With TLS/SSL the connection is encrypted, the identity of the communicating parties can be authenticated (in most setups) and the integrity of the transmitted data is ensured. Read more on Wikipedia.
Configuration
Generate a 2048-bit RSA private key
sudo openssl genrsa -out /etc/ssl/private/apache.key 2048
Create a self-signed certificate with a SHA-256 signature. The most important field is the "Common Name", which has to be the domain name.
sudo openssl req -new -x509 -key /etc/ssl/private/apache.key -days 365 -sha256 -out /etc/ssl/certs/apache.crt
Add the following to /etc/apache2/ports.conf
<IfModule mod_ssl.c>
    Listen 443
</IfModule>
Create /etc/apache2/sites-available/ssl.conf
Activate the config
sudo a2enmod ssl
sudo a2ensite ssl.conf
sudo service apache2 force-reload
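An added example, not code from the page: a POSIX shell script that runs the same genrsa and req commands into a temporary directory (no sudo, no /etc paths) and then checks with openssl x509 that the result has the properties the steps above aim for: the Common Name equals the domain, the signature algorithm is SHA-256, the key is 2048 bits, the private key belongs to the certificate, and the certificate is not about to expire. The domain example.test and the scratch paths are placeholders; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original page: run the page's key and
# certificate commands into a scratch directory and verify the result before
# Apache is pointed at the files.
# Assumptions: openssl is on PATH; "example.test" is a placeholder domain.
set -eu

DOMAIN="${DOMAIN:-example.test}"   # placeholder host name, constructed for the example
WORK="$(mktemp -d)"
KEY="$WORK/apache.key"
CRT="$WORK/apache.crt"

# The page's two commands; -subj answers the interactive prompts with CN = domain.
gen_key_and_cert() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    openssl req -new -x509 -key "$KEY" -days 365 -sha256 \
        -subj "/CN=$DOMAIN" -out "$CRT" 2>/dev/null
}

# Common Name of the certificate subject, e.g. "example.test".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Signature algorithm, e.g. "sha256WithRSAEncryption" (a SHA-1 value here would be a finding).
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Size of the RSA public key in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 only if the private key belongs to the certificate (same RSA modulus).
key_matches_cert() {
    k="$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)"
    c="$(openssl x509 -in "$2" -noout -modulus)"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Exit 0 only if the certificate stays valid for at least the given number of days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Full pre-flight: key file, certificate file, expected domain.
check_cert() {
    [ "$(cert_cn "$2")" = "$3" ] &&
    [ "$(cert_sigalg "$2")" = "sha256WithRSAEncryption" ] &&
    [ "$(cert_key_bits "$2")" -ge 2048 ] &&
    key_matches_cert "$1" "$2" &&
    cert_valid_for_days "$2" 30
}

gen_key_and_cert
if check_cert "$KEY" "$CRT" "$DOMAIN"; then
    echo "OK: $CRT is a SHA-256 signed, 2048-bit certificate for $DOMAIN"
else
    echo "FAIL: $CRT did not pass the checks" >&2
fi
```

For a key and certificate already installed under /etc/ssl, call `check_cert /etc/ssl/private/apache.key /etc/ssl/certs/apache.crt your.domain` as root; a mismatch between key and certificate is the usual reason Apache refuses to start after a certificate is replaced.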
Generate a Certificate Signing Request (CSR) for a CA-signed certificate
Again, the most important field is the "Common Name", which has to be the domain name.
sudo openssl req -new -key /etc/ssl/private/apache.key -out ~/apache.csr
Once you have received the signed certificate from the CA, save it as
/etc/ssl/certs/apache.crt
Even more secure with HTTP Strict Transport Security
You can force browsers to use HTTPS only by adding this to /etc/apache2/sites-available/ssl.conf inside the port-443 VirtualHost section
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
and run this to install the Apache headers module
sudo a2enmod headers
sudo service apache2 restart
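As an added example (not from the page), a shell check that a server really answers with the header configured above. The classifier accepts a header line only if it carries at least the page's max-age of 15552000 seconds (180 days) and includeSubDomains; the threshold constant and the sample header blocks are constructed for this example. Against a live host you would feed it the output of `curl -sI https://your.domain`.

```shell
#!/bin/sh
# Added example, not code from the original page: verify that a response carries
# the Strict-Transport-Security header the Apache directive above sets.
# The header samples below are constructed; with a real server use
#   curl -sI https://HOST | hsts_check_response
set -eu

MIN_MAX_AGE=15552000   # 180 days, the value the page's Header directive sets

# Print the max-age value of an HSTS header value; prints nothing if absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Classify one raw response header line.
# Prints "missing" (not an STS header), "weak" (max-age too small or no includeSubDomains) or "ok".
hsts_status() {
    line="$1"
    case "$(printf '%s' "$line" | tr 'A-Z' 'a-z')" in
        strict-transport-security:*) ;;
        *) echo missing; return 0 ;;
    esac
    value="${line#*:}"
    age="$(hsts_max_age "$value")"
    if [ -z "$age" ] || [ "$age" -lt "$MIN_MAX_AGE" ]; then
        echo weak; return 0
    fi
    case "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" in
        *includesubdomains*) echo ok ;;
        *) echo weak ;;
    esac
}

# Scan a whole header block on stdin (as curl -sI prints it) and report the best STS line found.
hsts_check_response() {
    result=missing
    while IFS= read -r line; do
        s="$(hsts_status "$line")"
        [ "$s" = ok ] && { result=ok; break; }
        [ "$s" = weak ] && result=weak
    done
    echo "$result"
}

# Constructed sample responses: one correct, one with a useless max-age, one without HSTS.
GOOD_HEADERS="HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Type: text/html"
WEAK_HEADERS="HTTP/1.1 200 OK
Strict-Transport-Security: max-age=0
Content-Type: text/html"
PLAIN_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html"

for name in GOOD WEAK PLAIN; do
    eval "block=\$${name}_HEADERS"
    echo "$name: $(printf '%s\n' "$block" | hsts_check_response)"
done
```

A "weak" result with max-age=0 is worth knowing about: that value is what a site sends to switch HSTS off again, so an accidental 0 silently undoes the protection configured above.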
You can view the installed modules with
apache2ctl -M
Let's Encrypt
If you use Let's Encrypt certificates, check that the permissions of /etc/letsencrypt/live are drwxr-xr-x with
ls -l /etc/letsencrypt/live
or set them with
sudo chmod -R 755 /etc/letsencrypt/live
because otherwise, in some use cases, you get this error
SSLCertificateFile: file '/etc/letsencrypt/live/.../fullchain.pem' not exist or is empty
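An added example, not from the page: a pre-flight script that tests the two conditions behind this error, the mode of the live directory and whether fullchain.pem resolves to a readable, non-empty file, before Apache is reloaded. It builds a constructed copy of certbot's live/ and archive/ layout (live/DOMAIN/fullchain.pem is a symlink into archive/) in a temporary directory so it can run anywhere; LE_ROOT and the domain example.test are placeholders, and for a real check you would set LE_ROOT=/etc/letsencrypt.

```shell
#!/bin/sh
# Added example, not code from the original page: reproduce the checks behind
# the "file ... not exist or is empty" error before reloading Apache.
# Assumptions: certbot-style layout live/<domain>/fullchain.pem -> ../../archive/<domain>/fullchainN.pem;
# LE_ROOT defaults to a constructed temp copy, "example.test" is a placeholder domain.
set -eu

# Mode string of a directory as ls prints it, e.g. "drwxr-xr-x" (works with GNU and BSD ls).
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 if the directory has exactly the mode the page asks for.
live_dir_mode_ok() {
    [ "$(dir_mode "$1")" = "drwxr-xr-x" ]
}

# Exit 0 if the certificate path (following any symlink) is a readable, non-empty regular file.
cert_file_ok() {
    [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ]
}

# Combined check for one domain; prints Apache-style diagnostics to stderr on failure.
le_preflight() {
    root="$1"; domain="$2"
    live="$root/live"
    cert="$live/$domain/fullchain.pem"
    ok=0
    if ! live_dir_mode_ok "$live"; then
        echo "$live has mode $(dir_mode "$live"), expected drwxr-xr-x (fix: chmod -R 755 $live)" >&2
        ok=1
    fi
    if ! cert_file_ok "$cert"; then
        echo "SSLCertificateFile: file '$cert' does not exist or is empty" >&2
        ok=1
    fi
    return $ok
}

# Constructed layout mimicking certbot, only built when LE_ROOT has no live/ yet.
LE_ROOT="${LE_ROOT:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-example.test}"   # placeholder domain
if [ ! -d "$LE_ROOT/live" ]; then
    mkdir -p "$LE_ROOT/live/$DOMAIN" "$LE_ROOT/archive/$DOMAIN"
    chmod 755 "$LE_ROOT/live" "$LE_ROOT/live/$DOMAIN"
    printf -- '-----BEGIN CERTIFICATE-----\n(constructed placeholder, not a real certificate)\n-----END CERTIFICATE-----\n' \
        > "$LE_ROOT/archive/$DOMAIN/fullchain1.pem"
    ln -s "../../archive/$DOMAIN/fullchain1.pem" "$LE_ROOT/live/$DOMAIN/fullchain.pem"
fi

if le_preflight "$LE_ROOT" "$DOMAIN"; then
    echo "OK: Apache can read $LE_ROOT/live/$DOMAIN/fullchain.pem"
fi
```

Because live/ only holds symlinks, a dangling link (for example after a renewal whose archive file was moved) produces the same Apache error as wrong directory permissions; cert_file_ok catches both because `-f` and `-s` test the link target.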