Tutorial

How To Create a SSL Certificate on Apache for Debian 8

Published on June 19, 2015
How To Create a SSL Certificate on Apache for Debian 8
Not using Debian 8?Choose a different version or distribution.
Debian 8

Introduction

This tutorial walks you through the setup and configuration of an Apache server secured with an SSL certificate. By the end of the tutorial, you will have a server accessible via HTTPS.

SSL is based on the mathematical intractability of resolving a large integer into its also-large prime factors. Using this, we can encrypt information using a private-public key pair. Certificate authorities can issue SSL certificates that verify the authenticity of such a secured connection, and on the same note, a self-signed certificate can be produced without third-party support.

In this tutorial, we will generate a self-signed certificate, make the necessary configurations, and test the results. Self-signed certificates are great for testing, but will result in browser errors for your users, so they’re not recommended for production.

If you’d like to obtain a paid certificate instead, please see this tutorial.

Prerequisites

To follow this tutorial, you will need:

  • One fresh Debian 8 Droplet
  • A sudo non-root user, which you can set up by following Steps 2 and 3 of this tutorial
  • OpenSSL installed and updated (should be installed by default)
  1. sudo apt-get update
  2. sudo apt-get upgrade openssl

You may want a second computer with OpenSSL installed, for testing purposes:

  • Another Linux Droplet
  • Or, a Unix-based local system (Mac, Ubuntu, Debian, etc.)

Step 1 — Install Apache

In this step, we will use a built-in package installer called apt-get. It simplifies package management drastically and facilitates a clean installation.

In the link specified in the prerequisites, you should have updated apt-get and installed the sudo package, as unlike other Linux distributions, Debian 8 does not come with sudo installed.

Apache will be our HTTPS server. To install it, run the following:

  1. sudo apt-get install apache2

Step 2 — Enable the SSL Module

In this section, we will enable SSL on our server.

First, enable the Apache SSL module.

  1. sudo a2enmod ssl

The default Apache website comes with a useful template for enabling SSL, so we will activate the default website now.

  1. sudo a2ensite default-ssl

Restart Apache to put these changes into effect.

  1. sudo service apache2 reload

Step 3 — Create a Self-Signed SSL Certificate

First, let’s create a new directory where we can store the private key and certificate.

  1. sudo mkdir /etc/apache2/ssl

Next, we will request a new certificate and sign it.

First, generate a new certificate and a private key to protect it.

  • The days flag specifies how long the certificate should remain valid. With this example, the certificate will last for one year
  • The keyout flag specifies the path to our generated key
  • The out flag specifies the path to our generated certificate
  1. sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Invoking this command will result in a series of prompts.

  • Common Name: Specify your server’s IP address or hostname. This field matters, since your certificate needs to match the domain (or IP address) for your website
  • Fill out all other fields at your own discretion.

Example answers are shown in red below.

Interactive
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ——- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New York Locality Name (eg, city) []:NYC Organization Name (eg, company) [Internet Widgits Pty Ltd]:DigitalOcean Organizational Unit Name (eg, section) []:SSL Certificate Test Common Name (e.g. server FQDN or YOUR name) []:example.com Email Address []:test@example.com

Set the file permissions to protect your private key and certificate.

  1. sudo chmod 600 /etc/apache2/ssl/*

For more information on the three-digit permissions code, see the tutorial on Linux permissions.

Your certificate and the private key that protects it are now ready for Apache to use.

Step 4 — Configure Apache to Use SSL

In this section, we will configure the default Apache virtual host to use the SSL key and certificate. After making this change, our server will begin serving HTTPS instead of HTTP requests for the default site.

Open the server configuration file using nano or your favorite text editor.

  1. sudo nano /etc/apache2/sites-enabled/default-ssl.conf

Locate the section that begins with <VirtualHost _default_:443> and make the following changes.

  • Add a line with your server name directy below the ServerAdmin email line. This can be your domain name or IP address:
/etc/apache2/sites-enabled/default
ServerAdmin webmaster@localhost
ServerName example.com:443
  • Find the following two lines, and update the paths to match the locations of the certificate and key we generated earlier. If you purchased a certificate or generated your certificate elsewhere, make sure the paths here match the actual locations of your certificate and key:
/etc/apache2/sites-enabled/default
 SSLCertificateFile /etc/apache2/ssl/apache.crt
 SSLCertificateKeyFile /etc/apache2/ssl/apache.key

Once these changes have been made, check that your virtual host configuration file matches the following.

/etc/apache2/sites-enabled/default-ssl
<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost
		ServerName example.com:443
		DocumentRoot /var/www/html
		
		. . .
		SSLEngine on
		
		. . .
		
		SSLCertificateFile /etc/apache2/ssl/apache.crt
		SSLCertificateKeyFile /etc/apache2/ssl/apache.key

Save and exit the file.

Restart Apache to apply the changes.

  1. sudo service apache2 reload

To learn more about configuring Apache virtual hosts in general, see this article.

Step 5 — Test Apache with SSL

In this section, we will test your SSL connection from the command line.

You can run this test from either (1) your local Unix-based system, (2) another Droplet, or (3) the same Droplet. If you run it from an external system you’ll confirm that your site is reachable over the public Internet.

Open a connection via the HTTPS 443 port.

  1. openssl s_client -connect your_server_ip:443

Scroll to the middle of the output (after the key), and you should find the following:

Output
—- SSL handshake has read 3999 bytes and written 444 bytes —- . . . SSL-Session: . . .

Of course, the numbers are variable, but this is success. Congratulations!

Press CTRL+C to exit.

You can also visit your site in a web browser, using HTTPS in the URL (https://example.com). Your browser will warn you that the certificate is self-signed. You should be able to view the certificate and confirm that the details match what you entered in Step 3.

Conclusion

This concludes our tutorial, leaving you with a working Apache server, configured securely with an SSL certificate. For more information on working with OpenSSL, see the OpenSSL Essentials article.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors
Default avatar
Alvin Wan

author

AI PhD Student @ UC Berkeley

I’m a diglot by definition, lactose intolerant by birth but an ice-cream lover at heart. Call me wabbly, witling, whatever you will, but I go by Alvin



Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
5 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Great starter tutorial, but possibly a bit misleading. Cypher on a default install of Debian may or may not be secure. The article should really show how to update those as well, and offer a default set for the users.

Strong Ciphers: https://cipherli.st

Test your SSL cert: https://www.ssllabs.com/ssltest/index.html

Can you guys please make an updated version as Chrome gives an error of “self signed certificates”. Thanks.

It tells me that it is an insecure SSL connection, anything I can do against?

Chrome in its latest versions show this error This server could not prove that it is dev.net; its security certificate is from [missing_subjectAltName] Can you please update this method? Thank you very much, i’m using this for a VM debian

The Guide from BetterCrypto is sexy too for strong Encryption

https://bettercrypto.org/

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.