Looking as if I’ll be using some self-signed certs for development purposes (and perhaps for some online game work) so I’m going to write up the process to keep it readily accessible here.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
- In
/etc/apache2/conf-available
createssl-params.conf
use
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
sudo emacs /etc/apache2/sites-available/default-ssl.conf
- Edited
/etc/apache2/sites-available/default-ssl.conf
to enable the new cert and to updateServerAdmin
and addServerName
- Did not set redirect at
/etc/apache2/sites-available/000-default.conf
as I expect this dev machine to respond to either http or https requests. - Firewall checks and updates:
sudo ufw app list
sudo ufw status
sudo ufw allow 'Apache Full'
sudo ufw enable - Enable appropriate apache modules
sudo a2enmod ssl
sudo a2enmod headers - and perhaps virtual hosts
sudo a2ensite default-ssl
sudo a2enconf ssl-params
sudo apache2ctl configtest
sudo systemctl restart apache2