Step 0: Install openssl using apt-get
Step 1: Generate a Private Key (2048-bit RSA; 1024-bit keys are too short by current standards) -
openssl genrsa -des3 -out server.key 2048
Step 2: Generate a CSR (Certificate Signing Request) -
openssl req -new -key server.key -out server.csr
When asked for the Common Name, make sure to enter either the public IP or the fully qualified domain name (sub.domain.com).
Step 3: Remove Passphrase from Key -
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Step 4: Generating a Self-Signed Certificate -
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Step 5: Copy the server.crt and server.key files into position -
mkdir -p /etc/apache2/ssl
cp server.key /etc/apache2/ssl/
cp server.crt /etc/apache2/ssl/
Step 6: Enable ssl -
a2enmod ssl
Step 7: Create a stub SSL conf. file (if needed) and establish a necessary symlink -
7.1 – If using an Ubuntu prior to ~10.04:
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-ssl
Then symlink to sites-enabled:
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
Step 8: Set up the SSL document root -
cd /var
mkdir www-ssl
Step 9: Configure virtual hosts -
sudo su
cd /etc/apache2/sites-available
cp /etc/apache2/sites-available/default default_original
(Note: If using Ubuntu 10.04+ you may want to back up the original SSL conf also):
cp /etc/apache2/sites-available/default-ssl default-ssl_original
Now you need to declare the IP of your box (or FQDN/DNS name) and the document roots you created in a previous step.
To configure HTTP over port 80 (edit /etc/apache2/sites-available/default) and add/replace (replace):
ServerName {Your IP or FQDN}:80
To configure HTTP over port 443 (edit /etc/apache2/sites-available/default) and add/replace (replace):
ServerName {Your IP or FQDN}:443
Step 10: Make sure Apache listens on 443 -
Edit /etc/apache2/ports.conf and verify the following exists (or add it):
Listen 443
Step 11: Make sure the SSL engine is on -
Edit /etc/apache2/ports.conf and verify the following exist (or add them):
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
Step 12: Restart Apache -
Verify your changes are valid:
apache2ctl configtest
Restart Apache:
apache2ctl restart
Done. You can browse to: https://yourdomain.com.
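A pre-flight check that can be run before the restart in Step 12, given here as an added example and not part of the original steps. The function names preflight_ssl, directive_arg and fail are hypothetical, and it assumes unquoted file paths in the directives; pass it ports.conf together with whichever file carries the SSLEngine lines.

```sh
#!/bin/sh
# Added example: pre-flight check of the files touched in Steps 3, 5, 10 and 11.
# Usage: preflight_ssl CONF_FILE...  (ports.conf plus the file holding SSLEngine)
# Prints one line per problem; returns 0 only when none were found.

# Print the first argument of directive $1 found in the config text on stdin.
# Commented-out lines never match, because their first field starts with "#".
directive_arg() {
    awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }'
}

fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

preflight_ssl() {
    conf=$(cat "$@") || return 2
    problems=0

    # Step 10: Apache must listen on 443 ("Listen addr:443" is accepted too).
    printf '%s\n' "$conf" |
        grep -Eiq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?443([[:space:]]|$)' ||
        fail "no 'Listen 443' directive"

    # Step 11: SSLEngine on, and both certificate directives point at real files.
    engine=$(printf '%s\n' "$conf" | directive_arg SSLEngine)
    case "$engine" in [Oo][Nn]) ;; *) fail "SSLEngine is not on" ;; esac
    crt=$(printf '%s\n' "$conf" | directive_arg SSLCertificateFile)
    key=$(printf '%s\n' "$conf" | directive_arg SSLCertificateKeyFile)
    [ -f "$crt" ] || fail "certificate file missing: ${crt:-<not set>}"

    if [ ! -f "$key" ]; then
        fail "key file missing: ${key:-<not set>}"
    else
        # Step 3: a key that still carries a passphrase makes Apache prompt at start.
        if grep -q 'ENCRYPTED' "$key"; then
            fail "key is still passphrase-protected: $key"
        fi
        # Without a passphrase, file permissions are the key's only protection.
        perms=$(ls -ld "$key" | cut -c5-10)
        [ "$perms" = "------" ] || fail "key accessible beyond its owner ($perms): chmod 600 $key"
    fi

    [ "$problems" -eq 0 ]
}
```

The function reports every problem it finds in one pass, so a world-readable key and a missing Listen line show up together.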