Create a OpenSSL, wildcard self-signed certificate to use for your private website on Apache2

I know, I know.. You have already gone the whole internet and still haven’t found those few steps that helps you build a correct certificate to use for your own Webserver.
You reached the right place! I show you how to setup a certificate with a strong encryption and how to import it in your Apache2’s vHost’s conf. file.

First, make sure that your Apache2’s ssl conf is using strong encryption:
cat /etc/apache2/mods-enabled/ssl.conf

  SSLCipherSuite HIGH:!aNULL
  SSLProtocol all -SSLv3

If you can read these rows (they are not close each other), you are probably running (as of January 2018) with the latest ssl. Good.

Move to the folder where you wish to store the certificates:

mkdir -p /etc/apache/ssl/test.mycompany.local
cd /etc/apache/ssl/test.mycompany.local

Generating the certs:

openssl genrsa 4096 > host.key
openssl req -new -x509 -nodes -sha256 -days 3650 -key host.key > host.cert

The CN is the name you will use for Apache2 vHost, give it the name you will use on ServerName:
*.domain3.domain.2.domain.1 -> *.test.mycompany.local

This is all you need to create a key file and its certificate.
Do you also want to pack both into a sigle .pem file?

openssl x509 -noout -fingerprint -text < host.cert >
cat host.cert host.key > host.pem

Remember to protect the certificate:
The directory permissions should be 700;
The file permissions 600;
They all should be owned by root;

chown -R root:root /etc/apache/ssl/test.mycompany.local
chmod 0700 /etc/apache/ssl/test.mycompany.local
chmod 0600 /etc/apache/ssl/test.mycompany.local/*


<VirtualHost *:2020>
        ServerName vm1.test.mycompany.local

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/vm1
        # trace8, if you want to only read logs about the certificate
        # usually, you can leave this to the standard:
        #LogLevel info ssl:warn
        LogLevel trace8 ssl:trace8
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/test.mycompany.local/host.cert
        SSLCertificateKeyFile /etc/apache2/ssl/test.mycompany.local/host.key

        ErrorLog ${APACHE_LOG_DIR}/server.error.log
        CustomLog ${APACHE_LOG_DIR}/server.access.log combined

This is how you activate the certificate in your vHost, and for activating the new configuration:

cd /etc/apache2/sites-enabled
ln -s ../sites-available/website.conf ./website.conf

You probably have noticed that I changed the common 443 port for HTTPS, with a non classical 2020.

I think you should be familiar with how to manage this configuration, so, in order to enable SSL on port 2020, edit the file ports.conf:

Make a backup, always:

cd /etc/apache
cp ports.conf ports.conf.30012018

Now you can edit ports.conf:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

<IfModule ssl_module>
#       Listen 443
        Listen 2020

<IfModule mod_gnutls.c>
#       Listen 443
        Listen 2020

This is all, restart Apache2 and you’re done!