TLS, or transport layer security, and its predecessor SSL, which stands for secure sockets layer, are web protocols used to wrap normal traffic in a protected, encrypted wrapper.
Using this technology, servers can send traffic safely between the server and clients without the possibility of the messages being intercepted by outside parties. The certificate system also assists users in verifying the identity of the sites that they are connecting with.
In this guide, you will learn how to set up a self-signed SSL certificate for use with an Apache web server on an Ubuntu 16.04 server.
Note: A self-signed certificate will encrypt communication between your server and any clients. However, because it is not signed by any of the trusted certificate authorities included with web browsers and operating systems, users cannot use the certificate to validate the identity of your server automatically. As a result, your users will see a security error when visiting your site.
Because of this limitation, self-signed certificates are not appropriate for a production environment serving the public. They are typically used for testing, or for securing non-critical services used by a single user or a small group of users that can establish trust in the certificate’s validity through alternate communication channels.
For a more production-ready certificate solution, check out Let’s Encrypt, a free certificate authority. You can learn how to download and configure a Let’s Encrypt certificate in our How To Secure Apache with Let’s Encrypt on Ubuntu 16.04 tutorial.
Before starting this tutorial, you’ll need the following:
Access to a Ubuntu 16.04 server with a non-root, sudo-enabled user. Our Initial Server Setup with Ubuntu 16.04 guide can show you how to create this account.
You will also need to have Apache installed. You can install Apache using
apt. First, update the local package index to reflect the latest upstream changes:
- sudo apt update
Then, install the
- sudo apt install apache2
And finally, if you have a
ufw firewall set up, open up the
- sudo ufw allow "Apache Full"
After these steps are complete, be sure you are logged in as your non-root user and continue with the tutorial.
Before we can use any SSL certificates, we first have to enable
mod_ssl, an Apache module that provides support for SSL encryption.
mod_ssl with the
- sudo a2enmod ssl
Restart Apache to activate the module:
- sudo systemctl restart apache2
mod_ssl module is now enabled and ready for use.
Now that Apache is ready to use encryption, we can move on to generating a new SSL certificate. The certificate will store some basic information about your site, and will be accompanied by a key file that allows the server to securely handle encrypted data.
We can create the SSL key and certificate files with the
- sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
After you enter the command, you will be taken to a prompt where you can enter information about your website. Before we go over that, let’s take a look at what is happening in the command we are issuing:
rsa:2048portion tells it to make an RSA key that is 2048 bits long.
As we stated above, these options will create both a key file and a certificate. We will be asked a few questions about our server in order to embed the information correctly in the certificate.
Fill out the prompts appropriately. The most important line is the one that requests the
Common Name. You need to enter either the hostname you’ll use to access the server by, or the public IP of the server. It’s important that this field matches whatever you’ll put into your browser’s address bar to access the site, as a mismatch will cause more security errors.
The entirety of the prompts will look something like this:
Country Name (2 letter code) [XX]:US State or Province Name (full name) :Example Locality Name (eg, city) [Default City]:Example Organization Name (eg, company) [Default Company Ltd]:Example Inc Organizational Unit Name (eg, section) :Example Dept Common Name (eg, your name or your server's hostname) :your_domain_or_ip Email Address :email@example.com
Both of the files you created will be placed in the appropriate subdirectories of the
Now that we have our self-signed certificate and key available, we need to update our Apache configuration to use them. On Ubuntu, you can place new Apache configuration files (they must end in
/etc/apache2/sites-available/and they will be loaded the next time the Apache process is reloaded or restarted.
For this tutorial we will create a new minimal configuration file. (If you already have an Apache
<Virtualhost> set up and just need to add SSL to it, you will likely need to copy over the configuration lines that start with
SSL, and switch the
VirtualHost port from
443. We will take care of port
80 in the next step.)
Open a new file in the /etc/apache2/sites-available directory:
- sudo nano /etc/apache2/sites-available/your_domain_or_ip.conf
Paste in the following minimal VirtualHost configuration:
<VirtualHost *:443> ServerName your_domain_or_ip DocumentRoot /var/www/your_domain_or_ip SSLEngine on SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key </VirtualHost>
Be sure to update the
ServerName line to however you intend to address your server. This can be a hostname, full domain name, or an IP address. Make sure whatever you choose matches the
Common Name you chose when making the certificate.
The remaining lines specify a
DocumentRoot directory to serve files from, and the SSL options needed to point Apache to our newly-created certificate and key.
Now let’s create our
DocumentRoot and put an HTML file in it just for testing purposes:
- sudo mkdir /var/www/your_domain_or_ip
Open a new
index.html file with your text editor:
- sudo nano /var/www/your_domain_or_ip/index.html
Paste the following into the blank file:
This is not a full HTML file, of course, but browsers are lenient and it will be enough to verify our configuration.
Save and close the file
Next, we need to enable the configuration file with the
- sudo a2ensite your_domain_or_ip.conf
It will prompt you to restart Apache to activate the configuration, but first, let’s test for configuration errors:
- sudo apache2ctl configtest
If everything is successful, you will get a result that looks like this:
OutputAH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message Syntax OK
The first line is a message telling you that the
ServerName directive is not set globally. If you want to get rid of that message, you can set
ServerName to your server’s domain name or IP address in
/etc/apache2/apache2.conf. This is optional as the message will do no harm.
