Create A Self-Signed SSL Certificate To Use With Apache

Discussion in 'Unix' started by pradeep, Sep 28, 2012.

  1. pradeep

    pradeep Team Leader

    Apr 4, 2005
    Likes Received:
    Trophy Points:
    Kolkata, India
    Home Page:
    Normally web traffic (HTTP) is unencrypted i.e. it's passed around the network in plain text, so anyone with the right tools can view what's being transmitted. This is okay generally, but when we pass sensitive information like credit card information, passwords, nowadays even personal information & emails are important as they may be used to do identity theft, so even websites like Facebook & GMail use HTTPS by default.

    HTTPS works by using SSL, which in turn uses asymmetric cryptography popularly known as public key cryptography. In public key cryptography, a public key and a private key are present, anything encrypted with the public key can only be decrypted with the corresponding private key and vice-versa. Although SSL uses public key cryptography a certificate is necessary, not for the functioning or to strengthen the encryption but to verify the owner of the certificate to be the person/organization they claim to be, so CAs (Certificate Authorities) sign your certificate so that other can trust you. See the image below, how GMail certificate is signed by Thwate.


    In case, you just want to use SSL for web applications in your private network or organization, or just test using HTTPS with your application, you can self-sign the certificate and add the CA certificate to your browser's trusted list.

    Generating The Private Key

    We'll be using OpenSSL to generate the 2048 bit RSA private key using the Triple-DES algorithm. This is the CA's private key in the real world scenario.

    [pradeep@home-desktop ssl]# openssl genrsa -des3 -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Verifying - Enter pass phrase for server.key:

    Creating A Certificate Signing Request (CSR)

    Now that we have the private key, we'll need to create a CSR and normally it is sent to a CA (Certificate Authority) like Versign or Thwate who will sign our certificate with their private key, but here we'll be self-signing the certificate.

    [pradeep@home-desktop ssl]# openssl req -new -key server.key -out server.csr
    Enter pass phrase for server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [GB]:IN
    State or Province Name (full name) [Berkshire]:Mumbai
    Locality Name (eg, city) [Newbury]:Matunga
    Organization Name (eg, company) [My Company Ltd]:Go4expert
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []
    Email Address []
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Self-Signing The CSR

    Now we can sign the CSR using the first created private key and we'll get a certificate, using this certificate will show an error/warning in your browser, which we'll see how to be fixed in the last step.

    [pradeep@home-desktop ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    Signature ok
    Getting Private key
    Enter pass phrase for server.key:
    This certificate is now valid for a year.

    Setting Up SSL in Apache

    [pradeep@home-desktop ssl]# cp server.crt /etc/httpd/conf/ssl.crt
    [pradeep@home-desktop ssl]# cp server.key /etc/httpd/conf/ssl.key
    Configuring for virtual hosts or globally.
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    Making Your Browser Trust The Self-Signed Certificate

    Last edited by a moderator: Jan 21, 2017
  2. k2seo

    k2seo New Member

    Jul 22, 2012
    Likes Received:
    Trophy Points:
    Home Page:
    I just wanna ask you that is would be as secured as given by certificate authorities geotrust, comodo or verisign?

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice