Self-Signed SSL Certificate for Apache HTTP Server

Configure Apache to serve HTTPS using a self-signed certificate.

Apache HTTP Server uses mod_ssl for HTTPS. Once the module is enabled, serving a self-signed certificate is just three config directives and a reload.

Step 1: Generate the Certificate

Use cert-depot.com for a browser-friendly cert with Subject Alternative Names, or generate one with OpenSSL:

openssl req -x509 -newkey rsa:2048 -nodes \
  -keyout server.key -out server.crt -days 365 \
  -subj "/CN=example.local" \
  -addext "subjectAltName=DNS:example.local,IP:127.0.0.1"

Step 2: Enable mod_ssl

On Debian/Ubuntu:

sudo a2enmod ssl
sudo a2ensite default-ssl

On RHEL/CentOS, install it if it's not already present:

sudo dnf install mod_ssl

Step 3: Install the Certificate Files

sudo mkdir -p /etc/apache2/ssl  # or /etc/httpd/conf.d/ssl on RHEL
sudo cp server.crt /etc/apache2/ssl/
sudo cp server.key /etc/apache2/ssl/
sudo chmod 600 /etc/apache2/ssl/server.key

Step 4: Configure the VirtualHost

Edit /etc/apache2/sites-available/default-ssl.conf (Debian/Ubuntu) or /etc/httpd/conf.d/ssl.conf (RHEL):

<VirtualHost *:443>
    ServerName example.local
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

Tip: If you need HTTP to redirect to HTTPS, add a <VirtualHost *:80> block with Redirect permanent / https://example.local/.

Step 5: Test and Reload

sudo apachectl configtest
sudo systemctl reload apache2  # or httpd on RHEL

Verify with curl -kvI https://example.local/ — you should see the TLS handshake succeed and the certificate details.

Troubleshooting

"SSL Library Error: Unable to load private key"

Either the key file's permissions are wrong or the key is password-protected. Use -nodes when generating with OpenSSL to produce an unencrypted key (safe for development only).

"AH00526: Syntax error"

Run apachectl configtest; it will point to the exact line. The cause is usually a missing closing tag or a typo in a file path.

Chrome shows ERR_CERT_COMMON_NAME_INVALID

Your certificate is missing a Subject Alternative Name. Regenerate it with the -addext "subjectAltName=..." flag, or use our generator which includes SANs automatically.
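
The key and certificate problems listed above can be caught before Apache is reloaded. The script below is an added example, not part of the original guide or of any cert-depot.com tooling; the function name check_tls_pair and its return codes are assumptions made for this example, and it assumes OpenSSL 1.1.1 or later and GNU stat.

```shell
#!/bin/sh
# Added example (not from the guide). check_tls_pair and its return codes are
# hypothetical names chosen here. Needs OpenSSL 1.1.1+ and GNU stat.
# Usage: check_tls_pair CERT KEY HOSTNAME
# Returns 0 ok, 1 unreadable file, 2 encrypted key, 3 loose key permissions,
#         4 key/cert mismatch, 5 hostname not in SAN, 6 expired.
check_tls_pair() {
    ctp_crt=$1; ctp_key=$2; ctp_host=$3
    if [ ! -r "$ctp_crt" ] || [ ! -r "$ctp_key" ]; then
        echo "cannot read certificate or key" >&2; return 1
    fi
    # Encrypted PEM keys say so in their header; Apache cannot load them
    # unattended ("Unable to load private key").
    if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$ctp_key"; then
        echo "key is password-protected" >&2; return 2
    fi
    # Step 3 sets mode 600; accept 600 or 400, reject anything wider.
    case $(stat -c '%a' "$ctp_key") in
        600|400) ;;
        *) echo "key mode is wider than 600" >&2; return 3 ;;
    esac
    # The key belongs to the certificate only if both yield the same public key.
    ctp_pub_crt=$(openssl x509 -in "$ctp_crt" -noout -pubkey 2>/dev/null)
    ctp_pub_key=$(openssl pkey -in "$ctp_key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$ctp_pub_crt" ] || [ "$ctp_pub_crt" != "$ctp_pub_key" ]; then
        echo "certificate and key do not match" >&2; return 4
    fi
    # Chrome matches the hostname against SAN entries, not CN. Exact match
    # only: wildcard SAN entries are not expanded by this check.
    if ! openssl x509 -in "$ctp_crt" -noout -ext subjectAltName 2>/dev/null |
         tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
         grep -Fxq "DNS:$ctp_host"; then
        echo "no SAN entry DNS:$ctp_host" >&2; return 5
    fi
    # -checkend 0 fails when the certificate is already past notAfter.
    if ! openssl x509 -in "$ctp_crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired" >&2; return 6
    fi
    return 0
}

# Run as a script: sh check.sh server.crt server.key example.local
if [ "$#" -eq 3 ]; then check_tls_pair "$@"; fi
```

Run it against the files in /etc/apache2/ssl before apachectl configtest; a non-zero return code identifies which check failed.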
