Secure HTTP (SSL/TLS) has become a must if you are planning to setup a website which includes user authentication (ie. login box) or sensitive data. HTTPS prevents the sensitive data from being transfered across the network in clear text where it is susceptible to being sniffed or altered. Here is the tutorial on how to setup a secure HTTP on Apache web server in Ubuntu 10.04 (Lucid Lynx).
What do you need?
- apache2 (Web Server)
- openssl
- A bit patient, because it will take some time to learn
Step 1: Create a self-signed certificate
You need to create a self-signed certificate with openssl. To do that you will need to generate the server key.
openssl genrsa -des3 -out server-sec.key 4096
…and certificate signing request (CSR)
openssl req -new -key server-sec.key -out server.csr
After that, generate the server certificate by signing it with the server key.
openssl x509 -req -days 365 -in server.csr -signkey server-sec.key -out server.crt
Keep the server-sec.key in a secure location, with read/write permission assigned only to root. Then generate a password-less copy of the key for Apache use.
openssl rsa -in server-sec.key -out server.key
By this time, you should have :
- server.key (passwordless key for Apache)
- server.csr (certificate signing request)
- server.crt (certificate)
- server-sec.key (server key)
Step 2: Enable SSL config in Apache
In this step, you must enable SSL website in Apache by creating a symlink of ‘default-ssl’.
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
Then edit /etc/apache2/sites-available/default-ssl file using your favorite text editors (I prefer nano!) and change the config from something this:
<Virtualhost *:443>
ServerAdmin webmaster@localhost
ServerName localhost
DocumentRoot /var/www-ssl/html/
…
…
Then, in the same default-ssl file, find a line that begins with “SSLEngine on” and add the following lines.
SSLEngine on
..
..
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/certs/ssl-cert-snakeoil.key
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
Step 3: Final step, Copying certificates and activating SSL
Ensure that the config file has been saved. Then as root, create /etc/apache2/ssl/ directory, then copy the certificate and server key generated from Step 1 to /etc/apache2/ssl/ directory.
mkdir /etc/apache2/ssl
cp server.key /etc/apache2/ssl
cp server.crt /etc/apache2/ssl
After that, enable SSL module by typing
a2enmod ssl
Finally, restart apache2 by typing (as root, sudo) :
/etc/init.d/apache2 restart
Result: A secure HTTP connection
If everything works out fine, you will see this screen.
And this,
Please drop in your comment for suggestions and improvements.
Thank you for the good instructions!
Just wonder.. Why are we using des3 in the key gen? I used aes256.
Did you just use des3 for a reason?
gracias, funcionando en ubuntu 12.04!
Thank you a lot!!! It works ‘from the box’ perfectly on Ubuntu 9.10!!! :)