Saturday, October 29, 2016

How to create and activate SSL self-signed certificate in Ubuntu 16.04/14.04

When running server with critical applications which involves credit card transactions,data transfer and logins, security is first thing you should put in mind, this lab is going to show you how to install self-signed certificate from scratch, the certificate will ensure secure connection between your server and clients.
To create and apply certificate follow simple steps below:

1. Update your system and install Apache
This step assumes that the server is new and apache is not yet installed, if already installed move to step 2
sudo su 
apt-get update
apt-get install apache2

To test if your apache is well installed, open your server IP/hostname on your browser and you you will see APACHE2 UBUNTU DEFAULT PAGE, otherwise restart apache,

 /etc/init.d/apache2 restart

2. Create the certificate
Run below command to create your certificate
mkdir /etc/apache2/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

This certificate will be valid for 10 years, but if you want the certificate to be valid for few years change the value 3650 by indicating how many days the certificate to be valid.

After running second command above it will ask you to provide information about your company, below is example

What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:TZ
State or Province Name (full name) [Some-State]:ARUSHA
Locality Name (eg, city) []:ARUSHA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JARASYOLA LTD
Organizational Unit Name (eg, section) []:ICT
Common Name (e.g. server FQDN or YOUR name) []
Email Address []

Now the certificate is created.

3. Configure Apache

a. Make sure that mod_rewrite, mod_ssl,  and the default SSL virtual host is enabled - you'll need these line items to be able to force visitors to use HTTPS.

a2enmod rewrite ssl
a2ensite default-ssl

b. The key must not be password protected, and it must be locked down such that only the root user can read it,
chmod 600 /etc/apache2/ssl/apache.key

c. Configure Apache to read new certificates
Change these lines in /etc/apache2/sites-enabled/default-ssl.conf, open the file

vim /etc/apache2/sites-enabled/default-ssl.conf
 and change:

SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile  /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

d. Add the following in /etc/apache2/sites-available/000-default.conf

        <Directory "/var/www/html">

            Options FollowSymLinks

            AllowOverride All


This assumes /var/www/html is your document root. e. Restart Apache

/etc/init.d/apache2 restart

4. Push visitors to HTTPS

Now as you certificate is installed and apply, to push visitors to HTTPS, put something similar to the following snippet into /var/www/html/.htaccess

RewriteEngine On
# Redirect all HTTP traffic to HTTPS.
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://SERVERHOSTNAME/IPADDRESS/$1 [R,L]

Change SERVERHOSTNAME/IPADDRESS to actual server hostname/ip address.

Now your server is secure and all your traffic from your server to browser (client) is encrypted.