Generate a Self-Signed SSL Certificate
The following is a simplified way to generate a self-signed certificate for use in development and testing. It assumes the OpenSSL toolkit is installed on the system. The OpenSSL toolkit has many options; the steps below use only a few of them.
- Step 1: Generate the Private Key.
- Step 2: Generate a CSR (Certificate Signing Request)
- Step 3: Generate a Self-Signed Certificate
- Configuring Apache.
Step 1: Generate the Private Key.
The first step is to generate the RSA private key. Let's use a 2048-bit key length.
This will generate a file, ningzeta.com.key, which contains the private key. You can protect the key by encrypting it with Triple-DES.
When the Apache web server is restarted, it will ask for the key's passphrase if you chose to protect the key. Make sure you don't forget the passphrase if you have set one.
Step 2: Generate a CSR (Certificate Signing Request)
Once you have the private key, the CSR can be generated. For real-world use, the generated CSR is sent to a CA (Certification Authority), which verifies the identity of the requester and issues a signed certificate.
During the generation of the CSR, openssl will prompt for several pieces of information. These are the X.509 attributes of the certificate. One important attribute is the Common Name: this is the FQDN of the server to be protected by SSL. In my case it is ningzeta.com. If you want to create a wildcard certificate, use *.ningzeta.com.
At this stage, you will have a CSR file, ningzeta.com.csr.
Step 3: Generate a Self-Signed Certificate
As this is for temporary use in development and testing and is not signed by a proper CA, browsers will warn that the certificate comes from an unknown issuer and is not trusted.
To generate a temporary self-signed certificate valid for 365 days.
The above uses SHA-1, which is broken and no longer accepted by most modern browsers. To use SHA-2 (sha224, sha256, sha384, sha512, etc.), add -sha256.
At this stage, you will have a self-signed certificate file, ningzeta.com.crt.
You can also combine the private key and the certificate in one PEM file.
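Steps 1 to 3 carried out end to end, as an added example that is not part of the original post: a POSIX shell script around the openssl CLI that generates the key, the CSR and the SHA-256 self-signed certificate non-interactively, builds the combined PEM file, and then runs the checks worth doing before the files are copied into Apache (signature algorithm, Common Name, key/certificate match, validity). The hostname ningzeta.com comes from the post; WORKDIR, the function names and the subject fields other than CN are assumptions made for this example.

```shell
# Added example (not the post's own commands). Assumes the openssl CLI is
# installed; WORKDIR, function names and non-CN subject fields are assumptions.
set -eu

HOST="ningzeta.com"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: 2048-bit RSA private key. Left unencrypted so Apache can restart
# unattended; add -des3 if you want the Triple-DES passphrase the post mentions.
gen_key() {
    openssl genrsa -out "$WORKDIR/$HOST.key" 2048 2>/dev/null
}

# Step 2: CSR. -subj supplies the X.509 attributes openssl would otherwise
# prompt for; CN must be the FQDN the certificate will protect.
gen_csr() {
    openssl req -new -key "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$HOST"
}

# Step 3: self-signed certificate, 365 days, SHA-256 signature instead of the
# SHA-1 default the post warns about.
gen_cert() {
    openssl x509 -req -days 365 -sha256 \
        -in "$WORKDIR/$HOST.csr" -signkey "$WORKDIR/$HOST.key" \
        -out "$WORKDIR/$HOST.crt" 2>/dev/null
}

# Optional: key and certificate combined in one PEM file. Both files hold the
# private key, so restrict them to the owner.
gen_pem() {
    cat "$WORKDIR/$HOST.key" "$WORKDIR/$HOST.crt" > "$WORKDIR/$HOST.pem"
    chmod 600 "$WORKDIR/$HOST.pem" "$WORKDIR/$HOST.key"
}

# ---- checks before copying into Apache ------------------------------------

# Signature algorithm recorded in the certificate, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$WORKDIR/$HOST.crt" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Common Name from the certificate subject; handles both the older "/CN="
# and the newer "CN = " print formats of openssl.
cert_cn() {
    openssl x509 -in "$WORKDIR/$HOST.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Apache refuses to start when SSLCertificateFile and SSLCertificateKeyFile do
# not belong together; the RSA modulus must be identical in both.
key_matches_cert() {
    k=$(openssl rsa -in "$WORKDIR/$HOST.key" -noout -modulus)
    c=$(openssl x509 -in "$WORKDIR/$HOST.crt" -noout -modulus)
    [ "$k" = "$c" ]
}

# Exit status 0 if the certificate has not expired as of now.
cert_valid_now() {
    openssl x509 -in "$WORKDIR/$HOST.crt" -noout -checkend 0 >/dev/null
}

generate_all() {
    gen_key && gen_csr && gen_cert && gen_pem
}

generate_all
echo "files in $WORKDIR: $(ls "$WORKDIR" | tr '\n' ' ')"
echo "signature: $(cert_sigalg)   CN: $(cert_cn)"
key_matches_cert && cert_valid_now && echo "key/certificate pair OK"
```

Run it as-is to get the four files in a temporary directory, or set WORKDIR to the target directory. The modulus comparison is the check to keep handy: a mismatched key and certificate is the usual cause of Apache failing to start after a certificate has been renewed or copied around.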
Configuring Apache.
The following steps configure Apache to use the certificate and key generated above.
Storing the Private Key and Certificate.
The files can live anywhere on the local filesystem, but the most common place is inside the Apache configuration directory. If you are using the combined PEM file, store it in the same location.
cp ningzeta.com.crt /etc/httpd/conf/ssl/ningzeta.com.crt
cp ningzeta.com.key /etc/httpd/conf/ssl/ningzeta.com.key
# for pem file
cp ningzeta.com.pem /etc/httpd/conf/ssl/ningzeta.com.pem
Defining in the Virtual Host.
Define the certificate and private key inside the virtual host configuration.
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl/ningzeta.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/ningzeta.com.key
# other definitions
</VirtualHost>
Restart Apache to load the new configuration.