How to Create a Self-signed SSL Certificate on Ubuntu Print

  • 46

An SSL certificate is an electronic ‘document’ that is used to bind together a public security key and a website’s identity information (such as name, location, etc.) by means of a digital signature. The ‘document’ is issued by a certificate provider such as GlobalSign, Verisign, GoDaddy, Comodo, Thawte, and others.

In this article we’re going to be covering how to create a self-signed SSL certificate and assign it to a domain in Apache. Self-signed SSL certificates add security to a domain for testing purposes, but are not verifiable by a third-party certificate provider. Thus, they can result in web browser warnings.

Step #1: View Loaded Apache Modules, Load SSL if Necessary

First let’s view whether Apache 2 already has the SSL module loaded.

apache2ctl -M | grep ssl

The module is already loaded if the result of the above command is:

ssl_module (shared)

Otherwise, we need to load the SSL module:

a2enmod ssl

The output of that command should look similar to:

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart

And now we’ll restart Apache:

service apache2 restart

Step #2: Setup the Environment, and Create the Self-signed SSL Certificate

Make a directory to store the certificate and the server key:

mkdir /etc/apache2/ssl

Generate the SSL via OpenSSL with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

The above command will generate a <reference_page_text>2048 -bit private key and corresponding CSR that remains valid for <reference_page_text>365 days, and place those files into the new directory. The output of the above command will result in the following, of which you’ll need to answer a few questions:

Generating a 2048 bit RSA private key
writing new private key to '/etc/apache2/ssl/apache.key'
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Michigan
Locality Name (eg, city) []: Lansing
Organization Name (eg, company) [Internet Widgits Pty Ltd]: XWEB
Organizational Unit Name (eg, section) []: KB
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Tip: It is very important that the <reference_page_text>Common Name be set appropriately. Enter your fully qualified domain name (FQDN) here or, if you don’t have an FQDN, then your site’s IP address.

Step #3: Add the Self-signed SSL Certificate to Apache

Now that the private key and associated CSR have been generated, we need to edit the SSL configuration file for Apache:

vim /etc/apache2/sites-available/default-ssl.conf

Find the section:

VirtualHost _default_:443

Then, find:

ServerAdmin webmaster@localhost

And add the following Virtual Host configuration on the next line:


Be sure to replace with your fully qualified domain name or server IP address for your Virtual Host. Keep in mind, that the domain should be the same as the <reference_page_text>Common Name specified in the previous step.

Verify that the following variables are set appropriately in the same file:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

Then exit and save the file with the command <reference_page_text>:wq .

Step #4: Activate the Virtual Host

Activate the virtual host with the command:

a2ensite default-ssl

Then restart Apache once more:

service apache2 restart

In this tutorial my test domain was, so I can now visit to test the SSL certificate setup. Use https://yourdomain to test your new self-signed SSL certificate!

Was this answer helpful?

« Back