#Self Signing a Cert in Debian Jessie with apache2 Source https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04 Amend days as required eg 1825 for 5 yrs
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt _ This takes ages_ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 vim /etc/apache2/conf-available/ssl-params.conf include this in ssl-params:
#from https://cipherli.st/
#and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html_
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Backup this:
cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
vim /etc/apache2/sites-available/default-ssl.confSort these out: ServerAdmin [email protected] ServerName server_domain_or_IP and SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key Test
apache2ctl configtestPermanent redirect from http to https:
vim /etc/apache2/sites-available/000-default.conf<VirtualHost *:80>
. . .
Redirect permanent "/" "https://your_domain_or_IP"
. . .
</VirtualHost>All done!
Alternatively to the above, public certs are available: https://certbot.eff.org/#debianjessie-apache