How to install and configure self-signed SSL for Apache on Debian 11

SSL (Secure Sockets Layer) is the original name of the protocol that secures traffic between a web server and a web browser. Its successor, TLS (Transport Layer Security), is what every current browser and server actually speaks, but the name SSL has stuck in tool and module names (OpenSSL, mod_ssl), and this article uses it in that sense. TLS encrypts the data transmitted over the network, preventing eavesdropping and tampering, and it provides authentication: the server proves its identity to the client with a certificate. The client can optionally be asked to prove its identity the same way (client certificates), but most websites only authenticate the server.

To use TLS, you need a certificate and a private key. A certificate is a digital document that binds the identity of the server (its hostnames) to a public key. The private key is the matching secret: during the handshake the server uses it to prove that it holds the key the certificate was issued for, and the handshake then derives fresh symmetric session keys that encrypt the actual traffic. Anyone who obtains the private key can impersonate the server, so it must be readable only by root.

There are two types of certificates: self-signed and signed by a certificate authority (CA). A self-signed certificate is created and signed by the server operator with the server's own key, without any third-party verification. For a CA-signed certificate the server operator generates the key pair and a certificate signing request (CSR), and the CA, after verifying control of the domain, signs and issues the certificate.

A self-signed certificate is easy to create and free, but it has some drawbacks. The main one is that browsers do not trust it, so they display a warning when visiting a site that uses it, and a user who clicks through that warning has no protection against an attacker in the path presenting a different self-signed certificate. The encryption itself is no weaker than with a CA-signed certificate; what a CA-signed certificate adds is a chain of trust to a root the browser already knows, which is what lets the browser verify it reached the right server. Obtaining one requires more steps and may cost money.

In this article, we will show you how to create and use a self-signed certificate for Apache on Debian 11. This is suitable for testing purposes or for internal use, but not for production or public-facing sites.

Prerequisites

Before you begin, you need to have the following:

  • A Debian 11 server with Apache installed and running. You can follow this guide to install Apache on Debian 11.
  • A sudo user or root access to the server.
  • A domain name or an IP address that points to your server.

Step 1: Create a Self-Signed Certificate

We will use OpenSSL to create a self-signed certificate and a private key. OpenSSL is a command-line tool that provides cryptographic functions and utilities.

First, we need to create a directory where we will store our certificate and key files. We will use /etc/ssl/localcerts as an example, but you can choose any location you prefer.

sudo mkdir -p /etc/ssl/localcerts

Next, we will use the openssl req command to generate a self-signed certificate and a private key in one step. The command has several options that we will explain below:

  • -x509: This option tells OpenSSL to output a self-signed X.509 certificate directly instead of a certificate signing request (CSR), which is what openssl req produces by default. X.509 is the certificate format used by TLS.
  • -nodes: This option tells OpenSSL not to encrypt the private key with a passphrase, which would require us to enter it every time we start Apache.
  • -days 365: This option tells OpenSSL how long the certificate should be valid for, in days. We will use 365 days as an example, but you can choose any value you want.
  • -newkey rsa:2048: This option tells OpenSSL to create a new private key using the RSA algorithm with a length of 2048 bits, the smallest RSA size current browsers accept. RSA is the most widely deployed key type for TLS server certificates; the key pair is used to authenticate the server in the handshake, not to encrypt the traffic itself.
  • -keyout /etc/ssl/localcerts/apache.key: This option tells OpenSSL where to save the private key file. We will use /etc/ssl/localcerts/apache.key as an example, but you can choose any name and location you want.
  • -out /etc/ssl/localcerts/apache.crt: This option tells OpenSSL where to save the certificate file. We will use /etc/ssl/localcerts/apache.crt as an example, but you can choose any name and location you want.

The command looks like this:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/localcerts/apache.key -out /etc/ssl/localcerts/apache.crt

After running the command, you will be prompted to enter some information about your server and your organization. You can leave most of them blank, but enter your domain name or IP address as the Common Name (CN). Be aware that current browsers (Chrome, Firefox, Safari) no longer look at the Common Name when checking that a certificate matches the host they connected to: they only check the Subject Alternative Name (SAN) extension, and a certificate without a SAN is reported as not matching even when the CN is correct. The interactive prompts have no field for the SAN, so if you want a certificate that browsers will match against the hostname you have to supply the SAN separately, either with the -addext option of openssl req (available in the OpenSSL 1.1.1 that Debian 11 ships) or through an OpenSSL configuration file. Setting the CN is still worthwhile, because it is what is displayed as the certificate's name.

The prompts look like this:

Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Kirchheim bei München
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:[email protected]

After entering the information, OpenSSL will create the certificate and the key files in the specified locations. You can verify that they are created by listing the directory:

ls -l /etc/ssl/localcerts

You should see something like this:

total 8
-rw-r--r-- 1 root root 1220 Aug  1 10:52 apache.crt
-rw-r--r-- 1 root root 1704 Aug  1 10:52 apache.key

The private key must be readable only by root. Apache reads it as root at startup, before its worker processes drop to the www-data user, so no other account needs access, and any local user who can read the key can impersonate the server. The certificate is public and may stay world-readable. If the key's permissions are looser than owner-only (as in the listing above, where it shows as -rw-r--r--), tighten them:

sudo chmod 600 /etc/ssl/localcerts/apache*
sudo chown root:root /etc/ssl/localcerts/apache*

This sets both files to read and write for the owner only (root) and the ownership to the root user and group. Restricting the certificate as well is harmless, because only Apache, running as root, needs to read it; if another service or a client machine needs to import the certificate, it can be made world-readable again (mode 644) without any security impact.
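The whole of Step 1 in one non-interactive shell function, added here as an example and not taken from the original article: it passes the subject with -subj instead of answering prompts, adds the subjectAltName that browsers match against (a DNS: entry for the name and its www. alias, or an IP: entry when an IPv4 address is given), creates the key under a restrictive umask so it is never world-readable even for an instant, and then reads the SAN back out of the certificate to confirm it is there. The file names apache.key and apache.crt mirror the article; the output directory, validity and the host name are parameters so the function can be tried outside /etc/ssl, and OpenSSL 1.1.1 or newer is assumed (Debian 11 ships 1.1.1, which supports -addext).

```shell
#!/bin/sh
# Added example, not code from the original article.
# Assumes OpenSSL >= 1.1.1 (for -addext). Defaults mirror the article's paths.

# make_selfsigned_cert <hostname-or-ipv4> [outdir] [days]
# Writes <outdir>/apache.key (mode 0600) and <outdir>/apache.crt (mode 0644).
make_selfsigned_cert() {
    name=$1
    outdir=${2:-/etc/ssl/localcerts}
    days=${3:-365}

    # Browsers match the host against the SAN, not the CN, so always emit one.
    # A bare IPv4 address needs an IP: entry; anything else is treated as a
    # hostname and gets DNS: entries for itself and its www. alias.
    case $name in
        *[!0-9.]*) san="DNS:$name,DNS:www.$name" ;;
        *)         san="IP:$name" ;;
    esac

    mkdir -p "$outdir" || return 1

    # umask 077 inside a subshell: the key file is created owner-only, so
    # there is no window between creation and chmod where it is readable.
    (
        umask 077
        openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
            -keyout "$outdir/apache.key" -out "$outdir/apache.crt" \
            -subj "/CN=$name" \
            -addext "subjectAltName=$san"
    ) || return 1

    chmod 600 "$outdir/apache.key"
    chmod 644 "$outdir/apache.crt"      # the certificate is public
    if [ "$(id -u)" -eq 0 ]; then       # only meaningful when run as root
        chown root:root "$outdir/apache.key" "$outdir/apache.crt"
    fi
}

# cert_san <crtfile>: print the SAN line of the certificate,
# e.g. "DNS:example.com, DNS:www.example.com".
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | sed 's/^[[:space:]]*//'
}

# file_mode <path>: print the symbolic mode, e.g. "-rw-------".
file_mode() {
    ls -ld "$1" | cut -c1-10
}
```

Run as root with just the hostname (`make_selfsigned_cert example.com`) to get exactly the paths the article uses; `cert_san /etc/ssl/localcerts/apache.crt` then shows the names the certificate is valid for, which is the first thing to check when a browser reports a mismatch.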

Step 2: Configure Apache to Use the Self-Signed Certificate

Now that we have created the certificate and the key files, we need to configure Apache to use them for SSL communication. We will do this by creating a new virtual host file for our domain or IP address.

First, we need to enable the SSL module for Apache, which provides the necessary functionality for SSL encryption. We can do this by running the following command:

sudo a2enmod ssl

This creates symbolic links in /etc/apache2/mods-enabled/ for both ssl.load (which loads mod_ssl) and ssl.conf (which holds the default TLS settings, including the protocol and cipher defaults), pointing at the files in /etc/apache2/mods-available/, and it also enables socache_shmcb, which mod_ssl depends on for its session cache. Debian's /etc/apache2/ports.conf already contains a Listen 443 directive guarded by an ssl_module check, so no extra Listen line is needed.

Next, we need to create a new virtual host file for our domain or IP address. We will use /etc/apache2/sites-available/example.com.conf as an example, but you can choose any name and location you want.

To create the file, run the following command:

sudo nano /etc/apache2/sites-available/example.com.conf

This will open a text editor where you can enter the following configuration:

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/ssl/localcerts/apache.crt
    SSLCertificateKeyFile /etc/ssl/localcerts/apache.key

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

In this configuration, Apache serves this virtual host on port 443, the default port for HTTPS. ServerName and ServerAlias must match the names the certificate was issued for (its Subject Alternative Name entries, or the Common Name for older clients), because mod_ssl uses ServerName to select the certificate when several TLS virtual hosts share one address (SNI). The document root is /var/www/html, the default location for web files on Debian; you can change this to any location you want.

The most important part of this configuration is the SSL directives. We are enabling the SSL engine and specifying the paths to our certificate and key files. These should match the locations where you saved them in the previous step.

We are also setting up some logging options for error and access logs. You can modify these as you wish.

Save and close the file when you are done.

To enable the new virtual host file, run the following command:

sudo a2ensite example.com.conf

This will create a symbolic link from /etc/apache2/sites-enabled/example.com.conf to /etc/apache2/sites-available/example.com.conf, enabling the site.

Finally, Apache has to pick up the new configuration. A reload is enough for a virtual host change and does not drop connections in flight, but a restart also works. Either way, check the configuration syntax first (apachectl configtest), so that a typo in the new file does not leave Apache stopped. Run the following command:

sudo systemctl restart apache2
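The virtual host from Step 2 with the additions a practitioner would normally make, written here as an added example rather than code from the original article: a port-80 host whose only job is to redirect to HTTPS, the protocol pinned to TLS 1.2 and 1.3 (SSLv3, TLS 1.0 and 1.1 disabled), a forward-secret AEAD-only cipher list for TLS 1.2, per-site log files, and an HSTS header left commented out, because once a browser has seen that header it no longer lets the user click past a certificate warning for the host, which would lock you out of a self-signed site. It assumes mod_ssl is enabled (a2enmod ssl), Debian's stock ports.conf with Listen 80 and Listen 443, and the certificate paths from Step 1; the hostname, output file, document root and certificate directory are parameters so the file can be generated somewhere other than /etc/apache2 for inspection.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Assumes mod_ssl enabled, Debian's default ports.conf, and the article's
# certificate paths unless overridden.

# write_tls_vhost <fqdn> <outfile> [docroot] [certdir]
write_tls_vhost() {
    fqdn=$1
    outfile=$2
    docroot=${3:-/var/www/html}
    certdir=${4:-/etc/ssl/localcerts}

    # ${APACHE_LOG_DIR} is escaped so Apache, not the shell, expands it.
    cat > "$outfile" <<EOF
# Plain-HTTP host: its only job is to send clients to the TLS host.
<VirtualHost *:80>
    ServerName $fqdn
    ServerAlias www.$fqdn
    Redirect permanent / https://$fqdn/
</VirtualHost>

<VirtualHost *:443>
    ServerName $fqdn
    ServerAlias www.$fqdn
    DocumentRoot $docroot

    SSLEngine on
    SSLCertificateFile $certdir/apache.crt
    SSLCertificateKeyFile $certdir/apache.key

    # Only TLS 1.2 and 1.3; SSLv3 / TLS 1.0 / TLS 1.1 are disabled.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # TLS 1.2 suites: ECDHE (forward secrecy) with AEAD ciphers only.
    # TLS 1.3 suites are negotiated separately and need no configuration.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off

    # Do NOT enable HSTS while the certificate is self-signed: a browser that
    # has seen this header refuses to let the user bypass a certificate
    # warning for this host. Enable only once a trusted certificate is in
    # place (needs mod_headers: a2enmod headers).
    # Header always set Strict-Transport-Security "max-age=63072000"

    ErrorLog \${APACHE_LOG_DIR}/$fqdn-error.log
    CustomLog \${APACHE_LOG_DIR}/$fqdn-access.log combined
</VirtualHost>
EOF
}
```

To use it on the server, write the file into sites-available (`write_tls_vhost example.com /etc/apache2/sites-available/example.com.conf`), enable it with a2ensite, run `sudo apachectl configtest`, and only then reload Apache. If the default 000-default.conf is still enabled on port 80 it keeps answering for names this host does not claim, which is fine; the Redirect applies only to requests for example.com and www.example.com.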

Step 3: Test Your Self-Signed Certificate

Now that we have configured Apache to use our self-signed certificate, we can test it by visiting our site in a web browser.

Open your web browser and enter https://example.com in the address bar, replacing example.com with your domain name or IP address.

You should see a warning message from your browser, telling you that your connection is not private or secure. This is because your browser does not trust your self-signed certificate: it is not signed by a CA in the browser's trust store. If the certificate also lacks a Subject Alternative Name matching the hostname, the browser reports a name mismatch as well.

Depending on your browser, you may have different options to proceed. For example, in Chrome, you can click on Advanced and then Proceed to example.com (unsafe). In Firefox, you can click on Advanced and then Accept the Risk and Continue.

You should see your site's content. The traffic is now encrypted, but the browser still cannot vouch for who is on the other end, so it keeps flagging the page after you click through (Chrome shows a "Not secure" label in the address bar, Firefox a padlock with a warning mark). The way to get a clean padlock for internal use is to import apache.crt into the trust store of each client (the operating system's or the browser's), which only works if the certificate carries a SAN matching the name you type in the address bar.

You can also click on the padlock or warning icon to view the certificate details. You should see that the issuer and the subject are identical, which is what self-signed means, and that the certificate is valid for one year from the day you created it.

In this article, we have shown you how to create and use a self-signed certificate for Apache on Debian 11.