Secure your Apache websites with SSL (self-signed certificates)

Like many others I’m running some websites/webapps at home, which I publish to the outside world so I can reach them anywhere and on any device. This is easily done with Apache, especially using virtual hosts and reverse proxying. One thing I found annoying was that I was publishing my sites over plain HTTP. While it isn’t mission-critical data, I just don’t like the idea that it can be read by anyone who manages to capture (some of) the packets.

The solution is simple: create or buy a certificate and publish the websites/apps over HTTPS. In my case I wanted to create a wildcard certificate, because I publish my sites as subdomains, like:

    • site1.mydomain.com
    • site2.mydomain.com

Below you find the steps I took to publish these sites over HTTPS.
First make sure you have OpenSSL installed; on most Linux distributions this is a simple task nowadays, e.g. on Debian:

aptitude install openssl

Let’s create a directory for the certificates; in my case I created it under /root.

mkdir /root/ca
cd /root/ca

First create a private key for the CA:

openssl genrsa -aes256 -out ca.key 2048

It will ask you for a pass phrase.

Now that we have a key, we create a root certificate for the CA:

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

The request will ask some questions, which are fairly easy to answer.

Now that we have a root certificate, we can create the actual certificate for the web server. This looks like the commands above: we create a key and then a certificate request.

openssl genrsa -aes256 -out wildcard.key 2048
openssl req -new -key wildcard.key -out wildcard.csr

It is important that when asked for the common name, you fill in the exact FQDN of the server; in case of a wildcard certificate, you can use *.mydomain.com.

The difference from the root certificate is that we only created a request; we still have to sign it with the root certificate:

openssl x509 -req -in wildcard.csr -out wildcard.crt -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

It will ask for the pass phrase of the root CA key.

It is a good idea to make the keys readable only by their owner (root):

chmod 400 *.key
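The whole chain above (private CA, wildcard key and CSR, CA-signed certificate) as one non-interactive script, followed by a check that the result actually chains to the CA and covers the hostnames. This is an added example, not part of the original post: it assumes openssl is on PATH, uses the post’s placeholder domain mydomain.com, writes the keys without a pass phrase (unlike the -aes256 commands above, so Apache can restart unattended), and adds a subjectAltName because current browsers ignore the CN.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a private CA and a
# CA-signed wildcard certificate non-interactively, then verifies the chain.
# Assumptions: openssl in PATH; "mydomain.com" is the post's placeholder.
set -eu

make_ca_and_wildcard() {
  dir="$1"; domain="$2"
  mkdir -p "$dir"
  # 1. CA key and self-signed root certificate (10 years, 2048-bit RSA, SHA-256)
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -sha256 -key "$dir/ca.key" \
    -subj "/CN=Home CA" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key and CSR; the CN is the wildcard, as in the post
  openssl genrsa -out "$dir/wildcard.key" 2048 2>/dev/null
  openssl req -new -key "$dir/wildcard.key" -subj "/CN=*.$domain" \
    -out "$dir/wildcard.csr" 2>/dev/null
  # 3. Sign the CSR with the CA. Browsers match hostnames against the SAN,
  #    not the CN, so the wildcard is repeated there.
  printf 'subjectAltName=DNS:*.%s\n' "$domain" > "$dir/san.ext"
  openssl x509 -req -in "$dir/wildcard.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 3650 -sha256 \
    -extfile "$dir/san.ext" -out "$dir/wildcard.crt" 2>/dev/null
  # Keys readable by the owner only, as the post recommends
  chmod 400 "$dir"/*.key
}

# Returns 0 when wildcard.crt chains to ca.crt AND is valid for $host.
# A wildcard covers exactly one label: site1.mydomain.com matches,
# deep.site1.mydomain.com does not.
verify_wildcard() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/wildcard.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/wildcard.crt" -noout -checkhost "$host" | grep -q 'does match'
}
```

Run it as `make_ca_and_wildcard /root/ca mydomain.com && verify_wildcard /root/ca site1.mydomain.com` before copying the files into the Apache directory.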

Now that we have the key and certificates, we can make the Apache configuration.

First let’s put the certificates and the server key in a more appropriate directory (Apache needs wildcard.key as well as the .crt files):

mkdir /etc/apache2/ssl
cp *.crt *.key /etc/apache2/ssl/

Go to the Apache configuration file of the HTTPS virtual host and add the following directives:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/wildcard.crt
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.key
SSLCertificateChainFile /etc/apache2/ssl/ca.crt

Restart Apache and enter the pass phrase for the key; now you should be able to access your websites over HTTPS. Don’t forget to open port 443 as well, wherever you allowed port 80!

If you don’t want the browser warnings when you visit one of your own sites, you can add the CA certificate (ca.crt) to your browser’s trust list.

A complete reverse proxy with SSL offloading could look like this:

<VirtualHost *:443>
    ServerName site1.mydomain.com

    # Enable SSL
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/wildcard.crt
    SSLCertificateKeyFile /etc/apache2/ssl/wildcard.key
    SSLCertificateChainFile /etc/apache2/ssl/ca.crt

    # Enable reverse proxying (ProxyRequests Off: never act as an open forward proxy)
    ProxyRequests Off

    <Proxy *>
        AuthType Basic
        AuthName "Authentication needed"
        AuthUserFile /etc/apache2/passwd/globalpw
        Require valid-user

        Order Deny,Allow
        Allow from all
    </Proxy>

    ProxyPass / http://192.168.1.1/
    ProxyPassReverse / http://192.168.1.1/
</VirtualHost>

Little note (thanks to Steph):

Don’t forget to edit your ports.conf with the following lines, to make sure your Apache installation is listening on port 443 (HTTPS):

NameVirtualHost *:443
Listen 443


6 thoughts on “Secure your Apache websites with SSL (self-signed certificates)”

    • Correct, or use the star sign to create a wildcard.

      The browsers will always generate a warning, because the certificates are self-signed; to bypass this, add the root certificate to the trusted list.

  1. Hey Rob,

    An official thanks, since your article helped me fixing this for my sites :). You should however add the ports.conf part to your manual:
    NameVirtualHost *:443
    Listen 443

    (and for everyone fighting with apache: don’t reload but restart 😉 )

  2. Steph:

    Hey Rob,

    An official thanks, since your article helped me fixing this for my sites :) . You should however add the ports.conf part to your manual:
    NameVirtualHost *:443
    Listen 443

    (and for everyone fighting with apache: don’t reload but restart ;) )

    Thank you, it is added.
