Creating a self-signed SSL certificate: Ubuntu

Following is a step-by-step guide to creating a self-signed SSL certificate for apache2 on the Ubuntu linux distribution. Procedures here are sufficiently different from my selfsign.html guide applying to other linux distributions that it warranted a separate document.

Note that this document can be used a couple different ways. If you follow all the steps you'll have a self-signed SSL certificate and (hopefully) a working SSL site. If you'd rather generate a Certificate Authority (CA) which you can use to sign multiple certificates, then you should read this document, my general purpose selfsign.html document, and start with the section at the end of this document: Generating a CA under Ubuntu.

(1) Preliminaries and Packages.

If you have a registered DNS name, be sure that you properly set it up. On the Gnome console: System->Administration->Networking:General. Your host/domain name here should match the one you'll be using in later steps.

Use apt-get (apt-get install apache2), Synaptic or some other tool to get and install apache2. You should also have openssl (most likely already installed).

su to the superuser and make a backup of the original apache configuration file. Call it whatever you want. My practice is to add "_original" to any default configuration file before I make changes and a "_YYYY_MMDD" timestamp to later versions I modify -- whatever works for you. If this is the first time you've ever done this, you may want to take backups at incremental change points.

You should not make a backup of the file in the sites-enabled directory, since both the original and backup will be loaded when you restart apache (I discovered this behavior). Also note that a symlink exists from /etc/apache2/sites-enabled/000-default to /etc/apache2/sites-available/default. Instead, back it up in the sites-available directory or some other location.

sudo su
cd /etc/apache2/sites-available
cp /etc/apache2/sites-available/default default_original

(2) Run the SSL certificate generating script.

The /usr/sbin/apache2-ssl-certificate script lacks the "-days xxx" flag, and creates a certificate that only lasts a month by default. One visitor to this web page suggested that the script accepts standard arguments so you can pass additional flags to it. I've not verified this to be true yet, but I'm almost certain he is correct. For example, to generate a self-signed certificate that lasts one year:

/usr/sbin/apache2-ssl-certificate -days 365

An alternative is to modify the /usr/sbin/apache2-ssl-certificate script itself. If you open this script with an editor, you can see that it's just a thin shell over native openssl commands. Make a back up this script. You'll see a portion in it that looks like this:

export RANDFILE=/dev/random
openssl req $@ -config /usr/share/apache2/ssleay.cnf \
  -new -x509 -nodes -out /etc/apache2/ssl/apache.pem \
  -keyout /etc/apache2/ssl/apache.pem

Change it to this if want your self-signed cert. to last a full year:

export RANDFILE=/dev/random
openssl req $@ -config /usr/share/apache2/ssleay.cnf \
  -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem \
  -keyout /etc/apache2/ssl/apache.pem

Then run the tweaked version, answering the questions as they come. When you're more comfortable working with openssl, you can check out my other doc Creating a self-signed SSL certificate, run the commands natively or modify this script further to suit your tastes.

apache2-ssl-certificate

(3) Enable ssl.

a2enmod ssl

(4) Establish a necessary symlink.

The first command copies the default configuration file for port 80, to use it as a stub configuration file for 443. The second command establishes a symlink from the 'available' ssl file to the 'enabled' file. The symlinking methodology between the two directories (as well as mods-available and mods-enabled) is an arrangement briefly explained in /etc/apache2/README. The general idea is that enabled files exist as symlinks created to their available counterparts.

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl

(5) Set up the document roots.

The default location for HMTL pages with an initial install of Ubuntu is /var/www and there exists no separate place for ssl files. I prefer to serve up basic HTML pages in /var/www/html and SSL pages in /var/www-ssl/html. Whatever works for you. But at this point I create the directories.

cd /var/www
mkdir html
cd /var
mkdir www-ssl
cd www-ssl
mkdir html

(6) Configure virtual hosts.

Here you need to tell the apache configuration file the IP of your box, DNS name (if any) and document roots you just created in the previous step.

To configure HTTP over port 80 (edit /etc/apache2/sites-available/default):

NameVirtualHost *:80

(Note: Look down just a bit and make a change to the virtual host settings.)
<VirtualHost *:80>
ServerName localhost
DocumentRoot /var/www/html
(Note: Use your assigned IP or DNS name followed with ":80" if you have one for ServerName).

