This document describes how HTTPS was enabled for the osTicket help desk application using a locally generated SSL certificate. The configuration is intended for an internal lab environment to simulate secure web access within an enterprise network.
Sensitive configuration values, file paths, and access URLs are intentionally omitted.
Even in internal environments, encrypting web traffic is a best practice. Enabling HTTPS for osTicket provides:
- Encrypted communication between clients and the help desk server
- Protection of authentication data in transit
- Experience configuring SSL on a Linux web server
- Familiarity with browser trust warnings and certificate validation
A self-signed SSL certificate was generated for this lab.
- No external Certificate Authority (CA) required
- Suitable for internal testing and development
- Allows full HTTPS functionality without public trust
Because the certificate is self-signed, browsers display a security warning. This behavior is expected and documented.
osTicket is hosted using the Apache web server on Ubuntu.
- Apache HTTPS support enabled
- SSL module activated
- Virtual host configured for HTTPS
- osTicket site bound to the SSL virtual host
- HTTP traffic allowed for initial access and testing
The following checks were performed to validate the HTTPS configuration:
- osTicket loads successfully over HTTPS
- Apache service starts without SSL-related errors
- Browser displays certificate trust warning (expected)
- Admin and user portals remain accessible
- No mixed-content errors observed
When accessing the site, the browser displays a “Not Secure” or certificate warning.
- The certificate is not signed by a trusted public CA
- The certificate is used only within the internal lab
- No sensitive production data is exposed
This behavior is acceptable and expected in a lab environment.
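The self-signed certificate and the trust warning described above can be reproduced with OpenSSL. This is an added example, not the commands used in the original lab: the hostname `helpdesk.lab.example`, the file names `lab.key` and `lab.crt`, and the helper function names are constructed placeholders, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab): hostname and file names are constructed.
set -eu

# Create a 2048-bit RSA key and a self-signed certificate for host $2 in directory $1.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/lab.key" -out "$1/lab.crt" 2>/dev/null
    chmod 600 "$1/lab.key"   # private key readable by its owner only
}

# Succeeds when subject and issuer names are identical (self-signed).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds when certificate $1 validates against trust anchor file $2.
# With no $2, the system's default trust store is used, as on a client
# that has not imported the certificate.
trusted_by() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

demo() {
    dir=$(mktemp -d)
    make_self_signed "$dir" "helpdesk.lab.example"
    is_self_signed "$dir/lab.crt" && echo "issuer == subject: self-signed"
    trusted_by "$dir/lab.crt" || echo "default trust store: rejected (browser warning)"
    trusted_by "$dir/lab.crt" "$dir/lab.crt" && echo "imported as trust anchor: accepted"
    openssl x509 -in "$dir/lab.crt" -noout -enddate   # no automatic renewal: track this date
    rm -rf "$dir"
}
demo
```

The warning disappears only on clients that explicitly import this certificate as a trust anchor; the traffic is encrypted either way.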
Security considerations:
- SSL encrypts traffic despite the certificate not being publicly trusted
- No external access to the help desk system
- Certificate files are stored securely on the server
- HTTPS configuration reduces risk of credential interception
Limitations:
- Certificate is not trusted by default
- No automatic certificate renewal
- No public DNS validation
- Not suitable for production environments
Possible improvements:
- Replace self-signed certificate with internal CA
- Use Let’s Encrypt for trusted certificates in production
- Enforce HTTP to HTTPS redirection
- Harden SSL/TLS configuration