Generate a Self Signed SSL Certificate for HTTPS on Apache

Last updated on June 02nd, 2019 by Robert Abela. Filed under WordPress Security

As we’ve seen in the blog post Website SSL and HTTPS Explained, to encrypt HTTP traffic and access your website over HTTPS you need an SSL web server certificate. If you do not have the budget for an SSL web server certificate from a trusted certification authority such as Thawte, a self signed SSL certificate is most probably the best solution for non publicly accessible sections of your WordPress blog or website, such as the wp-admin section or WordPress dashboard.

WP White Security Tip: If your visitors have to submit sensitive information through your website, then you have to purchase an SSL web server certificate from a trusted authority such as Thawte.

In this tutorial blog post we will explain how to generate a self signed web server SSL certificate and install it on an Apache web server.

Steps to Generate Self Signed SSL Certificate for Apache Web Server

For this tutorial it is presumed that the below components are installed on the server where your WordPress is installed and that you are familiar with the Linux operating system. If they are not installed or you are not familiar with Linux, please consult your hosting provider or a professional:

mod_ssl: An Apache module that is used to provide cryptography for Apache web servers. In simple words, it is the module that allows you to run websites on HTTPS.

OpenSSL: The application which we will be using to generate private keys, certificate requests and the actual SSL web server certificate.

Step 1: Generate Private Key

The first step of generating a self signed SSL certificate for Apache is to generate a private key. The private key will be used to generate a certificate signing request in step 2, i.e. to request the SSL web server certificate. To generate a private key using the openssl tool use the following command:

openssl genrsa -out ca.key 1024

The above openssl command is explained below:

  • genrsa means generate a private key.
  • -out is used to specify the output file name. In this case the private key is called ca.key.
  • 1024 is the length of the key in bits. The longer the key is, the more difficult it is to break.

Step 2: Generate Certificate Request File

In this step, we will generate the certificate request file, i.e. a file which contains all the details about the SSL certificate we want for our web server.

If you are going for a paid SSL web server certificate from a trusted certificate authority, this is the file that a certificate authority needs to issue an official SSL certificate. To generate a certificate request file use the below command:

openssl req -new -key ca.key -out ca.csr

Once this command is issued, you will be asked to specify the following:

  • Country Name in 2 letter ISO 3166-2 code. List of all country codes can be found here.
  • State or province in a non abbreviated format
  • Full locality Name (town, city etc)
  • Full Business Name
  • Department / Organizational Unit e.g. Admin department
  • Distinguished Name (DN). This should be the fully qualified domain name you wish to secure
  • Email Address. This email address should be the contact of the organization, typically the systems administrator.

Once all of the above are specified, the signing certificate request, i.e. the csr file is generated. Below is a screenshot of how the CSR request is generated when using the openssl tool.

[Screenshot: generating a certificate signing request]

Step 3: Generate the Self Signed Certificate

Once the certificate request is ready, it is time to generate the actual certificate. To do so, use the below command:

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

With the above command we are requesting (-req) an x509 standard SSL certificate, which expires in 365 days (-days 365) and signed with the private key ca.key (-signkey ca.key). The certificate request is called ca.csr (-in ca.csr) and the SSL web server certificate should be called ca.crt (-out ca.crt). Below is a screenshot of a successful generation of a self signed SSL web server certificate.

[Screenshot: self signed SSL web certificate for Apache web server successfully generated]
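The three steps above as one non-interactive script, added here as an example and not part of the original post; it then checks that ca.key and ca.crt belong together before Apache is pointed at them. Assumptions: the host name www.example.test and the subject values are constructed, the key is 2048 bits rather than the 1024 shown above because 1024-bit RSA is no longer considered adequate, and a subjectAltName is added because current browsers match the host name against that extension.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-3 without prompts, plus checks.
# Assumed values: host name www.example.test, subject fields, 2048-bit key.

make_self_signed() {   # usage: make_self_signed <fqdn> <output-dir>
    fqdn=$1; dir=$2
    # Step 1: private key, created readable by the owner only.
    ( umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null ) || return 1
    # Step 2: CSR; -subj supplies the answers the prompts would ask for.
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=MT/O=Example Org/CN=$fqdn" || return 1
    # Step 3: self-sign, adding the host name as a subjectAltName extension.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/san.ext" -out "$dir/ca.crt" 2>/dev/null
}

key_matches_cert() {   # usage: key_matches_cert <key> <crt>
    # Compare the public key derived from the private key with the one in the cert.
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

cert_names_host() {    # usage: cert_names_host <crt> <fqdn>
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

valid_for_days() {     # usage: valid_for_days <crt> <days>; true if still valid then
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
if make_self_signed www.example.test "$demo_dir" &&
   key_matches_cert "$demo_dir/ca.key" "$demo_dir/ca.crt" &&
   cert_names_host "$demo_dir/ca.crt" www.example.test &&
   valid_for_days "$demo_dir/ca.crt" 30; then
    echo "ca.key and ca.crt are consistent and ready to reference from ssl.conf"
else
    echo "generated files failed a check" >&2
fi
rm -rf "$demo_dir"
```

Running key_matches_cert against the files named in SSLCertificateFile and SSLCertificateKeyFile catches a mismatched pair before the Apache configuration is reloaded.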

Configure Apache Web Server to Run on SSL (HTTPS)

Once we have the private key and web server SSL certificate in hand, we are ready for the last step: configuring the Apache web server.

Note: The configuration and SSL web server certificates file paths specified in the below documentation are based on the generic configuration guideline of Apache. Such information might vary depending on the distribution of Linux / Unix you are running. For more specific information on how to configure SSL web server certificates and Apache on your Linux distribution, refer to your distribution documentation.

Copy the private key (*.key) and the SSL certificate (*.crt) to a location which the web server has access to, typically /etc/ssl/crt/ or on CentOS /etc/pki/tls/certs/. Then, open the file ssl.conf, which is typically found in /etc/httpd/conf.d/ and add, or uncomment the following:

SSLEngine on
SSLCertificateFile /path/to/crt/primary.crt
SSLCertificateKeyFile /path/to/key/private.key

If you do not have the ssl.conf file, you can also add the following to the virtual hosts section of the Apache configuration file httpd.conf. Before making such changes, check the recommendations for configuring SSL on Apache for the flavour of Linux you are running:


<VirtualHost *:443>
DocumentRoot /var/www/WPWhiteSecurity
ServerName www.wpwhitesecurity.com
SSLEngine on
SSLCertificateFile /path/to/cert/ca.crt
SSLCertificateKeyFile /path/to/key/ca.key
</VirtualHost>

Access your WordPress Wp-admin via HTTPS

Once you are ready, reload the Apache configuration and now you can access your website via HTTPS. Since the SSL certificate is a self-signed certificate and it has not been issued by a trusted certificate authority, you will get the below notification when trying to access the website.

[Screenshot: web browser warning because remote SSL website certificate is not trusted]

4 comments

Raha 08/06/2014

Hi
thanks for sharing this article
I enabled my https in wordpress with wordpress https ssl plugins
about 2 days ago
but every time my users want to load my website it gives them this notification and the https is in red and crossed out
please help me how can I remove this notification
is it possible to remove this notification?
thanks
regards :
Raha

Robert Abela 08/06/2014

Hi Raha,

Can you please let us know what is the error in the notification? There are many reasons why a notification is showing and if you send us the exact error statement that is showing, we will be able to help you. Do you have a URL we can access to see the notification ourselves?

Sylvain 22/05/2019

Hi,

Thanks for sharing and very useful post!

I have following error when I connect with chrome on my dev environment (Apache 2.4, Debian 9.6, VirtualBox 5.2)

Message is :
Le site http://www.xxx.dev est actuellement inaccessible, car il utilise la technologie HSTS

Do you know how to bypass this HTTP Strict-Transport-Security layer ?

Thx for response.

Regards,
Sylvain.

Robert Abela 27/05/2019

Sorry but I do not understand French. However a quick Google search for such error returned a lot of results with suggestions of how to enable HSTS on Apache etc. I recommend you to start from there.
