How to Create a Self-Signed SSL Certificate for Apache on Ubuntu 18.04


    ## Table of Contents
    - [Introduction](#introduction)
    - [Prerequisites](#prerequisites)
    - [Creating the SSL Certificate](#creating-the-ssl-certificate)
    - [Configuring Apache to Use SSL](#configuring-apache-to-use-ssl)
    - [Constructing an Apache Configuration Snippet with Strong Encryption Settings](#constructing-an-apache-configuration-snippet-with-strong-encryption-settings)
    - [Adjusting the Default Apache SSL Virtual Host File](#adjusting-the-default-apache-ssl-virtual-host-file)
    - [Adjusting the HTTP Host File to Redirect to HTTPS – Recommended](#adjusting-the-http-host-file-to-redirect-to-https-recommended)
    - [Adjusting the Firewall](#adjusting-the-firewall)
    - [Enabling the Changes in Apache](#enabling-the-changes-in-apache)
    - [Changing to a Permanent Redirect](#changing-to-a-permanent-redirect)
    - [Conclusion](#conclusion)

    ## Introduction

    SSL (Secure Sockets Layer), which was followed by TLS (Transport Layer Security), is a standard security technology for establishing an encrypted link between a web server and a browser. When the browser asks the server to identify itself, the server sends its SSL certificate, which includes the server's public key. Once the secure connection is made, the transmitted data is encrypted using a session key.

    In this guide we discuss how to create a self-signed SSL certificate for Apache on an Ubuntu 18.04 server.

    ## Prerequisites

    You should have access to an Ubuntu 18.04 server and have created a non-root user account with sudo privileges by following our guide, [Initial server setup with Ubuntu 18.04](https://systemongrid.com/support/guides/how-to-do-initial-server-setup-with-ubuntu-18.04).

    You should have installed Apache by following our guide, How to Install Apache web server on Ubuntu 18.04.

    ## Creating the SSL Certificate

    SSL works with a combination of a public certificate and a private key on the server. The SSL key is kept secret because it is used to encrypt the data sent to the client. The SSL certificate is freely shared with anyone requesting data and can be used to decrypt the data signed by the related SSL key.

    You can generate a self-signed key and certificate pair with OpenSSL in a single command:

    ```
    $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
    ```

    When you run the command, it asks a few questions about your server so that the information can be placed properly in the certificate.

    Output

    ![sslapacheuserinformation](https://grid.media/assets/images/ssl-certificate-apache-user-information-02132019.png)

    Both files you created will be placed in subdirectories of the /etc/ssl directory.
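Before wiring the files into Apache it is worth confirming that the certificate belongs to the key, that the key is not readable by other users, and how long the certificate remains valid. The script below is an added example, not part of the original guide; it generates a throwaway pair in a temporary directory with the guide's options, and the function names and the name example.test are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide). Works in a temporary directory, so no
# sudo is needed; on the server the files are under /etc/ssl/private and
# /etc/ssl/certs. The name example.test is a placeholder.

# Same options as the guide; -subj answers the prompts non-interactively.
# umask 077 keeps the new files private whatever the OpenSSL version does.
make_pair() {  # $1 = key path, $2 = certificate path, $3 = common name
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null )
}

# Succeeds only if the certificate carries the public half of this key.
pair_matches() {  # $1 = key path, $2 = certificate path
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# -nodes leaves the key unencrypted on disk, so file permissions are its
# only protection: succeed only if group and others have no access.
key_is_private() {  # $1 = key path
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if the certificate is still valid $2 days from now.
valid_for_days() {  # $1 = certificate path, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

report() {  # $1 = key path, $2 = certificate path
    pair_matches "$1" "$2"  && echo "key and certificate match" \
                            || echo "MISMATCH: certificate not made from this key"
    key_is_private "$1"     && echo "key permissions ok" \
                            || echo "WARNING: key readable by group or others"
    valid_for_days "$2" 30  && echo "valid for at least 30 more days" \
                            || echo "WARNING: expires within 30 days"
}

tmp=$(mktemp -d)
make_pair "$tmp/apache-selfsigned.key" "$tmp/apache-selfsigned.crt" example.test
report "$tmp/apache-selfsigned.key" "$tmp/apache-selfsigned.crt"
rm -rf "$tmp"
```

On the server, run `report` with sudo against the two paths used in the openssl command above.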

    ## Configuring Apache to Use SSL

    We have created the key and certificate files under the /etc/ssl directory. Now we need to make some modifications to our Apache configuration:

    - Create a configuration snippet to specify strong default SSL settings.
    - Modify the included SSL Apache virtual host file to point to your generated SSL certificates.
    - Modify the unencrypted virtual host file to redirect requests to the encrypted virtual host.

    When you are finished, you should have a secure SSL configuration.

    ## Constructing an Apache Configuration Snippet with Strong Encryption Settings

    Here we construct an Apache configuration snippet that defines some SSL settings. It sets Apache up with a strong SSL cipher suite and enables some advanced features that help keep your server secure.

    ```
    $ sudo nano /etc/apache2/conf-available/ssl-params.conf
    ```

    Place the configuration below into ssl-params.conf:

    ```
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    # Disable preloading HSTS for now. You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    # Requires Apache >= 2.4
    SSLCompression off
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    # Requires Apache >= 2.4.11
    SSLSessionTickets Off
    ```

    After pasting the text above, save the file and close it.
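An SSLProtocol line is evaluated token by token, so it is easy to leave an old protocol enabled by omitting one `-` entry. The following added example (not part of the original guide) reports which of SSLv3, TLSv1 and TLSv1.1 a configuration would still allow; the function names and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): list legacy protocols that an
# SSLProtocol line would leave enabled. Sample configs are constructed.

# Prints the subset of SSLv3, TLSv1 and TLSv1.1 still enabled ("" if none).
# "All" covers every protocol; "+X" or "X" adds one; "-X" removes one.
# Assumption of this sketch: a later SSLProtocol line replaces an earlier one.
legacy_protocols() {  # reads the files given as arguments, or stdin
    awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1", legacy, " ") }
    tolower($1) == "sslprotocol" {
        split("", on)                          # reset the enabled set
        for (i = 2; i <= NF; i++) {
            t = tolower($i); sign = substr(t, 1, 1)
            if (sign == "+" || sign == "-") t = substr(t, 2)
            if (t == "all") {
                for (j = 1; j <= n; j++) {
                    if (sign == "-") delete on[tolower(legacy[j])]
                    else on[tolower(legacy[j])] = 1
                }
            }
            else if (sign == "-") delete on[t]
            else on[t] = 1
        }
    }
    END {
        out = ""
        for (j = 1; j <= n; j++)
            if (tolower(legacy[j]) in on)
                out = out (out == "" ? "" : " ") legacy[j]
        print out
    }' "$@"
}

# The line from ssl-params.conf above, and a weaker constructed variant.
guide_conf() { printf '%s\n' 'SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'; }
weak_conf()  { printf '%s\n' 'SSLProtocol All -SSLv2 -SSLv3'; }

echo "guide settings leave enabled: [$(guide_conf | legacy_protocols)]"
echo "weak settings leave enabled:  [$(weak_conf | legacy_protocols)]"
```

To audit the real file, pass its path: `legacy_protocols /etc/apache2/conf-available/ssl-params.conf`.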

    ## Adjusting the Default Apache SSL Virtual Host File

    Next, modify /etc/apache2/sites-available/default-ssl.conf, the default Apache SSL virtual host file. If you are using a different server block file, substitute its file name in the commands below. First, back up the original file:

    ```
    $ sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
    ```

    Now you can make adjustments to your SSL virtual host file:

    ```
    $ sudo nano /etc/apache2/sites-available/default-ssl.conf
    ```

    Output

    ![sslvirtualhost](https://grid.media/assets/images/ssl-virtual-host-02132019.png)

    Here we make a few small changes in the nano editor; the changes are shown in the screenshot below.

    ![editingsslvirtualhost](https://grid.media/assets/images/editing-ssl-virtual-host-02132019.png)

    After editing those lines, save the file and close it.
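The edited file is shown only as a screenshot, so the following added example (not part of the original guide) shows one way to make the edit this section describes, assuming the change is to point SSLCertificateFile and SSLCertificateKeyFile at the pair generated earlier. The virtual host excerpt is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): point the SSL virtual host at the new
# pair. Runs on a constructed excerpt of default-ssl.conf in a temp file.

CERT=/etc/ssl/certs/apache-selfsigned.crt      # paths from the openssl command
KEY=/etc/ssl/private/apache-selfsigned.key

# Constructed excerpt; the snakeoil paths are the Ubuntu package defaults.
sample_vhost() {
    cat <<'EOF'
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        SSLEngine on
        #SSLCertificateFile /path/in/a/comment.crt
        SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    </VirtualHost>
</IfModule>
EOF
}

# Rewrite only the active (uncommented) directives, keeping indentation.
set_cert_paths() {  # $1 = vhost file, $2 = certificate path, $3 = key path
    sed -e "s|^\([[:space:]]*SSLCertificateFile[[:space:]]\{1,\}\).*|\1$2|" \
        -e "s|^\([[:space:]]*SSLCertificateKeyFile[[:space:]]\{1,\}\).*|\1$3|" \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Print the value of the first active occurrence of a directive.
active_value() {  # $1 = vhost file, $2 = directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

vhost=$(mktemp)
sample_vhost > "$vhost"
set_cert_paths "$vhost" "$CERT" "$KEY"
echo "SSLCertificateFile    -> $(active_value "$vhost" SSLCertificateFile)"
echo "SSLCertificateKeyFile -> $(active_value "$vhost" SSLCertificateKeyFile)"
rm -f "$vhost"
```

Running `active_value` against the real default-ssl.conf after editing is a quick way to confirm that both directives reference the files created by the openssl command.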

    ## Adjusting the HTTP Host File to Redirect to HTTPS – Recommended

    As configured so far, the server serves both unencrypted HTTP and encrypted HTTPS traffic. In most cases it is recommended to redirect HTTP to HTTPS for better security. If you do not need this functionality, you can skip this section.

    ```
    $ sudo nano /etc/apache2/sites-available/000-default.conf
    ```

    Inside the virtual host configuration block, add the Redirect directive:

    ```
    . . .

    Redirect "/" "https://your_domain_or_IP/"

    . . .
    ```

    After replacing your_domain_or_IP with your own domain or IP address, save and close the file.

    ## Adjusting the Firewall

    If you have the ufw firewall enabled, you need to adjust its settings to allow SSL traffic. Apache registers a few profiles with ufw on installation.

    List the available profiles in a terminal:

    ```
    $ sudo ufw app list
    ```

    Output

    ![sslapacheufwapplist](https://grid.media/assets/images/ssl-certificate-apache-ufw-app-list-02132019.png)

    Check the current setting by typing:

    ```
    $ sudo ufw status
    ```

    The output shows that only HTTP traffic is allowed to reach the web server.

    Output

    ![sslapacheufwstatus](https://grid.media/assets/images/ssl-certificate-apache-ufw-status-02132019.png)

    To additionally let in HTTPS traffic, allow the "Apache Full" profile and then delete the previous HTTP-only "Apache" profile allowance:

    ```
    $ sudo ufw allow 'Apache Full'
    $ sudo ufw delete allow 'Apache'
    ```

    The status should now look like this:

    ```
    $ sudo ufw status
    ```

    Output

    ![sslapacheufwfull](https://grid.media/assets/images/ssl-certificate-apache-ufw-status2-02132019.png)

    ## Enabling the Changes in Apache

    Now that we have adjusted the firewall, we can enable the SSL and headers modules in Apache, enable the SSL-ready virtual host, and then restart Apache.

    ```
    $ sudo a2enmod ssl
    $ sudo a2enmod headers
    ```

    Then enable your SSL virtual host with the command below:

    ```
    $ sudo a2ensite default-ssl
    ```

    You also need to enable your ssl-params.conf file so that the values you set are read:

    ```
    $ sudo a2enconf ssl-params
    ```

    The required modules and configuration are now enabled, so check whether there are any syntax errors:

    ```
    $ sudo apache2ctl configtest
    ```

    Output

    ![apacheconfigurationtest](https://grid.media/assets/images/apache2ctl-02132019.png)

    If the output reports that the syntax is OK, there are no errors, so you can restart Apache to apply the changes.

    ```
    $ sudo systemctl restart apache2
    ```

    ## Changing to a Permanent Redirect

    If your redirect works correctly and you want to allow only encrypted traffic, modify the unencrypted Apache virtual host again to make the redirect permanent.

    Open your configuration file once more:

    ```
    $ sudo nano /etc/apache2/sites-available/000-default.conf
    ```

    Find the Redirect line added earlier and add permanent to it:

    ```
    . . .

    Redirect permanent "/" "https://your_domain_or_IP/"

    . . .
    ```

    Next, save and close the file.

    Check your configuration for syntax errors once more:

    ```
    $ sudo apache2ctl configtest
    ```

    Finally, when everything looks fine, restart Apache to make the redirect permanent.

    ```
    $ sudo systemctl restart apache2
    ```

    ## Conclusion

    You have now configured your Apache server to use strong encryption for connections with clients.