Similar procedure for HTTPS over port 443 (edit /etc/apache2/sites-available/ssl):

NameVirtualHost *:443

(Note: Look down just a bit and make a change to the virtual host settings.)
<VirtualHost *:443>
ServerName localhost
DocumentRoot /var/www-ssl/html
(Note: Again, use your assigned IP or a DNS name followed with ":443" if you have one for ServerName.)

(7) Instruct apache2 to listen to 443.

Go to this file /etc/apache2/ports.conf and add the following to it:

Listen 443

I noted with Ubuntu 7.10, the ports.conf may already have an IfModule clause in it for the SSL portion:

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

(8) Turn on the SSL engine.

In the middle of /etc/apache2/sites-available/ssl file, after the commented area which says "# Possible values include: debug, info, notice, warn, error, crit..." add the following:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

(9) Make an /etc/hosts tweak (if need be) -- and restart apache.

When starting and stopping Apache there may be a complaint such as "Could not determine the server's fully qualified domain name, using 127.0.1.1 for ServerName". You may encounter this if you don't have a DNS name for your server, and are just using a dynamic IP. If this applies to you, go into your /etc/hosts file and make the following changes. Basically, we'll be adding "localhost.localdomain" to the 127.0.0.1 IP and whatever system name you chose when you installed Ubuntu (assuming you've not changed it). The final line below should be there if you have a static IP, and corresponding DNS name registered to it. If this is the case, earlier steps that wanted ServerName should have a value which corresponds to the DNS name also indicated here.

127.0.0.1 localhost localhost.localdomain {your system name}
127.0.1.1 {your system name}
{static IP if you you have one} {fully qualified DNS host name if you have one}

It may be that I first noticed additional behavior with Ubuntu 8.04 Hardy Heron. If you don't have a fully qualified domain name (FQDN) for your box, you may need to make an additional tweak. In your /etc/apache2/apache2.conf file, you may want to add the following line at the very end of the file if apache is still complaining about lacking a fully qualified domain name at startup:

ServerName localhost

Restart apache.

cd /etc/init.d
./apache2 restart

Done -- test it out.

Generating a CA under Ubuntu

Skip this section unless you want to roll your own Ubuntu Certificate Authority (CA) using the openssl commands natively. If this is the route you want to take, then you should get familiar with this document and my selfsign.html document.

The gameplan in a nutshell:

Follow steps #1-4 on selfsign.html, then copy the resulting server.key and server.crt files into /etc/apache2/ssl. There may be an apache.pem file sitting there (if at some point in the past you used the "apache2-ssl-certificate" script supplied with Ubuntu to generate a certificate rather than openssl natively). You'll note that this file may have a symlink aimed at it. Apache won't need the apache.pem file or symlink any longer (if they exist).
You'll then do all of the steps in this document, with the following exceptions: you'll skip #2 (you don't need to use the apache ssl generating script) and in step #8 you'll not reference apache.pem (if it exists). Edit your /etc/apache2/sites-available/ssl file and remove any reference to "SSLCertificateFile /etc/apache2/ssl/apache.pem". Instead, add this:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
You'll also need to run the /usr/sbin/a2enmod script if you haven't already done so. Go you /usr/sbin/ and type "a2enmod ssl". If you look at this script, it's simply a general purpose utility to establish a symlink between a module in /etc/apache2/mods-available to /etc/apache2/mods-enabled (or give a message to the effect that a given module doesn't exist or that it's already symlinked for loading).
Restart apache and test it out.

Sources
Ubuntu discussion forum (not quite complete)
Creating a self-signed SSL certificate (command-line openssl procedures)

The views and opinions expressed in this page are strictly those of the page author.
The contents of this page have not been reviewed or approved by the University of Minnesota.

The views and opinions expressed in this page are strictly those of the page author.The contents of this page have not been reviewed or approved by the University of Minnesota.

The views and opinions expressed in this page are strictly those of the page author.
The contents of this page have not been reviewed or approved by the University of Minnesota.