How to create and install a self-signed certificate
What is a self-signed certificate?
When people hear that a server uses a self-signed certificate, the usual reaction is “What?! Your server is unprotected!” That is wrong. Not 100% wrong, but most of the time it is. Why? It’s true that self-signed certificates have been abused to impersonate other companies. However, browsers nowadays always warn you that a certificate is not trusted because it is self-signed, and they give you the option to confirm it manually and add an exception. At that point you can view the actual certificate and decide whether it is really trying to impersonate someone.
In this tutorial I’ll show you how to create a self-signed certificate and install it on an Apache web server on Linux.
Creating the self-signed certificate
The first real step is to create your own certificate. In this tutorial we’re going to show you how to do this on Ubuntu Linux (that’s my current OS installation, so it’s easier for me), but you can use any Linux distribution that has openssl installed. The command you need is below:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
This will create a self-signed certificate and private key valid for 365 days, using a 2048-bit RSA key. If you do not have openssl installed, you can install it with:
    # Debian / Ubuntu
    apt-get install openssl
    # CentOS / Red Hat
    yum install openssl
Two new files will be created in your current directory:
- server.key
- server.crt
These two files are the ones you need to set up your SSL configuration.
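A pre-deployment check for these two files, as an added example that is not part of the original tutorial: it generates the pair with the same openssl command (made non-interactive with `-subj`), confirms that the key belongs to the certificate and that the unencrypted key is readable only by its owner, and prints the SHA-256 fingerprint to compare with what the browser shows in its warning. The function names and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are hypothetical.

# Generate the pair with the tutorial's openssl command, non-interactively.
# $1 = output directory, $2 = common name for the certificate subject
make_selfsigned() (
    umask 077                          # key is never created world-readable
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    chmod 600 "$1/server.key" && chmod 644 "$1/server.crt"
)

# True only when the certificate carries the public key derived from the key file.
pair_matches() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# True when only the owner can read or write the key (-nodes leaves it unencrypted).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# SHA-256 fingerprint, the value to compare against the browser's warning dialog.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Run every check; $1 = certificate, $2 = key. Non-zero exit means do not deploy.
preflight() {
    pair_matches "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
    key_is_private "$2"    || { echo "FAIL: key readable by others"; return 1; }
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: certificate expires within 30 days"; return 1; }
    echo "OK  SHA-256 fingerprint: $(fingerprint "$1")"
}

# Demo in a scratch directory; server.com is the ServerName used in this tutorial.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" server.com && preflight "$demo_dir/server.crt" "$demo_dir/server.key"
rm -rf "$demo_dir"
```

Run `preflight` against the real paths before restarting Apache, and record the fingerprint it prints so that anyone accepting the browser exception can compare it.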
Install the self-signed certificate on Apache web server
Installing the certificate is not that hard. I’m going to show you how to do this on a Linux box running Ubuntu or CentOS. In both cases the directives that need to be used are:
    SSLEngine on
    SSLCertificateFile /var/ssl/default-ssl/server.crt
    SSLCertificateKeyFile /var/ssl/default-ssl/server.key
- SSLEngine — Enable the SSL engine on this virtualhost
- SSLCertificateFile — This is the path to the certificate file
- SSLCertificateKeyFile — This is the path to the private key file
These directives are the same in practically every VirtualHost configuration. Of course, you first need to have the SSL module enabled in your Apache installation. Normally on CentOS / Red Hat you’re on the safe side, as it’s already there, but on Ubuntu / Debian installations you may need to enable it because it’s not enabled by default:
    a2enmod ssl
And then restart your web server.
The complete VirtualHost configuration would look something like this:
    <VirtualHost 192.168.1.101:443>
        ServerName server.com
        DocumentRoot /var/www/
        <Directory "/var/www/">
            AllowOverride All
            Options -MultiViews
        </Directory>
        SSLEngine on
        SSLCertificateFile /var/ssl/default-ssl/server.crt
        SSLCertificateKeyFile /var/ssl/default-ssl/server.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
That’s about it for now. If you have questions or something is not working, feel free to comment below and I’ll try to help out.
See you again on our next tutorial.