A self-signed SSL certificate lets you run Apache over HTTPS on Ubuntu 26.04 without buying a certificate from a Certificate Authority, which makes it the practical choice for staging servers, internal apps, and local development.

Many Linux users run into this situation when setting up a new website or web app, as they want HTTPS working right away, even before getting a real trusted certificate.

A self-signed certificate encrypts the connection, but browsers will still show a warning because the certificate is not signed by a trusted authority, which is normal and does not mean the connection is unsafe.

The traffic is still encrypted with TLS from end to end; the only difference is that the browser cannot verify the server’s identity through a trusted third party.

If your website is public, it’s better to use Let’s Encrypt with Certbot, which is free, trusted by browsers, and can automatically renew certificates every 90 days. Self-signed certificates are mainly useful for private environments where you control access and only need encryption.

This guide shows how to set up a self-signed SSL certificate on Ubuntu 26.04, including installing Apache, creating an SSL certificate with a Subject Alternative Name (required by modern browsers), configuring an Apache virtual host for a domain, and allowing HTTPS through the firewall.

Prerequisites

Before you start, make sure you have the following in place:

  • A server running Ubuntu 26.04 LTS with a sudo-enabled user.
  • A domain name pointed to your server’s IP address (the guide uses store.tecmint.com as the example).
  • Root or sudo access to install packages and edit Apache configuration files.

Step 1: Install Apache on Ubuntu 26.04

Start by updating the package index so your system downloads the latest available package versions, then install Apache.

sudo apt update
sudo apt install apache2 -y

After the installation completes, start the Apache service and enable it to start automatically whenever the server boots.

sudo systemctl start apache2
sudo systemctl enable apache2

Next, check that Apache is running correctly before continuing.

sudo systemctl status apache2

The active (running) line confirms that Apache is working properly, but if you see inactive (dead) or failed, try starting the service again:

sudo systemctl start apache2

If Apache still does not start, check the detailed error logs with:

journalctl -xe

Step 2: Enable mod_ssl and mod_headers

Apache on Ubuntu 26.04 includes the mod_ssl module by default, but it is not enabled automatically, so you need to enable mod_ssl to use HTTPS and mod_headers to add security-related HTTP headers.

Enable both modules with the following commands:

sudo a2enmod ssl
sudo a2enmod headers

After enabling the modules, restart Apache so the changes take effect.

sudo systemctl restart apache2

You can verify that the modules are loaded by running:

sudo apache2ctl -M | grep -E 'ssl|headers'

You should see output similar to this:

 headers_module (shared)
 ssl_module (shared)

This confirms that both SSL and header support are active in Apache.

Step 3: Generate the Self-Signed SSL Certificate

Ubuntu 26.04 already includes OpenSSL, so you can generate the private key and self-signed certificate with a single command.

Modern browsers such as Chrome and Firefox require a Subject Alternative Name (SAN) in the certificate. Without it, the browser may show errors like NET::ERR_CERT_COMMON_NAME_INVALID and block the connection.

First, create a directory to store the SSL certificate and private key files for your domain.

sudo mkdir -p /etc/ssl/store.tecmint.com

Next, generate the self-signed certificate, but make sure to replace store.tecmint.com with your own domain name or server hostname.

sudo openssl req -x509 -nodes -days 365 \
  -newkey rsa:4096 \
  -keyout /etc/ssl/store.tecmint.com/apache.key \
  -out /etc/ssl/store.tecmint.com/apache.crt \
  -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=LinuxApp/OU=IT/CN=store.tecmint.com" \
  -addext "subjectAltName=DNS:store.tecmint.com,DNS:www.store.tecmint.com"

Here’s what the important options mean:

  • -x509 creates a self-signed certificate instead of a certificate signing request (CSR).
  • -nodes prevents the private key from being encrypted with a password, which allows Apache to start automatically after reboot.
  • -days 365 makes the certificate valid for one year.
  • -newkey rsa:4096 creates a new 4096-bit RSA private key.
  • -keyout sets the location for the private key file.
  • -out sets the location for the certificate file.
  • -subj fills in the certificate details automatically so you do not need to answer prompts manually.
  • -addext "subjectAltName=..." adds the SAN field required by modern browsers.

During the process, OpenSSL displays random characters while generating the key.

If you do not see any errors, the certificate and private key were created successfully. For security reasons, limit access to the private key so only the root user can read it.

sudo chmod 600 /etc/ssl/store.tecmint.com/apache.key

You can confirm the files were created with:

ls -l /etc/ssl/store.tecmint.com/

Example output:

total 8
-rw-r--r-- 1 root root 2130 May 26 12:33 apache.crt
-rw------- 1 root root 3272 May 26 12:33 apache.key

The apache.key file should show 600 permissions (rw-------), which means only the root user can access it.
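
The checks below are an added example, not part of the original guide: they confirm that the certificate's SAN covers the hostname, that apache.key belongs to apache.crt, that the key's mode is restrictive, and they print the SHA-256 fingerprint a client can compare out of band, since no CA vouches for this certificate. The function names check_cert and cert_fingerprint are hypothetical, and stat -c assumes GNU coreutils, as on Ubuntu.

```sh
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for the
# key/certificate pair created in Step 3. Function names are hypothetical.

# Print the SHA-256 fingerprint, to compare out of band with the
# fingerprint a client sees when it connects.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_cert CERT KEY HOST: return 0 only if every check passes.
check_cert() {
    cert=$1 key=$2 host=$3

    # SAN must cover the hostname; openssl exits 0 either way, so read its verdict.
    openssl x509 -in "$cert" -noout -checkhost "$host" \
        | grep -q "does match certificate" \
        || { echo "FAIL: $host is not covered by the certificate"; return 1; }

    # The private key must belong to this certificate (same public key).
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL: key does not match certificate"; return 1; }

    # Private key readable by its owner only (600 or 400).
    mode=$(stat -c '%a' "$key")
    case $mode in
        600|400) ;;
        *) echo "FAIL: $key has mode $mode"; return 1 ;;
    esac

    # Fail if the certificate expires within 7 days (604800 seconds).
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null \
        || { echo "FAIL: certificate expires within 7 days"; return 1; }

    echo "OK: $host $(cert_fingerprint "$cert")"
}

# Usage on the server (root is needed to read the key):
#   sudo sh check_cert.sh /etc/ssl/store.tecmint.com/apache.crt \
#        /etc/ssl/store.tecmint.com/apache.key store.tecmint.com
if [ "$#" -eq 3 ]; then check_cert "$@"; fi
```

On a client, the fingerprint shown in the browser's certificate details should equal the value printed here before the warning is accepted.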

Step 4: Create the Apache Virtual Host for HTTPS

Now you need to configure Apache so it knows how to serve your site over both HTTP and HTTPS, so start by creating a new virtual host configuration file for store.tecmint.com.

sudo nano /etc/apache2/sites-available/store.tecmint.com-ssl.conf

Inside the file, paste the following configuration that includes a redirect from HTTP (port 80) to HTTPS, and a secure HTTPS virtual host on port 443.

<VirtualHost *:80>
    ServerName store.tecmint.com
    ServerAlias www.store.tecmint.com
    Redirect permanent / https://store.tecmint.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName store.tecmint.com
    ServerAlias www.store.tecmint.com
    DocumentRoot /var/www/store.tecmint.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/store.tecmint.com/apache.crt
    SSLCertificateKeyFile /etc/ssl/store.tecmint.com/apache.key

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off

    Header always set Strict-Transport-Security "max-age=63072000"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff

    ErrorLog ${APACHE_LOG_DIR}/store.tecmint.com-error.log
    CustomLog ${APACHE_LOG_DIR}/store.tecmint.com-access.log combined
</VirtualHost>

Save and exit the editor using Ctrl + O, press Enter, then Ctrl + X.

A quick note on the security settings:

  • SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 disables outdated and insecure protocols.
  • SSLCipherSuite limits connections to modern encryption ciphers that support forward secrecy, which helps protect past traffic even if a key is compromised.
  • Security headers like Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options help protect against common browser-based attacks.

Next, create the document root directory for your website and add a simple test page so you can verify everything is working.

sudo mkdir -p /var/www/store.tecmint.com
echo "<h1>store.tecmint.com is live over HTTPS</h1>" | sudo tee /var/www/store.tecmint.com/index.html

Once this is done, the site is ready to be enabled and tested in the next step.

Step 5: Enable the Site and Test the Configuration

Now that your virtual host file is ready, you need to enable it in Apache using a2ensite to activate the new configuration:

sudo a2ensite store.tecmint.com-ssl.conf

Example output:

Enabling site store.tecmint.com-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2

Before restarting or reloading Apache, always check the configuration for errors, which helps you avoid breaking the web server due to small mistakes.

sudo apache2ctl configtest

If everything is correct, you should see:

Syntax OK

If you see anything other than Syntax OK, there is a configuration issue. Common problems include:

  • A missing > in a <VirtualHost> block.
  • Incorrect file paths in SSLCertificateFile or SSLCertificateKeyFile.
  • Typos in module names or directives.

Open the file again and fix the error before continuing.

Finally, reload Apache to apply the new site configuration without fully stopping the service:

sudo systemctl reload apache2

Step 6: Open Port 443 in UFW

If UFW (Uncomplicated Firewall) is enabled on your server, HTTPS traffic on port 443 will be blocked by default, so you need to allow both HTTP and HTTPS traffic.

The easiest way is to enable the Apache Full profile, which opens both port 80 (HTTP) and port 443 (HTTPS).

sudo ufw allow 'Apache Full'

Example output:

Rule added
Rule added (v6)

At this point, the site should be active and you can now open your browser and test:

https://store.tecmint.com

You will likely see a browser warning because this is a self-signed certificate, which is expected behavior, and you can safely proceed for testing purposes.

Conclusion

You now have Apache running on Ubuntu 26.04 with a self-signed SSL certificate, a working HTTPS virtual host for store.tecmint.com, an automatic HTTP-to-HTTPS redirect, and a TLS configuration that accepts only TLS 1.2 and 1.3.

The certificate encrypts all traffic between the client and your server; the only thing the browser can’t verify is whether a trusted CA signed it, which is what triggers the warning.

For a staging server or internal tool, that warning is fine, but when you’re ready to go public, swap the self-signed certificate for a CA-signed one by following the Certbot with Let’s Encrypt guide.

Open https://store.tecmint.com in your browser now and accept the warning, click through to the certificate details, and confirm the connection is showing TLS 1.3.