If your output has
Syntax OK in it, your configuration file has no syntax errors. We can safely reload Apache to implement our changes:
- sudo systemctl reload apache2
Now load your site in a browser, being sure to use
https:// at the beginning.
You should see an error. This is normal for a self-signed certificate! The browser is warning you that it can’t verify the identity of the server, because our certificate is not signed by any of its known certificate authorities. For testing purposes and personal use this can be fine. You should be able to click through to advanced or more information and choose to proceed.
After you do so, your browser will load the
it worked! message.
Note: if your browser doesn’t connect at all to the server, make sure your connection isn’t being blocked by a firewall. If you are using
ufw, the following commands will open ports
- sudo ufw allow "Apache Full"
Next we will add another
VirtualHost section to our configuration to serve plain HTTP requests and redirect them to HTTPS.
Currently, our configuration will only respond to HTTPS requests on port
443. It is good practice to also respond on port
80, even if you want to force all traffic to be encrypted. Let’s set up a
VirtualHost to respond to these unencrypted requests and redirect them to HTTPS.
Open the same Apache configuration file we started in previous steps:
- sudo nano /etc/apache2/sites-available/your_domain_or_ip.conf
At the bottom, create another
VirtualHost block to match requests on port
80. Use the
ServerName directive to again match your domain name or IP address. Then, use
Redirect to match any requests and send them to the SSL
VirtualHost. Make sure to include the trailing slash:
<VirtualHost *:80> ServerName your_domain_or_ip Redirect / https://your_domain_or_ip/ </VirtualHost>
Save and close this file when you are finished, then test your configuration syntax again, and reload Apache:
- sudo apachectl configtest
- sudo systemctl reload apache2
You can test the new redirect functionality by visiting your site with plain
http:// in front of the address. You should be redirected to
You have now configured Apache to serve encrypted requests using a self-signed SSL certificate, and to redirect unencrypted HTTP requests to HTTPS.
If you are planning on using SSL for a public website, you should look into purchasing a domain name and using a widely supported certificate authority such as Let’s Encrypt.
For more information on using Let’s Encrypt with Apache, please read our How To Secure Apache with Let’s Encrypt on Ubuntu 16.04 tutorial.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.Sign up now
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
I am getting this kind of error : Could you help to identify the issue ?
Why am I getting the following error?
Great tutorial; lots of details & easy to follow. Probably should mention we can avoid using self-signed certs, and use Let’sEncrypt CA.
Very good. Thank you.
I got an issue, After applying this certificate. My soapclient is stop working. it is throwing error “could not connect to host”. I try to find but nothing helped me. If you guys have any idea about.
Thanks in advance,
When you can’t install or afford trusted certificates from a certificate authority, you may get by with self-signed certificates. Both trusted, and self-signed certificates are the same and use the same protocols… the only difference is, one is trusted by a third party, and the other is not.
When you’re ready, run the commands below to generate the private server key as well as the self-signed SSL/TLS certificate for the chiragpatel.com domain… you’ll be using.
Note: chiragpatel.com is my server name
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/chiragpatel.com.key -out /etc/ssl/certs/chiragpatel.com.crt
After running the commands above, you’ll be prompted to answer a few questions about the certificate you’re generating… answer them and complete the process.
Generating a 2048 bit RSA private key …+++ …+++ writing new private key to ‘mydomain.key’
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:IN State or Province Name (full name) [Some-State]:Gujarat Locality Name (eg, city) :Vadodara Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Company Organizational Unit Name (eg, section) :SSL Unit Common Name (e.g. server FQDN or YOUR name) :chiragpatel.com Email Address :<email removed by mod>
Please enter the following ‘extra’ attributes to be sent with your certificate request A challenge password : LEAVE BLANK An optional company name :
I followed the steps on “How To Serve Django Applications with Apache and mod_wsgi on Ubuntu 16.04”
That directed me here. I followed the steps here. The https part was working, but I was getting the Apache2 default “It works!” page, not my Django app. I finally got my Django app to show up by moving the directory and WSGI lines from 000-default.conf to default-ssl.conf
Hi, you can check up my video where I show in 10 minutes or so how to setup a free multidomain ssl certificate with certbot on ubuntu.
Happy to contribute to the DO community,
All the best,
José from France
A remark on ssl-params.conf.
If your using wordpress you got problems with X-frame which is used by some plugins. It cost me a couple of hours to find out how to correct this.
Change the line:
in Header set X-Frame-Options: “sameorigin”
or Header always set X-Frame-Options "allow-from https://<wordpress site>/
Btw A great tutorial. Thank you for that.
Hello, Thanks for making this documentation. I’m able to do the Self Signed SSL to Apache and able to access like https://123.456.12.43, it is showing tomcat server. But https is not working when i try along with port or application like https://123.456.12.43:8080 or https://123.456.12.43:8080/sample-application/ We have placed our application in the /sample-application directory.
Appreciate if any quick help or suggestions. Thank you very much.