
How to Secure Apache with a Self-Signed SSL Certificate on FreeBSD 12
In today’s digital landscape, encrypting web traffic is non-negotiable. Using the HTTPS protocol not only protects your users’ data but also builds trust and can improve your search engine ranking. While public-facing websites require a certificate from a trusted Certificate Authority (CA), there are many scenarios—such as development environments, testing servers, or internal-only applications—where a self-signed SSL certificate is a practical and cost-effective solution.
This guide provides a comprehensive, step-by-step walkthrough for installing the Apache web server on FreeBSD 12 and securing it with a self-signed SSL certificate.
Prerequisites
Before we begin, ensure you have:
- A running instance of FreeBSD 12.
- Root or sudo access to the server.
- Basic familiarity with the command line interface.
Step 1: Update Your System and Install Apache
It is always a best practice to start with an up-to-date system. This ensures you have the latest security patches and package versions. Open your terminal and run the following commands to update your package repository and upgrade installed packages:
pkg update && pkg upgrade -y
Once your system is updated, you can install the Apache web server. The package in the FreeBSD repository is typically named apache24.
pkg install apache24
The package manager will handle all necessary dependencies for you.
Step 2: Enable and Start the Apache Service
After installation, the Apache service is not enabled or started by default. You need to configure it to launch at boot time. The easiest way to do this on FreeBSD is by using the sysrc command, which safely edits the /etc/rc.conf file.
Enable the Apache service:
sysrc apache24_enable=YES
Now, you can start the Apache service for the first time:
service apache24 start
To confirm that Apache is running correctly, open a web browser and navigate to your server’s IP address (http://your_server_ip). You should see the default Apache “It works!” page.
Step 3: Generating Your Self-Signed SSL Certificate
This is the core step where we create the certificate and the private key that will encrypt the traffic. We will use the powerful OpenSSL toolkit, which is included with the FreeBSD base system.
Execute the following command to generate both a private key (server.key) and a certificate (server.crt) at once:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /usr/local/etc/apache24/server.key -out /usr/local/etc/apache24/server.crt
Let’s break down this command:
- req -x509: Specifies that we want to create a self-signed certificate (X.509 standard).
- -nodes: “No DES,” meaning the private key will not be encrypted with a passphrase. This allows Apache to restart automatically without requiring manual input.
- -days 3650: Sets the certificate’s validity period. We’ve set it to 10 years, which is suitable for a long-term development or internal server.
- -newkey rsa:2048: Creates a new 2048-bit RSA private key.
- -keyout: Specifies the output file for the private key.
- -out: Specifies the output file for the certificate.
You will be prompted to enter information for the certificate. For a self-signed certificate, these details are not critically important, but the Common Name (CN) is.
You should set the Common Name to your server’s IP address or fully qualified domain name (e.g., dev.yourdomain.com).
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Dev Company
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:your_server_ip_or_domain
Email Address []:[email protected]
After you’ve generated the files, it’s crucial to secure the private key so that only the root user can read it.
chmod 600 /usr/local/etc/apache24/server.key
Step 4: Configuring Apache to Use SSL
Now we need to tell Apache to enable SSL and use the new certificate and key. This involves editing the main Apache configuration file, httpd.conf.
Open the file with your preferred editor:
ee /usr/local/etc/apache24/httpd.conf
First, enable the necessary modules. Find and uncomment the following lines (remove the # at the beginning):
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
Next, include the SSL configuration file. Find and uncomment this line to activate the dedicated SSL settings:
Include etc/apache24/extra/httpd-ssl.conf
Save and close the httpd.conf file.
Now, we must edit the SSL configuration file to point to our new certificate.
ee /usr/local/etc/apache24/extra/httpd-ssl.conf
Inside this file, you need to verify and/or change the following directives:
- SSLCertificateFile: This must point to your certificate file.
- SSLCertificateKeyFile: This must point to your private key file.
- ServerName: Set this to the same value you used for the Common Name.
Update the file to reflect these paths:
SSLCertificateFile "/usr/local/etc/apache24/server.crt"
SSLCertificateKeyFile "/usr/local/etc/apache24/server.key"
ServerName your_server_ip_or_domain:443
Save and exit the editor.
Step 5: Finalizing and Testing Your Secure Server
Before restarting Apache with the new configuration, it’s wise to test it for syntax errors.
apachectl configtest
If you see “Syntax OK”, you are ready to proceed. If there are errors, the output will tell you which file and line number to check.
Finally, restart the Apache service to apply all the changes:
service apache24 restart
To complete the setup, ensure your firewall allows HTTPS traffic. If you are using FreeBSD’s default pf firewall, you would add the following rule to your /etc/pf.conf file to allow traffic on ports 80 (HTTP) and 443 (HTTPS):
pass in on vtnet0 proto tcp from any to any port { 80, 443 }
(Replace vtnet0 with your server’s network interface)
Verifying Your Setup
Open your web browser and navigate to https://your_server_ip_or_domain. You will see a security warning stating that the certificate is not trusted. This is expected and normal. Because the certificate was signed by your own server, not a trusted third-party CA, browsers cannot validate it.
Simply accept the security risk and proceed to the site. You will see the “It works!” page, and your connection will be encrypted, indicated by a padlock icon in the address bar.
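The warning can be accepted on evidence rather than on faith: compute the certificate's SHA-256 fingerprint on the server and compare it with the one shown in the browser's certificate dialog. The script below is an added example, not part of the original guide; it also confirms that the key from Step 3 matches the certificate, is mode 600, and is not about to expire. The function names and the throwaway CN dev.example.test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks for the key/certificate pair created in Step 3.
# Function names are illustrative, not part of Apache or OpenSSL.

# Succeeds when the certificate carries the public key derived from the key file.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the key file is mode 600 (owner read/write only).
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Prints the SHA-256 fingerprint to compare with the browser's certificate dialog.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Runs every check and reports the first failure, or the fingerprint on success.
check_pair() {
    cert_matches_key "$1" "$2" || { echo "key does not match certificate"; return 1; }
    key_mode_ok "$2" || { echo "key permissions are not 600"; return 1; }
    cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days"; return 1; }
    echo "OK sha256=$(cert_fingerprint "$1")"
}

# Constructed sample: a throwaway pair built like Step 3, but non-interactive.
make_sample_pair() {
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=dev.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null && chmod 600 "$1/server.key"
}

# With two arguments check that pair; with none, check a constructed sample pair.
if [ $# -eq 2 ]; then
    check_pair "$1" "$2"
else
    tmp=$(mktemp -d) && make_sample_pair "$tmp" && check_pair "$tmp/server.crt" "$tmp/server.key"
    rm -rf "$tmp"
fi
```

Run it as root with /usr/local/etc/apache24/server.crt and /usr/local/etc/apache24/server.key as the two arguments to check the files this guide creates.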
Conclusion: When to Use a Self-Signed Certificate
You have successfully installed and configured an Apache web server on FreeBSD 12, secured with a self-signed SSL certificate. This setup is ideal for internal networks, development environments, and personal projects where full public trust is not required.
Crucially, never use a self-signed certificate for a public-facing production website. For live sites that handle user data, always obtain a free certificate from a trusted authority like Let’s Encrypt or purchase one from a commercial CA.
Source: https://kifarunix.com/install-apache-with-self-signed-certificate-on-freebsd-12/


