Security Tips and Tricks

How to Create a Self-Signed SSL Certificate

An SSL certificate is ideal for securing an administration interface, a members-only area, an intranet, webmail, etc. It is used to keep sensitive information sent across the Internet encrypted so that only the intended recipient can read it. When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections between the web server and a browser.

In this article we're going to cover how to create a self-signed SSL certificate. Self-signed SSL certificates add security to a domain for testing purposes, but they are not verifiable by a third-party certificate provider, so they result in web browser warnings.

Create the Self-signed SSL Certificate

Make a directory to store the certificate and the server key. Normally this will be installed on a web server, so that's where my directory structure will focus:

mkdir /etc/httpd/ssl

Generate the SSL via OpenSSL with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

The above command will generate a 2048-bit RSA private key and a corresponding self-signed certificate valid for 365 days, and place both files in the new directory. Note that -nodes writes the private key unencrypted, so keep the key file readable only by root. The command prompts for the values that make up the certificate's Distinguished Name; the session looks like this:

Generating a 2048 bit RSA private key
..........................................+++
..............+++
writing new private key to '/etc/httpd/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:New York
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:Webair Internet Development Company, Inc
Organizational Unit Name (eg, section) []:Webair Community
Common Name (eg, your name or your server's hostname) []:community.webairfakedomain.com
Email Address []:postmaster@webairfakedomain.com

Tip: It is very important that the Common Name be set appropriately. Enter your fully qualified domain name (FQDN) here or, if you don't have an FQDN, then your site's IP address.
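The following script is an added example and is not part of the original article. It produces the same kind of self-signed certificate as the interactive command above, but supplies the Distinguished Name from a small OpenSSL config file instead of answering prompts, and it also adds a subjectAltName entry for the hostname, which current browsers check in addition to the Common Name. The directory, hostname and organization values are illustrative assumptions, as are the helper function names; the checks at the end verify that the key and certificate belong together and that the SAN was written.

```shell
#!/bin/sh
# Added example (not from the original article): non-interactive self-signed
# certificate generation with OpenSSL, plus a few post-generation checks.
# All paths, hostnames and DN values below are assumptions for illustration.

# gen_selfsigned DIR FQDN [DAYS]
# Writes DIR/apache.key and DIR/apache.crt. The key is written unencrypted
# (-nodes, as in the article), so a restrictive umask keeps it at mode 0600.
gen_selfsigned() {
    dir="$1"; fqdn="$2"; days="${3:-365}"
    mkdir -p "$dir" || return 1
    # prompt = no makes openssl take the DN from the [dn] section instead of asking.
    cat > "$dir/selfsigned.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext

[dn]
C  = US
ST = New York
L  = New York
O  = Example Org
CN = $fqdn

[v3_ext]
subjectAltName = DNS:$fqdn
extendedKeyUsage = serverAuth
EOF
    # Subshell so the restrictive umask does not leak into the caller's shell.
    ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/apache.key" -out "$dir/apache.crt" \
        -config "$dir/selfsigned.cnf" >/dev/null 2>&1 )
}

# cert_has_san CRT FQDN: succeeds if the certificate lists DNS:FQDN in its SAN.
cert_has_san() {
    text=$(openssl x509 -noout -text -in "$1" 2>/dev/null) || return 1
    case "$text" in
        *"DNS:$2"*) return 0 ;;
    esac
    return 1
}

# key_matches_cert KEY CRT: succeeds if the private key belongs to the
# certificate (the RSA modulus of both must be identical).
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# cert_not_expired CRT: succeeds if the certificate is within its validity period.
cert_not_expired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Stand-alone usage: ./selfsigned.sh --demo (directory and hostname are illustrative).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    gen_selfsigned "$d" community.webairfakedomain.com 365 \
        && cert_has_san "$d/apache.crt" community.webairfakedomain.com \
        && key_matches_cert "$d/apache.key" "$d/apache.crt" \
        && echo "key and certificate written to $d"
fi
```

The config-file approach is what you want when the certificate is created by a provisioning script rather than by hand; the Common Name still carries the FQDN as the tip above recommends, and the SAN extension repeats it so that browsers which ignore the CN still match the hostname.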
