## Table of Contents
- [Introduction](#introduction)
- [Prerequisites](#prerequisites)
- [Creating the SSL Certificate](#creating-the-ssl-certificate)
- [Configuring Apache to Use SSL](#configuring-apache-to-use-ssl)
- [Constructing an Apache Configuration Snippet with Strong Encryption Settings](#constructing-an-apache-configuration-snippet-with-strong-encryption-settings)
- [Adjusting the Default Apache SSL Virtual Host File](#adjusting-the-default-apache-ssl-virtual-host-file)
- [Adjusting the HTTP Host File to Redirect to HTTPS – Recommended](#adjusting-the-http-host-file-to-redirect-to-https-recommended)
- [Adjusting the Firewall](#adjusting-the-firewall)
- [Enabling the Changes in Apache](#enabling-the-changes-in-apache)
- [Changing to a Permanent Redirect](#changing-to-a-permanent-redirect)
- [Conclusion](#conclusion)
## Introduction
SSL (Secure Sockets Layer), which was succeeded by TLS (Transport Layer Security), is a standard security technology for establishing an encrypted link between a web server and a browser. Once a secure connection has been made, the transmitted data is encrypted using a session key. To set this up, the browser asks the server to identify itself, and the server responds with its SSL certificate, which includes the server's public key.
This guide shows how to create a self-signed SSL certificate and use it with Apache on an Ubuntu 18.04 server.
## Prerequisites
You should have access to an Ubuntu 18.04 server and have created a non-root user account with sudo privileges by following our guide, [Initial server setup with Ubuntu 18.04](https://systemongrid.com/support/guides/how-to-do-initial-server-setup-with-ubuntu-18.04).
You should also have installed Apache by following our guide, How to Install Apache web server on Ubuntu 18.04.
## Creating the SSL Certificate
SSL works by using a combination of a public certificate and a private key on the server. The SSL key is kept secret, because it is used to encrypt the data sent to the client. The SSL certificate is shared freely with anyone requesting data, and it can be used to decrypt data signed by the associated SSL key.
We will modify the configuration files later to make use of the pair. First, generate a self-signed key and certificate pair with OpenSSL in a single command:
```
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
```
The command asks a series of questions about your server so that the information is embedded correctly in the certificate.
Output
![sslapacheuserinformation](https://grid.media/assets/images/ssl-certificate-apache-user-information-02132019.png)
Both files you created will be placed in subdirectories of the /etc/ssl directory.
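Before pointing Apache at the new files, it is worth confirming that the certificate really belongs to the key, that the key is not readable by other users, and that the certificate is not about to expire. The following is an added example, not part of the original guide; the function name `check_tls_pair`, the 30-day default and the throwaway `demo.invalid` pair are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a private key / certificate pair.
# check_tls_pair and the 30-day default are illustrative, not from the guide.

check_tls_pair() {   # $1 = private key, $2 = certificate, $3 = minimum days left
    key=$1; crt=$2; min_days=${3:-30}; rc=0

    # The private key must not be readable by group or others.
    mode=$(stat -c '%a' "$key" 2>/dev/null) || { echo "FAIL cannot read $key"; return 2; }
    case "$mode" in
        *00) ;;
        *) echo "FAIL key permissions $mode (expected 600 or 400)"; rc=1 ;;
    esac

    # The certificate must contain the public half of this private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL certificate does not match private key"; rc=1
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL certificate expires within $min_days days"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK key and certificate match"
    return "$rc"
}

# Demo on a throwaway pair generated in a temporary directory (constructed input).
demo=$(mktemp -d)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=demo.invalid" \
    -keyout "$demo/demo.key" -out "$demo/demo.crt" 2>/dev/null
chmod 600 "$demo/demo.key"
check_tls_pair "$demo/demo.key" "$demo/demo.crt"
```

To check the files from this guide, pass /etc/ssl/private/apache-selfsigned.key and /etc/ssl/certs/apache-selfsigned.crt from a root shell, because the key was created with sudo.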
## Configuring Apache to Use SSL
We have now created an SSL key and certificate under the /etc/ssl directory. Next, we need to make some modifications to our Apache configuration:
- Create a configuration snippet to specify strong default SSL settings.
- Modify the included SSL Apache virtual host file to point to your generated SSL certificates.
- Adjust the unencrypted virtual host file so that requests are redirected to the encrypted virtual host.

When you are finished, you should have a secure SSL configuration.
## Constructing an Apache Configuration Snippet with Strong Encryption Settings
Here we create an Apache configuration snippet that defines some SSL settings. It sets Apache up with a strong SSL cipher suite and enables some advanced features that help keep your server secure.
```
$ sudo nano /etc/apache2/conf-available/ssl-params.conf
```
Place the following configuration into ssl-params.conf:
```
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
```
Once you have placed the text above in the file, save and close it.
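A snippet like this tends to drift when it is copied between servers, so it helps to check mechanically that the hardening directives are still in effect. The following is an added example, not part of the original guide; the function name `audit_ssl_params`, its finding labels and the weakened sample file are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a TLS snippet such as ssl-params.conf.
# audit_ssl_params and its finding labels are illustrative, not from the guide.

audit_ssl_params() {   # $1 = path to the snippet; prints one finding per line
    awk '
        { sub(/\r$/, "") }
        /^[ \t]*#/ { next }                      # comments are not live settings
        { d = tolower($1); v = tolower($2) }
        d == "sslprotocol" {
            proto = 1; split("", on)             # a later directive replaces an earlier one
            for (f = 2; f <= NF; f++) {
                t = tolower($f)
                if (t == "all") on["sslv3"] = on["tlsv1"] = on["tlsv1.1"] = 1
                else if (t ~ /^-/) delete on[substr(t, 2)]
                else { sub(/^\+/, "", t); on[t] = 1 }
            }
        }
        d == "sslhonorcipherorder" { order = (v == "on") }
        d == "sslcompression"      { comp = (v == "on") }
        d == "sslsessiontickets"   { notickets = (v == "off") }
        d == "header" && tolower($0) ~ /strict-transport-security/ { hsts = 1 }
        d == "header" && tolower($0) ~ /x-frame-options/           { xfo = 1 }
        d == "header" && tolower($0) ~ /x-content-type-options/    { xcto = 1 }
        END {
            if (!proto) print "FAIL SSLProtocol is not set"
            n = split("sslv3 tlsv1 tlsv1.1", legacy, " ")
            for (i = 1; i <= n; i++)
                if (legacy[i] in on) print "FAIL legacy protocol enabled: " legacy[i]
            if (!order)     print "FAIL SSLHonorCipherOrder is not On"
            if (comp)       print "FAIL SSLCompression is On"
            if (!notickets) print "FAIL SSLSessionTickets is not Off"
            if (!xfo)       print "FAIL X-Frame-Options header is missing"
            if (!xcto)      print "FAIL X-Content-Type-Options header is missing"
            if (!hsts)      print "INFO HSTS header is not active"
        }
    ' "$1"
}

# Constructed sample: a weakened variant of the snippet above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# SSLSessionTickets Off
Header always set X-Frame-Options DENY
EOF
audit_ssl_params "$sample"
```

The function reads only the file it is given; directives set elsewhere, for example inside a virtual host, are not considered.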
## Adjusting the Default Apache SSL Virtual Host File
Next, modify /etc/apache2/sites-available/default-ssl.conf, the default Apache SSL virtual host file. If you are using a different server block file, substitute its name in the commands below. First, make a backup copy of the original file:
```
$ sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
```
Now you can make adjustments to your SSL virtual host file:
```
$ sudo nano /etc/apache2/sites-available/default-ssl.conf
```
Output
![sslvirtualhost](https://grid.media/assets/images/ssl-virtual-host-02132019.png)
We make a few small changes in the nano editor; they are shown in the screenshot below.
![editingsslvirtualhost](https://grid.media/assets/images/editing-ssl-virtual-host-02132019.png)
After editing those lines, save the file and close it.
## Adjusting the HTTP Host File to Redirect to HTTPS – Recommended
The server currently serves both unencrypted HTTP and encrypted HTTPS traffic. In most cases it is recommended to redirect HTTP to HTTPS automatically for better security. If you do not need this functionality, you can simply skip this section.
```
$ sudo nano /etc/apache2/sites-available/000-default.conf
```
Inside the configuration block, add the Redirect directive:
```
. . .
Redirect "/" "https://your_domain_or_IP/"
. . .
```
Once you have put in your domain or IP, save and close the file.
## Adjusting the Firewall
If you have the ufw firewall enabled, you need to adjust its settings to allow SSL traffic. Apache registers a few profiles with ufw upon installation.
List the available profiles in a terminal:
```
$ sudo ufw app list
```
Output
![sslapacheufwapplist](https://grid.media/assets/images/ssl-certificate-apache-ufw-app-list-02132019.png)
Check the current setting by typing:
```
$ sudo ufw status
```
The output shows that only HTTP traffic is allowed to the web server.
Output
![sslapacheufwstatus](https://grid.media/assets/images/ssl-certificate-apache-ufw-status-02132019.png)
To additionally let in HTTPS traffic, allow the "Apache Full" profile and then delete the previous "Apache" (HTTP) profile allowance:
```
$ sudo ufw allow 'Apache Full'
$ sudo ufw delete allow 'Apache'
```
Your status should now look like this:
```
$ sudo ufw status
```
Output
![sslapacheufwfull](https://grid.media/assets/images/ssl-certificate-apache-ufw-status2-02132019.png)
## Enabling the Changes in Apache
Now that we have made our changes and adjusted the firewall, we can enable the SSL and headers modules in Apache, enable our SSL-ready virtual host, and then restart Apache.
```
$ sudo a2enmod ssl
$ sudo a2enmod headers
```
Then enable your SSL virtual host with the following command:
```
$ sudo a2ensite default-ssl
```
You also need to enable your ssl-params.conf file, so that the values you set are read:
```
$ sudo a2enconf ssl-params
```
The required modules and site are now enabled. Check that there are no syntax errors in the configuration:
```
$ sudo apache2ctl configtest
```
Output
![apacheconfigurationtest](https://grid.media/assets/images/apache2ctl-02132019.png)
If the output reports that the syntax is OK, the configuration has no syntax errors, and we can restart Apache to apply the changes:
```
$ sudo systemctl restart apache2
```
## Changing to a Permanent Redirect
If your redirect works correctly and you are sure you want to allow only encrypted traffic, modify the unencrypted Apache virtual host again to make the redirect permanent.
Open your configuration file once more:
```
$ sudo nano /etc/apache2/sites-available/000-default.conf
```
Find the Redirect line you added earlier and add permanent to it:
```
. . .
Redirect permanent "/" "https://your_domain_or_IP/"
. . .
```
Next, save and close the file.
Check your configuration for syntax errors once more:
```
$ sudo apache2ctl configtest
```
Finally, when everything is in order, restart Apache to make the redirect permanent:
```
$ sudo systemctl restart apache2
```
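Apache's Redirect directive answers with status 302 unless a status such as permanent is given, so the two stages of this guide can be told apart from the response headers, along with a redirect that does not lead to HTTPS at all. The following is an added example, not part of the original guide; the function names `redirect_verdict` and `check_redirect`, the verdict words and the sample responses are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify the HTTP-to-HTTPS redirect from response headers.
# redirect_verdict and check_redirect are illustrative names, not from the guide.

redirect_verdict() {   # reads one HTTP response header block on stdin
    awk '
        { sub(/\r$/, "") }                           # header lines end in CRLF
        NR == 1 { code = $2; next }                  # status line: HTTP/1.1 302 Found
        tolower($1) == "location:" { target = tolower($2) }
        END {
            if (code !~ /^30[12378]$/)           print "no-redirect"
            else if (target !~ /^https:\/\//)    print "insecure-target"
            else if (code == 301 || code == 308) print "permanent"
            else                                 print "temporary"
        }
    '
}

check_redirect() {     # $1 = domain or IP; asks the live server (needs curl)
    curl -sI --max-time 5 "http://$1/" | redirect_verdict
}

# Constructed responses; 203.0.113.10 is a documentation address.
printf 'HTTP/1.1 302 Found\r\nLocation: https://203.0.113.10/\r\n\r\n' | redirect_verdict
printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://203.0.113.10/\r\n\r\n' | redirect_verdict
```

After each restart, `check_redirect your_domain_or_IP` should print temporary for the first stage and permanent for the second.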
## Conclusion
You have now configured your Apache server to use strong encryption for its connections with clients.