How to create your own SSL Certificate


Published on February 27th, 2007 in Best of, Other, Ubuntu, Web

The openssl toolkit is typically used to generate an RSA private key and a CSR (Certificate Signing Request), but it can also produce self-signed certificates, which are suitable for testing or for internal use where you control the clients that must trust them.

Step 1: Generate a Private Key

The first step is to create your RSA private key. The original post generated a 1024-bit key; 1024-bit RSA is no longer accepted by browsers or by public CAs, so the command below uses 2048 bits, the current minimum. The key is encrypted with Triple-DES (pass -aes256 instead of -des3 if you prefer a modern cipher for the key wrapping) and stored in PEM format so that it is readable as ASCII text.

openssl genrsa -des3 -out server.key 2048

Step 2: Generate a CSR (Certificate Signing Request)

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for “Common Name (e.g., YOUR name)”. Fill this field in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected is https://www.yatblog.com, enter www.yatblog.com at this prompt. For a so-called “wildcard” certificate, enter an asterisk as the leftmost label, in our example *.yatblog.com. Note that a wildcard matches exactly one label: *.yatblog.com covers www.yatblog.com and mail.yatblog.com, but neither a.b.yatblog.com nor the bare yatblog.com. Note also that modern browsers ignore the Common Name entirely and match the hostname only against the subjectAltName extension, so the CN-only CSR produced by the command below is fine for a quick test but a certificate meant to be used for real needs a subjectAltName listing every hostname it serves. The command to generate the CSR is as follows:

openssl req -new -key server.key -out server.csr

Step 3: Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. This is inconvenient because someone will not always be around to type it in, such as after a reboot or crash. mod_ssl can call an external program in place of the built-in pass-phrase dialog (the SSLPassPhraseDialog directive), but that only moves the secret to another file on the same host, so it is not a real security gain. The alternative is to remove the Triple-DES encryption from the key, so that no pass-phrase is needed at all. If the private key is no longer encrypted, it is critical that this file be readable only by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked and the key replaced, since anyone holding the key can impersonate your server for as long as the certificate is valid. With that said, use the following commands to remove the pass-phrase from the key:

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

The newly created server.key file has no passphrase in it anymore.

-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

Note that this listing shows mode 644, that is, world-readable: any local user could copy the now-unencrypted server.key. Tighten both key files to mode 0600 (owner read/write only) before going any further.

Step 4: Generating a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don’t plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 365 days and is signed with SHA-256 (older OpenSSL releases default to SHA-1, which browsers reject), issue the following command:

openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out server.crt

Step 5: Installing the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.

cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key

Step 6: Configuring SSL Enabled Virtual Hosts

<VirtualHost www.yourdomain.com:443>
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

If you also want plain HTTP requests arriving on the standard, unencrypted port 80 redirected to the encrypted site, add a second virtual host for the same name:

<VirtualHost www.yourdomain.com:80>
RedirectPermanent / https://www.yourdomain.com/
</VirtualHost>

Step 7: Restart Apache and Test

/etc/init.d/apache2 restart
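The whole procedure, steps 1 through 4 plus the check you would run once Apache is back up after step 7, as one script. This is an added example and not code from the original post. It departs from the post in three deliberate ways: the key is written unencrypted from the start under a restrictive umask, which replaces the encrypt-then-strip sequence of steps 1 and 3 while still guaranteeing that only the owner can read it; a small openssl.cnf supplies a subjectAltName so that browsers, which ignore the Common Name, will accept the certificate; and the signature digest is SHA-256. The SAN list is the general mechanism, so the same function also produces one certificate for several unrelated domains. The hostnames www.yatblog.com and yatblog.com, the scratch directory, and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post.  Generates a self-signed
# server certificate in one go: 2048-bit RSA key with no passphrase (mode 0600),
# CSR and certificate carrying a subjectAltName, SHA-256 signature, 365 days.
# Hostnames and directories below are placeholders.
set -eu

# gen_selfsigned_cert OUTDIR CN [EXTRA_DNS_NAME ...]
# Produces OUTDIR/server.key, OUTDIR/server.csr and OUTDIR/server.crt.
gen_selfsigned_cert() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir"

    # Steps 1 and 3 in one: the key is never encrypted, so it must never be
    # readable by anyone but its owner.  umask 077 gives 0600 at creation.
    (umask 077 && openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null)

    # Every hostname the certificate must serve goes into the SAN extension;
    # clients match against SAN only and ignore the Common Name.
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done

    # Minimal config: non-interactive subject plus the SAN extension, reused
    # for both the CSR (req_extensions) and the final certificate (-extfile).
    cat > "$outdir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF

    # Step 2: certificate signing request.
    openssl req -new -key "$outdir/server.key" -config "$outdir/openssl.cnf" \
        -out "$outdir/server.csr"

    # Step 4: self-sign for 365 days.  Older OpenSSL defaults to SHA-1, which
    # browsers reject, so the digest is set explicitly.
    openssl x509 -req -days 365 -sha256 -in "$outdir/server.csr" \
        -signkey "$outdir/server.key" -extfile "$outdir/openssl.cnf" \
        -extensions v3_req -out "$outdir/server.crt" 2>/dev/null
}

# cert_key_match CERT KEY: succeeds only if CERT's public key is KEY's public
# key.  Catches the classic "wrong server.key next to server.crt" mistake.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_has_san CERT NAME: succeeds if NAME is present as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "(^|[ ,])DNS:$2(,|$)"
}

# cert_valid_now CERT: succeeds if CERT is inside its validity period.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# deployed_cert_matches HOST PORT CERT: after step 7, connect with SNI and
# compare the served certificate's SHA-256 fingerprint with the local file.
# Needs a running server, so the demonstration below does not call it.
deployed_cert_matches() {
    served=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    local_fp=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
    [ -n "$served" ] && [ "$served" = "$local_fp" ]
}

# Demonstration run against a scratch directory.
demo_dir=$(mktemp -d)
gen_selfsigned_cert "$demo_dir" www.yatblog.com yatblog.com
ls -l "$demo_dir/server.key"
openssl x509 -in "$demo_dir/server.crt" -noout -subject -enddate
openssl x509 -in "$demo_dir/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
if cert_key_match "$demo_dir/server.crt" "$demo_dir/server.key"; then
    echo "key and certificate match"
fi
```

After copying server.key and server.crt into place and restarting Apache, run deployed_cert_matches www.yourdomain.com 443 server.crt from another machine: it fails if the server is still presenting an old or default certificate, or if a virtual host mix-up is serving a certificate for a different name.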


14 comments

    Kalessin March 10th, 2007

    Fantastic… I’ve read a number of similar guides over the past few weeks and this is the best, at least for Debian/Ubuntu, anyway.

    Tara April 25th, 2007

    Exactly what I needed (Red Hat OS). THANKS.

    Holger May 1st, 2007

    GREAT HowTo. Precisely what I was looking for. Thanks!

    Gary July 19th, 2007

    Just what I needed. Very helpful - OK on Gentoo. Thanks very much indeed

    Muhammad Mahmood Sarfraz July 25th, 2007

    good document on creation of SSL certificate

    Q-Zma October 11th, 2007

    is it possible to generate single certificate which will be valid for several domains? for example: domainone.com and domaintwo.com?

    Martin October 12th, 2007

    Hi Q-Zma

    Unfortunately not. You will have to create one for every domain.

    TheMacThinker October 28th, 2007

    Is it possible to create your own ssl certification on your desktop and then upload it to a shared hosted server and modify your php.ini or .htaccess files to make apache use it? If so how?
    In fact I would like to create my own certificate and be able to use it without upgrading my hosted domain plan and because I do not have root access to the server I would like to configure .htaccess if possible to use the certificate.
    Any insight would be appreciated .

    Aion October 29th, 2007

    Sounds hard… but I will try it , don’t want to pay 100$ for one :(

    btaz November 1st, 2007

    Excellent…… thanks a lot!

    We want more……

    :)

    Tye December 7th, 2007

    Thanks. I needed a simple run through the process.

    Robert February 10th, 2008

    TheMacThinker,

    It would be possible to use your own self signed certificate on your shared hosting but the main problem is that, if it is a shared server, you most likely don’t have a unique IP address and the SSL protocol requires a unique IP address/port for every certificate. You would also need to configure Apache to use the certificate so it completely depends on your hosting provider.

    Laxman singh May 28th, 2008

    Thanks,

    Very straightforward how-to on creating a certificate and implementing it with a vhost.

    The steps involved in creating self-signed authority under Ubuntu.

    Here is the very simple way of creating a Self signed certificate.
    enter the command as follows to generate a certificate valid for 365 days
    sudo apache2-ssl-certificate -days 365

    The program asks for a few inputs. Please enter them as required. It is shown below:

    Country Name (2 letter code) [GB]:

    State or Province Name (full name) [Some-State]:

    Locality Name (eg, city) []:Singapore
    Organization Name (eg, company; recommended) []:

    Organizational Unit Name (eg, section) []:
    server name (eg. ssl.domain.tld; required!!!) []:enter your domain name here

    Email Address []:

    Now you should have your certificate ready to use.

    (NOTE: Ubuntu Feisty has a bug where the command apache2-ssl-certificate is missing. This is a well documented bug. Here is the file you need to download to overcome this defect to create a self signed certificate. After you download, follow the notes below to copy the downloaded files to the location where they are supposed to be present.

    Extract the package and put ssleay.cnf to /usr/share/apache2/ and apache2-ssl-certificate to /usr/sbin.
    Create /etc/apache2/ssl directory. Then apache2-ssl-certificate script should work.)

    Once you have your certificate ready, you need to configure your apache2.conf file. In this case, the configuration is very simple. Here is an example of how to do it:

    NameVirtualHost *:443

    <VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName securedomain
    ServerAlias securedomain www.domain3.com
    DocumentRoot /var/www/ssl_securearea

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem

    <Directory /var/www/ssl_securearea>
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    </Directory>
    </VirtualHost>

    Above I have shown the whole virtual host configuration to be complete, but I hope you get an idea of where to put it.

    On Ubuntu you need this step to recover the missing apache2-ssl-certificate command.

    Here is the file you need to download to overcome this defect to create a self signed certificate. After you download, follow the notes below to copy the downloaded files to the location where they are supposed to be present.
    1. Extract the package
    2. put ssleay.cnf to /usr/share/apache2/
    3. put apache2-ssl-certificate to /usr/sbin.
    4. Create /etc/apache2/ssl directory.
    Now apache2-ssl-certificate script should work.

    http://librarian.launchpad.net/7477840/apache2-ssl.tar.gz

    After downloading and following these steps, the certificate worked.

    sjmiller June 5th, 2008

    Brilliant instructions. Thank you!
