Creating Self-Signed SSL Certificates
Posted on March 13th, 2009
SSL certificates are a fundamental part of Transport Layer Security. SSL certs are used as a means of authentication; by this I mean that a cert is mapped to a particular web site or web server and helps ensure that you are at the right place on the web. To host a secure web site you are expected to get the cert signed by a Certificate Authority like VeriSign, GeoTrust or some other CA, but if you are only interested in creating SSL certs for the purpose of a secure connection then self-signed certs would be the best way to go (plus they are free).
(I put this post here because every time my certs expire I have to crawl the web to find the right set of commands to run to get the SSL cert again; it took me quite a while to find them last time. So hopefully this post will help someone somewhere.)
1. Software You Need
You need the right tools for the job. OpenSSL is perfect for this and usually comes by default on your favorite Linux distribution and on Mac OS X. (There is a Windows version of it, but I'm not going to cover that here.)
2. Generate a Private Key
The first step is to create the RSA private key for your server. The key here is a 1024-bit RSA key which is encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text. (You can use any key length you wish as long as it is a power of 2, but remember that the longer the key is, the longer it will take to load the web page. You can also use any encryption algorithm you want to encrypt it; there are a number you can choose from, and they can be found in the OpenSSL manual. Personally, you shouldn't choose anything weaker than Triple-DES as your encryption algorithm.)
openssl genrsa -des3 -out server.key 1024
3. Generate the Certificate Signing Request (CSR)
This is usually the file that you would send to the CA to get a verified cert, but in this case it is required to create a self-signed cert.
Running this command will require that you enter a number of details, such as company name, address, and the FQDN of the server in question (probably the most important bit).
openssl req -new -key server.key -out server.csr
Note: With the current implementation of OpenSSL, the prompt that defines the FQDN, "Common Name", is now just described as your name (in a comment), which I think might be wrong. Put the FQDN in here or you will get two errors with the certificate: 1. that it is self-signed and 2. that it is for a different server name.
Update: The private key created above is password protected, and Apache cannot load it unless you explicitly point it to the password or type the password in when it is starting up. To remove this problem:
cp server.key server.key.original
openssl rsa -in server.key.original -out server.key
This is the less secure option, but it is more user friendly.
4. Generate your Self-Signed Cert
The command below creates the cert and puts it into the server.crt file. This can then be used with any server application, such as Apache for secure web pages or your email server. One thing to note is that when you go to the site with the SSL cert, your browser or email client will throw an error about the cert, such as that the signing certificate authority is unknown and not trusted. But the cert is still good for initiating secure TLS connections.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
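The four steps above run end to end, as an added example rather than the post's own commands, with checks for the two certificate errors the post mentions (self-signed, wrong server name). It assumes openssl 1.0.2 or later is on PATH; the host name www.example.test and the passphrase "changeit" are made-up values for the demonstration, and it uses a 2048-bit key with AES-256 rather than the post's 1024-bit/Triple-DES choice.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's steps as one
# script, plus checks that the result is what the post promises.
# Assumptions: openssl 1.0.2+ on PATH; "www.example.test" and the
# passphrase "changeit" are made-up values for this demonstration.
set -eu

make_selfsigned() {
    fqdn="$1"; dir="$2"; pass="${3:-changeit}"
    mkdir -p "$dir"
    # Step 2: passphrase-protected RSA key (2048-bit, AES-256 here);
    # -passout answers the prompt so the script runs unattended.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key.original" 2048 2>/dev/null
    # The post's update: strip the passphrase so the web server can start unattended.
    openssl rsa -in "$dir/server.key.original" -passin "pass:$pass" -out "$dir/server.key" 2>/dev/null
    # Step 3: CSR; -subj answers the prompts, putting the FQDN in the Common Name.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=Example Org/CN=$fqdn"
    # Step 4: self-sign for 365 days. The FQDN also goes into a subjectAltName,
    # because browsers now match the host name against the SAN, not the CN.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# True when the certificate's subject equals its issuer, i.e. it is self-signed.
is_self_signed() {
    [ "$(openssl x509 -noout -subject -in "$1")" = \
      "$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=/subject=/')" ]
}

# True when the certificate covers the given host name (the post's error 2).
cert_matches_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" | grep -q 'does match'
}

# True when the private key and the certificate share the same RSA modulus.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$1/server.key")" ]
}

# Usage: sh selfsigned.sh www.example.test ./certs
if [ $# -eq 2 ]; then
    make_selfsigned "$1" "$2"
    # The first verify fails with "self-signed certificate" (the browser warning
    # the post describes); trusting the cert explicitly makes the second one pass.
    openssl verify "$2/server.crt" || true
    openssl verify -CAfile "$2/server.crt" "$2/server.crt"
fi
```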
One response to “Creating Self-Signed SSL Certificates”
Software, June 28th, 2010 at 11:20
Congratulations! You have just won a new feed reader... really delicious post, Mike.
©2009 Strotos Communications