howto: self-signed ssl certificate for apache2 on debian buster

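# create storage location for cert+key
# -m 700: this directory will hold the private key, so keep it closed to
#         other local users (apache reads the files as root at startup)
# -p:     no error when the directory already exists (its mode is then left as is)
mkdir -p -m 700 /etc/apache2/ssl && cd /etc/apache2/ssl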

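# generate cert+key
# -nodes leaves key.pem unencrypted so apache can start unattended; file
# permissions are then the key's only protection, so create it under a strict
# umask (inside a subshell, so the umask of the login shell is left alone).
# Both files end up readable by their owner only, which is enough for apache
# because it reads them as root at startup.
# The CN is a random identifier, not a hostname, and the cert is self-signed:
# clients get encryption but cannot verify the server's identity unless they
# are given cert.pem out of band. -days 365: regenerate within a year.
(
  umask 077
  openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=7362cb9e-13a0-4043-87f3-4a176a8aec64' -keyout key.pem -out cert.pem -days 365
)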

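# enable ssl, plus rewrite for the http -> https redirect used in the vhost
# (RewriteEngine is rejected as an invalid directive until mod_rewrite is on)
sudo a2enmod ssl rewrite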

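# set up ssl, and redirect non-ssl
# (absolute path: the shell is still in /etc/apache2/ssl after the cd above,
#  so a path relative to /etc/apache2 would not resolve)
cat /etc/apache2/sites-available/default.conf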
# Plain-http vhost: exists only to send every request on port 80 to the same
# host and path over https, as a permanent (301) redirect.
# RewriteEngine is provided by mod_rewrite, which has to be enabled as well
# (a2enmod rewrite) or apache refuses to load this file.
# NOTE(review): the redirect target is built from %{HTTP_HOST}, i.e. the Host
# header supplied by the client; on a catch-all vhost consider redirecting to
# a fixed server name instead.
<VirtualHost *:80>
  RewriteEngine On
  # matches requests that did not arrive over TLS
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# TLS vhost; _default_ makes it the fallback for port 443 requests that no
# other vhost claims.
<VirtualHost _default_:443>
  DocumentRoot /var/www/default

  ErrorLog ${APACHE_LOG_DIR}/default.ssl.error.log
  CustomLog ${APACHE_LOG_DIR}/default.ssl.access.log combined

  # Self-signed certificate and its private key as generated above.
  # key.pem is stored without a passphrase (openssl -nodes), so it should be
  # readable by root only.
  SSLEngine on
  SSLCertificateFile    /etc/apache2/ssl/cert.pem
  SSLCertificateKeyFile /etc/apache2/ssl/key.pem

  # +StdEnvVars exports the standard SSL_* environment variables; it is
  # limited to script files and the cgi-bin directory rather than set for
  # every request.
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
     SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>
</VirtualHost>

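# enable site, check the config, then restart
a2ensite default
# restart only if the configuration parses; a restart with a broken config
# stops the running server and then fails to start it again
apache2ctl configtest && systemctl restart apache2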

mostly as a reminder for future-me 🙂