As we’ve seen in the blog post Website SSL and HTTPS Explained, to encrypt HTTP traffic and access your website over HTTPS you need an SSL web server certificate. If you do not have the budget for an SSL web server certificate from a trusted certification authority such as Thawte, a self-signed SSL certificate is most probably the best solution for the non-publicly accessible sections of your WordPress blog or website, such as the wp-admin section or WordPress dashboard.
WP White Security Tip: If your visitors have to submit sensitive information through your website, then you have to purchase an SSL web server certificate from a trusted authority such as Thawte.
In this tutorial blog post we will explain how to generate a self-signed web server SSL certificate and install it on an Apache web server.
Steps to Generate Self Signed SSL Certificate for Apache Web Server
For this tutorial it is presumed that the components below are installed on the server where your WordPress is installed, and that you are familiar with the Linux operating system. If they are not installed, or you are not familiar with Linux, please consult your hosting provider or a professional:
mod_ssl: An Apache module that is used to provide cryptography for Apache web servers. In simple words, it is the module that allows you to run websites on HTTPS.
OpenSSL: The application we will be using to generate the private key, the certificate request and the actual SSL web server certificate.
Step 1: Generate Private Key
The first step of generating a self-signed SSL certificate for Apache is to generate a private key. The private key will be used in step 2 to generate a certificate signing request, i.e. to request the SSL web server certificate. To generate a private key with the openssl tool, use the following command:
openssl genrsa -out ca.key 1024
The above openssl command is explained below:
- genrsa generates an RSA private key.
- -out specifies the output file name. In this case the private key is called ca.key.
- 1024 is the length of the key in bits. The longer the key, the more difficult it is to break.
Step 2: Generate Certificate Request File
In this step, we will generate the certificate request file, i.e. a file which contains all the details about the SSL certificate we want for our web server.
If you are going for a paid SSL web server certificate from a trusted certificate authority, this is the file the certificate authority needs in order to issue an official SSL certificate. To generate a certificate request file, use the following command:
openssl req -new -key ca.key -out ca.csr
Once this command is issued, you will be asked to specify the following:
- Country Name as a 2-letter ISO 3166-2 code. A list of all country codes can be found here.
- State or province, not abbreviated
- Full locality name (town, city, etc.)
- Full Business Name
- Department / Organizational Unit e.g. Admin department
- Distinguished Name (DN). This should be the fully qualified domain name you wish to secure
- Email Address. This email address should be the contact of the organization, typically the systems administrator.
Once all of the above have been specified, the certificate signing request, i.e. the .csr file, is generated. Below is a screenshot of the CSR being generated with the openssl tool.
Step 3: Generate the Self Signed Certificate
Once the certificate request is ready, it is time to generate the actual certificate. To do so, use the following command:
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
With the above command we tell openssl that the input is a certificate request (-req) to be turned into an X.509 SSL certificate that expires in 365 days (-days 365) and is signed with the private key ca.key (-signkey ca.key). The certificate request is read from ca.csr (-in ca.csr) and the SSL web server certificate is written to ca.crt (-out ca.crt). Below is a screenshot of a successful generation of a self-signed SSL web server certificate.
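The three steps above, as an added example that is not part of the original post: a shell script that runs them non-interactively (the -subj option answers the prompts of step 2) and then performs the checks worth doing before handing the files to Apache, namely that the key and certificate belong together and that the certificate verifies against itself. It assumes a 2048-bit key rather than 1024, the placeholder host name www.example.com, and a subjectAltName extension, none of which come from the post.

```shell
#!/bin/sh
# Added example: the post's three openssl steps, scripted, plus sanity checks.
# Assumptions (not from the post): 2048-bit key, a subjectAltName extension,
# and whatever FQDN the caller passes in (www.example.com in the test).
set -eu

# make_selfsigned OUTDIR FQDN [DAYS]
# Writes ca.key, ca.csr and ca.crt into OUTDIR; non-zero status on any failure.
make_selfsigned() {
    dir="$1"; fqdn="$2"; days="${3:-365}"
    mkdir -p "$dir"
    # Step 1: private key. 2048 bits is the smallest size worth using today.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    chmod 600 "$dir/ca.key"   # the web server (started as root) is the only reader
    # Step 2: certificate signing request; -subj supplies the interactive answers.
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=MT/ST=Malta/L=Valletta/O=Example Org/OU=Admin/CN=$fqdn/emailAddress=admin@$fqdn"
    # Step 3: self-sign the request with the same key. The extension file adds a
    # SAN entry, because browsers match the host name against SAN, not the CN.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -days "$days" -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -out "$dir/ca.crt" -extfile "$dir/san.cnf" 2>/dev/null
}

# check_pair DIR: the public key inside the certificate must equal the one
# derived from the private key, and the certificate must verify against itself
# (a self-signed certificate is its own, and only, trust anchor).
check_pair() {
    dir="$1"
    openssl pkey -in "$dir/ca.key" -pubout -out "$dir/key.pub" 2>/dev/null
    openssl x509 -in "$dir/ca.crt" -pubkey -noout > "$dir/crt.pub"
    cmp -s "$dir/key.pub" "$dir/crt.pub" || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/ca.crt" >/dev/null 2>&1
}

# cert_has_san DIR FQDN: true if FQDN is listed in the SAN extension.
# -ext needs OpenSSL 1.1.1+; the -text form works on older releases too.
cert_has_san() {
    openssl x509 -in "$1/ca.crt" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2" ||
    openssl x509 -in "$1/ca.crt" -noout -text | grep -q "DNS:$2"
}
```

Run it as `make_selfsigned /tmp/ssl www.example.com && check_pair /tmp/ssl`; a failing check_pair means Apache would refuse to start with that key/certificate pair.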
Configure Apache Web Server to Run on SSL (HTTPS)
Once we have the private key and the SSL web server certificate in hand, we are ready for the last step: configuring the Apache web server.
Note: The configuration and SSL certificate file paths given in the documentation below are based on Apache's generic configuration guidelines. They may vary depending on the Linux / Unix distribution you are running. For more specific information on how to configure SSL web server certificates and Apache on your distribution, refer to the distribution's documentation.
Copy the private key (*.key) and the SSL certificate (*.crt) to a location the web server can read, typically /etc/ssl/crt/ or, on CentOS, /etc/pki/tls/certs/. Then open the file ssl.conf, typically found in /etc/httpd/conf.d/, and add or uncomment the following:
SSLEngine on
SSLCertificateFile /path/to/crt/primary.crt
SSLCertificateKeyFile /path/to/key/private.key
If you do not have an ssl.conf file, you can instead add the following to the virtual hosts section of the Apache configuration file httpd.conf. Before making such changes, check the recommendations for configuring SSL on Apache for the flavour of Linux you are running:
# HTTPS virtual host for the site; the directives must sit inside a port 443 VirtualHost block
<VirtualHost *:443>
    DocumentRoot /var/www/WPWhiteSecurity
    ServerName www.wpwhitesecurity.com
    SSLEngine on
    SSLCertificateFile /path/to/cert/ca.crt
    SSLCertificateKeyFile /path/to/key/ca.key
</VirtualHost>
Access your WordPress Wp-admin via HTTPS
Once you are ready, reload the Apache configuration; you can now access your website via HTTPS. Since the certificate is self-signed and has not been issued by a trusted certificate authority, you will get the notification below when accessing the website.