Create a Self Signed Certificate

Looking as if I’ll be using some self-signed certs for development purposes (and perhaps for some online game work) so I’m going to write up the process to keep it readily accessible here.

  • sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
  • In /etc/apache2/conf-available create ssl-params.conf containing:
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    # Disable preloading HSTS for now. You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    # Requires Apache >= 2.4
    SSLCompression off
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    # Requires Apache >= 2.4.11
    SSLSessionTickets Off

  • sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
  • sudo emacs /etc/apache2/sites-available/default-ssl.conf
  • Edited /etc/apache2/sites-available/default-ssl.conf to enable the new cert, update ServerAdmin and add ServerName
  • Did not set a redirect in
    /etc/apache2/sites-available/000-default.conf
    as I expect this dev machine to respond to either http or https requests.
  • Firewall checks and updates:
    sudo ufw app list
    sudo ufw status
    sudo ufw allow 'Apache Full'
    sudo ufw enable
  • Enable the required Apache modules
    sudo a2enmod ssl
    sudo a2enmod headers
  • Enable the SSL virtual host and the ssl-params config, then test the configuration and restart Apache
    sudo a2ensite default-ssl
    sudo a2enconf ssl-params
    sudo apache2ctl configtest
    sudo systemctl restart apache2
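The whole procedure above, wrapped into shell functions so the cert and the two config files can be produced and sanity-checked in a scratch directory before anything touches /etc. This is an added example, not the post's own commands: it assumes OpenSSL 1.1.1 or later (for `-addext`) and Apache 2.4.11 or later (for `SSLSessionTickets`), and it goes one step beyond the post's `openssl req` line by passing `-subj` (no interactive prompts) and a subjectAltName, which browsers require before they will trust the cert even after you add it to their store. The hostname, admin address and output paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Functions take their paths as
# arguments so they run unprivileged in a scratch dir; on the real box use the
# post's paths under /etc/ssl and /etc/apache2 and run them as root.
set -eu

# make_selfsigned_cert HOST OUTDIR [DAYS]
# Non-interactive form of the post's `openssl req -x509` command. The
# subjectAltName extension is added because browsers ignore the CN alone.
make_selfsigned_cert() {
    host="$1"; outdir="$2"; days="${3:-365}"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    mkdir -p "$outdir"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
    chmod 600 "$outdir/$host.key"   # private key readable by its owner only
}

# cert_matches_key CERT KEY: the public key inside the cert must be the one
# derived from the private key, otherwise Apache refuses to start the vhost.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1")
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ "$c" = "$k" ]
}

# write_ssl_params PATH: the ssl-params.conf from the post, verbatim settings.
write_ssl_params() {
    cat > "$1" <<'EOF'
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# HSTS stays commented out: a self-signed dev host should not pin browsers to HTTPS.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
# A self-signed cert carries no OCSP responder URI, so Apache logs a warning
# at startup and staples nothing; the directive is harmless but idle here.
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off
EOF
}

# write_ssl_vhost PATH HOST ADMIN CERT KEY: the edits the post makes to
# default-ssl.conf (ServerName, ServerAdmin, cert paths) as a minimal vhost.
write_ssl_vhost() {
    cat > "$1" <<EOF
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName $2
    ServerAdmin $3
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    $4
    SSLCertificateKeyFile $5
</VirtualHost>
</IfModule>
EOF
}

# check_ssl_params PATH: confirm the legacy protocols are disabled and
# compression / session tickets are off; fails on the first missing setting.
check_ssl_params() {
    for want in '-SSLv3' '-TLSv1.1' 'SSLCompression off' 'SSLSessionTickets Off'; do
        grep -qF -- "$want" "$1" || { echo "missing: $want" >&2; return 1; }
    done
}

# Usage (placeholders; on the real box the post's paths are /etc/ssl/private,
# /etc/ssl/certs, /etc/apache2/conf-available and /etc/apache2/sites-available):
#   make_selfsigned_cert dev.example.test ./out
#   write_ssl_params ./out/ssl-params.conf && check_ssl_params ./out/ssl-params.conf
#   write_ssl_vhost ./out/default-ssl.conf dev.example.test admin@example.test \
#       ./out/dev.example.test.crt ./out/dev.example.test.key
#   sudo apache2ctl configtest && sudo systemctl restart apache2
```

`cert_matches_key` is the check worth running before `apache2ctl configtest`: a stale `.crt` next to a freshly regenerated `.key` is the usual reason the SSL vhost fails to come up after re-running the openssl line.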

Engineering execution and creativity mixed for the best results…