr/local/sbin/
sudo cp ssl_cert_selfsign.sh /usr/local/sbin/

Generate an SSL/TLS Key

Generate the SSL/TLS key with the following command. Replace www.islandlinux.org with the domain you wish to secure via HTTPS.

sudo ssl_genkey.sh www.islandlinux.org

A successful key generation message looks like this:

Created [/etc/apache2/ssl/key/]
Generating RSA private key, 1024 bit long modulus
.++++++
........................................++++++
e is 65537 (0x10001)

Create a Self-Signed SSL/TLS Certificate

Now that the SSL/TLS key has been created it is time to create the actual self-signed certificate:

sudo ssl_cert_selfsign.sh www.islandlinux.org

You will be asked a number of questions, as follows. Note that the Common Name must be the actual domain name the SSL/TLS certificate is being generated for.

Created [/etc/apache2/ssl/crt/] directory
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:British Columbia
Locality Name (eg, city) []:Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Island Linux
Organizational Unit Name (eg, section) []:Systems
Common Name (eg, YOUR name) []:www.islandlinux.org
Email Address []:systems@pointonemedia.com

Configure Apache to use the SSL/TLS Self-signed Certificate

Ensure that the Apache 2 SSL module is enabled. Both its .load file (which loads mod_ssl) and its .conf file must be linked into mods-enabled, otherwise the SSL directives below are not recognised:

sudo ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/
sudo ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/

Update your website configuration, located in the /etc/apache2/sites-enabled/ directory. The following outlines the Apache configuration required to enable the SSL/TLS self-signed certificate: Apache must listen on port 443, the SSL engine must be enabled, and the certificate and key files must be specified. Replace www.domainname.com with the domain you generated the key and certificate for (www.islandlinux.org in the examples above):

Listen 443
<VirtualHost _default_:443>
    ServerName www.domainname.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/crt/www.domainname.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/key/www.domainname.com.key
</VirtualHost>

Now restart the Apache server to enable your self-signed SSL/TLS certificate:

sudo /etc/init.d/apache2 restart
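
The two scripts themselves are not reproduced on this page, so the following shell script is an added example (not the author's ssl_genkey.sh or ssl_cert_selfsign.sh) that performs the same two steps with the openssl CLI and adds the check worth running before restarting Apache: that the certificate and key actually belong together. It assumes openssl is installed, writes under a caller-supplied directory instead of /etc/apache2/ssl, and uses constructed Distinguished Name values.

```shell
#!/usr/bin/env bash
# Added example, not the page's ssl_genkey.sh / ssl_cert_selfsign.sh. Assumes the
# openssl CLI. BASE_DIR stands in for /etc/apache2/ssl so this runs unprivileged;
# the key is 2048 bits (the page's output shows 1024, too small today) and a SAN
# is added, since browsers no longer accept a certificate on its CN alone.
# gen_selfsigned DOMAIN BASE_DIR [DAYS]
#   Writes BASE_DIR/key/DOMAIN.key and BASE_DIR/crt/DOMAIN.crt, the layout the
#   page's Apache VirtualHost points at. DN values are constructed sample data.
gen_selfsigned() {
    local domain="$1" base="$2" days="${3:-365}"
    local key="$base/key/$domain.key" crt="$base/crt/$domain.crt"
    local cfg="$base/$domain.cnf"
    mkdir -p "$base/key" "$base/crt"
    chmod 0700 "$base/key"          # private key directory: owner only
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
C = CA
O = Island Linux
CN = $domain
[v3]
subjectAltName = DNS:$domain
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    chmod 0600 "$key"
    openssl req -new -x509 -days "$days" -key "$key" -out "$crt" -config "$cfg" \
        2>/dev/null || return 1
    rm -f "$cfg"
}

# cert_matches_key CRT KEY: true only if the public key in CRT belongs to KEY.
# Run it before setting SSLCertificateFile/SSLCertificateKeyFile; a mismatch
# makes Apache refuse to start.
cert_matches_key() {
    local m1 m2
    m1=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) && \
    m2=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) && [ "$m1" = "$m2" ]
}

# cert_cn CRT: prints the Common Name, to compare against ServerName.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

Once the check passes, copy the two files to the paths named in the VirtualHost and restart Apache as above.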

Resources

Comments

Nice scripts, Thanks!

You should note that the preferred way to enable a mod is:

$ sudo a2enmod ssl

then restart apache:

$ apache2ctl restart

Removing support for SSL is:

$ sudo a2dismod ssl

The reason is that there is a conf file as well as a load file that need to be symlinked, and a2enmod will do it all with less fuss.

Cheers.
