The following is a simplified way to generate a self-signed certificate for use in development and testing. It is assumed that the openssl toolkit is installed on the system. The openssl toolkit has many options, and the following steps use some of those features.

Step 1: Generate the Private Key.

The first step is to generate the RSA private key. Let’s use a 2048-bit key length.

openssl genrsa -out ningzeta.com.key 2048

This will generate a file, ningzeta.com.key, which contains the private key. You can protect the key by encrypting it with Triple-DES.

openssl genrsa -des3 -out ningzeta.com.key 2048

When the Apache web server is restarted, it will ask for the key's passphrase if you chose to protect the key. Make sure you don’t forget the passphrase if you set one.

Step 2: Generate a CSR (Certificate Signing Request)

Once you have the private key, the CSR can be generated. For real-world use, the generated CSR is sent to a CA (Certification Authority), which verifies the identity of the requestor and issues a signed certificate.

During CSR generation, openssl will prompt for several pieces of information. These are the X.509 attributes for the certificate. One important attribute is the Common Name: this is the FQDN of the server to be protected by SSL. In my case it's ningzeta.com. If you want to create a wildcard certificate, use *.ningzeta.com.

openssl req -new -key ningzeta.com.key -out ningzeta.com.csr

At this stage, you will have a CSR file - ningzeta.com.csr.

Step 3: Generate a Self-Signed Certificate

As this is for temporary use in development and testing and is not signed by a proper CA, the browser will report an error that the certificate is unknown and not trusted.

To generate a temporary self-signed certificate valid for 365 days:

openssl x509 -req -days 365 -in ningzeta.com.csr -signkey ningzeta.com.key -out ningzeta.com.crt

The above will use SHA-1, which is now broken and not supported in most modern browsers. To use SHA-2 (sha224, sha256, sha384, sha512, etc.), add -sha256.

openssl x509 -sha256 -req -days 365 -in ningzeta.com.csr -signkey ningzeta.com.key -out ningzeta.com.crt

At this stage, you will have a self-signed certificate file - ningzeta.com.crt.

You can also combine and store the private key and certificate in one file:

cat ningzeta.com.crt ningzeta.com.key > ningzeta.com.pem
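
The three steps above can also be run without prompts and then checked. The script below is an added example, not part of the original post: it passes the Common Name with -subj, then confirms that the certificate is signed with SHA-256 and that the key and certificate belong together. The name dev.example.test and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example. dev.example.test is a placeholder FQDN, not from the original page.

# Steps 1-3 without prompts: private key, CSR, SHA-256 self-signed certificate.
# The body runs in a subshell so the umask does not leak into the caller.
make_selfsigned() (            # usage: make_selfsigned <fqdn> <outdir>
    cn=$1; dir=$2
    umask 077                  # files are created readable by their owner only
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null || exit 1
    # -subj supplies the X.509 attributes that req would otherwise prompt for
    openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" \
        -out "$dir/$cn.csr" || exit 1
    openssl x509 -sha256 -req -days 365 -in "$dir/$cn.csr" \
        -signkey "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null
)

# Print the algorithm the certificate was signed with.
sig_alg() {                    # usage: sig_alg <crt>
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Succeed only if the RSA key and the certificate carry the same modulus,
# i.e. the certificate was issued for this key.
key_matches_cert() {           # usage: key_matches_cert <key> <crt>
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run in a scratch directory that is removed on exit.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_selfsigned dev.example.test "$tmp" || { echo "generation failed" >&2; exit 1; }
echo "signature algorithm: $(sig_alg "$tmp/dev.example.test.crt")"
if key_matches_cert "$tmp/dev.example.test.key" "$tmp/dev.example.test.crt"; then
    echo "key and certificate match"
else
    echo "key and certificate do NOT match" >&2
fi
```

Apache's mod_ssl refuses to start when SSLCertificateFile and SSLCertificateKeyFile do not belong together, so key_matches_cert is worth running before the restart.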

Configuring Apache.

The following steps are used to configure Apache to use the certificate and key generated above.

Storing the Private Key and Certificate.

The location can be anywhere in the local filesystem, but the most common place to store them is inside the Apache directory. If you are using the pem file, store the pem file in the same location.

cp ningzeta.com.crt /etc/httpd/conf/ssl/ningzeta.com.crt
cp ningzeta.com.key /etc/httpd/conf/ssl/ningzeta.com.key

# for pem file
cp ningzeta.com.pem /etc/httpd/conf/ssl/ningzeta.com.pem

Defining in the Virtual Host.

Define the certificate and private key inside the virtual host configuration.

<VirtualHost *:443>
	SSLEngine on
	SSLCertificateFile 	/etc/httpd/conf/ssl/ningzeta.com.crt
	SSLCertificateKeyFile	/etc/httpd/conf/ssl/ningzeta.com.key

	# other definitions
</VirtualHost>

Restart Apache to load the new configuration.