Secure Your Apache Websites With SSL Self-Signed Certificates

Like many others I run some websites/web apps at home, which I have published to the outside world so I can reach them from anywhere and on any device. This is easily done with Apache, especially by using virtual hosts and reverse proxying. One thing I found annoying was that I was publishing my sites over plain HTTP. The data isn't mission critical, but I don't like the idea that anyone who manages to capture (some of) the packets can read it, including any passwords sent to the sites. The solution is simple: create or buy a certificate and publish the websites/apps over HTTPS. In my case I wanted a wildcard certificate, because I publish my sites as subdomains, like:

  • site1.mydomain.com
  • site2.mydomain.com

Below you find the steps I used to publish these sites over HTTPS. First make sure you have openssl installed; on most Linux distributions nowadays this is a simple task, e.g. on Debian:

aptitude install openssl

Let's create a directory for the certificates and keys; in my case I created it in root's home directory, so the private keys never sit in a world-readable location.

mkdir /root/ca
cd /root/ca

First, create the private key of our own CA:

openssl genrsa -aes256 -out ca.key 2048

It will ask you for a pass phrase; the key is stored AES-256 encrypted, so whoever copies the file still needs that phrase. Now that we have a key, we create a self-signed root certificate for the CA (explicitly with SHA-256, since older OpenSSL versions default to SHA-1, which browsers no longer accept):

openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt

The request will ask some questions, which are fairly easy to answer. Now that we have a root certificate, we can create the actual certificate for the web server. It looks like the commands above: we create a key and then a certificate signing request (CSR). Use at least 2048 bits for the key; 1024-bit RSA is considered broken and current browsers and OpenSSL versions reject it.

openssl genrsa -aes256 -out wildcard.key 2048
openssl req -new -sha256 -key wildcard.key -out wildcard.csr

It is important that, when asked for the common name, you fill in the exact FQDN of the server; for a wildcard certificate you use *.mydomain.com. Note that a wildcard only covers one label, so *.mydomain.com matches site1.mydomain.com but not mydomain.com itself or a.site1.mydomain.com. Current browsers also ignore the common name entirely and only look at the subjectAltName extension, so for anything newer than this post's era you have to pass the names via an extensions file as well (the -extfile option of openssl x509). The difference with the root certificate is that we only created a request; we still have to sign it with the root CA:

openssl x509 -req -in wildcard.csr -out wildcard.crt -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

It will ask for the pass phrase of the root CA key. Make the keys readable only by their owner (root); the CA key in particular should never leave this directory, because whoever holds it can mint a certificate for any of your sites:

chmod 400 *.key

Now that we have the certificate and key, we can make the Apache configuration. First let's put the server certificate, the CA certificate and the server key in a more appropriate directory (the key has to go along too, because Apache reads it from there; keep the 400 permissions on it):

mkdir /etc/apache2/ssl
cp wildcard.crt ca.crt wildcard.key /etc/apache2/ssl/
chmod 400 /etc/apache2/ssl/wildcard.key

Go to the Apache configuration file and add the following rules.

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/wildcard.crt
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.key
SSLCertificateChainFile /etc/apache2/ssl/ca.crt

Restart Apache and enter the pass phrase for the key; now you should be able to access your websites over HTTPS. Don't forget to open port 443 on your firewall/router! Be aware that an encrypted key means every Apache restart needs someone at the console to type the phrase, so an unattended reboot leaves the sites down until you do; if that is a problem, store the key unencrypted and rely on the file permissions instead. If you don't want the warnings when you visit one of your own sites, add ca.crt (the CA certificate, not the wildcard one) to the trust list of your devices; on Debian that is a copy to /usr/local/share/ca-certificates/ followed by update-ca-certificates, and Firefox keeps its own store, so import it there separately. A complete reverse proxy with SSL offloading could look like this:

<VirtualHost *:443>
    ServerName site1.mydomain.com

    # Enable SSL
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/wildcard.crt
    SSLCertificateKeyFile /etc/apache2/ssl/wildcard.key
    SSLCertificateChainFile /etc/apache2/ssl/ca.crt

    # Enable reverse proxying (ProxyRequests Off is essential: with it on,
    # Apache becomes an open forward proxy for the whole internet)
    ProxyRequests Off
    <Proxy *>
        AuthType Basic
        AuthName "Authentication needed"
        AuthUserFile /etc/apache2/passwd/globalpw
        Require valid-user
        Order Deny,Allow
        Allow from all
    </Proxy>
    ProxyPass / http://192.168.1.1/
    ProxyPassReverse / http://192.168.1.1/
</VirtualHost>

The Order/Allow lines are Apache 2.2 syntax; on Apache 2.4 leave them out, the Require valid-user line alone does the job there. Basic authentication sends the password in the clear inside every request, which is exactly why this block only exists on the :443 virtual host; never expose the same proxy on port 80.

Little note (thanks to Steph): don't forget to edit your ports.conf with the following lines, to make sure your Apache installation is listening on port 443 (HTTPS). On Apache 2.4 the NameVirtualHost line is no longer needed (it is ignored with a warning); Listen 443 is what matters.

NameVirtualHost *:443
Listen 443
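The whole procedure above as one non-interactive script, added here as an example and not part of the original post. It differs from the interactive steps in the points a current browser insists on: SHA-256 signatures, 4096/2048-bit keys, and the wildcard (plus the bare domain) placed in a subjectAltName extension via an extensions file. The CA key is left unencrypted so the script can run unattended; add -aes256 to the first genrsa to get the pass-phrase prompt described above. The output directory, the domain name and the subject fields are assumptions.

```shell
#!/bin/sh
# Added example: private CA + wildcard server certificate with SAN, SHA-256.
# Directory, domain and subject names are illustrative assumptions.

make_wildcard_cert() {
    out="$1"      # output directory, e.g. /root/ca (assumption)
    domain="$2"   # base domain, e.g. mydomain.com -> *.mydomain.com
    mkdir -p "$out" || return 1
    (
        cd "$out" || exit 1

        # CA key and self-signed root certificate, valid 10 years.
        # Unencrypted key so this runs unattended; use -aes256 for a pass phrase.
        openssl genrsa -out ca.key 4096 2>/dev/null || exit 1
        openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt \
            -subj "/O=Home CA/CN=Home Root CA" || exit 1

        # Server key and CSR. The CN still carries the wildcard for old
        # clients, but the name that counts is the SAN added at signing time.
        openssl genrsa -out wildcard.key 2048 2>/dev/null || exit 1
        openssl req -new -sha256 -key wildcard.key -out wildcard.csr \
            -subj "/O=Home/CN=*.$domain" || exit 1

        # Extensions for the leaf certificate: not a CA, server use only,
        # wildcard and bare domain as subjectAltName.
        cat > wildcard.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.$domain,DNS:$domain
EOF

        # Sign the CSR with the CA, attaching the extensions. 825 days is
        # shorter than the CA lifetime and the longest Apple clients accept.
        openssl x509 -req -sha256 -days 825 -in wildcard.csr -out wildcard.crt \
            -CA ca.crt -CAkey ca.key -CAcreateserial \
            -extfile wildcard.ext 2>/dev/null || exit 1

        chmod 400 ca.key wildcard.key
    )
}

# Verify the result the way a client would: the chain validates against the
# CA, the signature is SHA-256 and the wildcard is present as a SAN.
check_wildcard_cert() {
    out="$1"; domain="$2"
    openssl verify -CAfile "$out/ca.crt" "$out/wildcard.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$out/wildcard.crt" -noout -text) || return 1
    echo "$text" | grep -q 'sha256WithRSAEncryption' || return 1
    echo "$text" | grep -q "DNS:\*\.$domain" || return 1
}

# Usage (paths are assumptions):
# make_wildcard_cert /root/ca mydomain.com && check_wildcard_cert /root/ca mydomain.com
```

After running it, wildcard.crt and wildcard.key go into /etc/apache2/ssl/ exactly as in the Apache configuration above, and ca.crt is the file to import into the trust store of your devices. Because the CA key is unencrypted here, the chmod 400 at the end is the only thing protecting it; keep the directory on the machine that signs certificates and nowhere else.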

Rob Maas
Technical Challanger at ON2IT

If it is broken, fix it! If it ain’t broken, make it better!
