How to Generate a Self-Signed Certificate for Apache

Securing your Apache web server with a self-signed certificate is an excellent way to encrypt data in transit for testing, development, or internal environments. This guide provides a straightforward, step-by-step walkthrough on how to use OpenSSL to create a self-signed SSL/TLS certificate, configure the Apache web server to use it, and restart the service to apply the changes.

Step 1: Install OpenSSL and Apache mod_ssl

Before generating any certificates, you need to ensure that OpenSSL and the Apache SSL module are installed on your system.

For Ubuntu/Debian systems (mod_ssl ships inside the apache2 package, so there is no separate module package to install):

sudo apt update
sudo apt install openssl apache2

For RHEL/CentOS/Fedora systems:

sudo dnf install openssl httpd mod_ssl

Step 2: Generate the Self-Signed Certificate

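You can generate the private key and the self-signed certificate with a single OpenSSL command. This command creates a 2048-bit RSA key and a certificate valid for 365 days. The -nodes option leaves the private key unencrypted so that Apache can start without a passphrase prompt, which makes the key file's permissions its only protection. On RHEL/CentOS/Fedora, the /etc/ssl/private directory does not exist by default; create it with root-only permissions before running the command.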

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

During this process, you will be prompted for information about your organization. The most critical field is the Common Name (e.g., server FQDN or YOUR name). Enter your server’s IP address or domain name here (for example, localhost or 192.168.1.10).

Step 3: Configure Apache to Use the SSL Certificate

Next, you must point your Apache configuration to the newly created certificate and key files.

On Ubuntu/Debian:

Open the default SSL virtual host configuration file:

sudo nano /etc/apache2/sites-available/default-ssl.conf

Modify or add the ServerName directive and update the paths to match your files:

ServerName localhost

SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

On RHEL/CentOS/Fedora:

Open the SSL configuration file:

sudo nano /etc/httpd/conf.d/ssl.conf

Find the lines for SSLCertificateFile and SSLCertificateKeyFile and update them:

SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

Step 4: Enable the Configuration and Restart Apache

For the changes to take effect, you need to enable the SSL module/site (if using Debian/Ubuntu) and restart the Apache service.

On Ubuntu/Debian:

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo systemctl restart apache2

On RHEL/CentOS/Fedora:

sudo systemctl restart httpd

Step 5: Test Your Server

Open your web browser and navigate to your server using https:// followed by your IP address or domain name. Because this is a self-signed certificate and not signed by a recognized Certificate Authority (CA), your browser will display a security warning. On a test server whose certificate you generated yourself, you can proceed past this warning to verify that your data is now being encrypted over port 443.
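
An added example (not part of the original guide): Step 2's command sets only the Common Name, while current browsers and many TLS clients match the host against subjectAltName, so this script generates the certificate with a SAN and then checks key/certificate match, SAN coverage, key file permissions and remaining validity. The function names, the temporary directory and the sample host names are assumptions, and it needs OpenSSL 1.1.1 or later for -addext and -ext.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names and paths are
# hypothetical. Requires OpenSSL 1.1.1 or later (-addext, -ext).

# make_selfsigned DIR CN SAN: Step 2's command plus a subjectAltName.
make_selfsigned() (
    umask 077                       # key file is created owner-only
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" -addext "subjectAltName=$3" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
)

# audit_cert KEY CRT HOST: prints one line per failed check and
# returns the number of failures (0 means ready for Apache).
audit_cert() {
    fails=0
    # 1. The key must match the certificate: compare the public keys.
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    { [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; } ||
        { echo "FAIL: key does not match certificate"; fails=$((fails+1)); }
    # 2. HOST must appear in subjectAltName as a DNS name or IP address.
    openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -Fxq -e "DNS:$3" -e "IP Address:$3" ||
        { echo "FAIL: $3 not in subjectAltName"; fails=$((fails+1)); }
    # 3. The unencrypted key (-nodes) must not be group/world accessible.
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: key accessible by group/other"; fails=$((fails+1)); }
    # 4. The certificate must stay valid for at least 30 more days.
    openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: expires within 30 days"; fails=$((fails+1)); }
    return "$fails"
}

# Demo in a throwaway directory (constructed values, nothing under /etc).
demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" localhost "DNS:localhost,IP:127.0.0.1" &&
        audit_cert "$d/server.key" "$d/server.crt" localhost
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo && echo "certificate passes all checks"
```

To check the files from Step 2, run audit_cert as root against /etc/ssl/private/apache-selfsigned.key and /etc/ssl/certs/apache-selfsigned.crt with the name you will type into the browser, before restarting Apache in Step 4.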