How to create a self-signed SSL Certificate

17. June 2011 SysAdmin 0

How to create a self-signed SSL Certificate which can be used for testing purposes or internal usage

Step 1: Generate a Private Key and CSR

$ mkdir ~/ssl
$ cd ~/ssl
$ openssl req -new -newkey rsa:2048 -nodes -out www_domain_com.csr -keyout www_domain_com.key -subj "/C=IN/ST=India/L=Kerala/O=AWSadminz/OU=IT/CN=www.domain.com"

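Optional: to add multiple SAN names, use multiple CN values. Note that repeated CN values are stored as additional CN attributes in the certificate subject; they do not create a subjectAltName extension, so clients that match hostnames only against subjectAltName, as current browsers do, will not see the extra names.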

$ openssl req -new -newkey rsa:2048 -nodes -out www_domain_com.csr -keyout www_domain_com.key -subj "/C=IN/ST=India/L=Kerala/O=AWSadminz/OU=IT/CN=www.domain.com/CN=online.domain.com"

The fields in -subj correspond to the following interactive prompts:

Country Name (2 letter code) [GB]:**IN**  
 State or Province Name (full name) [Berkshire]:**India**  
 Locality Name (eg, city) [Newbury]:**Kerala**  
 Organization Name (eg, company) [My Company Ltd]: **AWSadminz**  
 Organizational Unit Name (eg, section) []:**IT**  
 Common Name (eg, your name or your server’s hostname) []:**www.domain.com**  
 Please enter the following ‘extra’ attributes  
 to be sent with your certificate request  
 A challenge password []:  
 An optional company name []:  

-rw-rw-r-- 1 aws aws 1041 2012-10-27 03:32 www_domain_com.csr
-rw-rw-r-- 1 aws aws 1704 2012-10-27 03:32 www_domain_com.key 

Step 2: Generating a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don’t plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted. To generate a temporary certificate which is good for 365 days, issue the following command:

$ openssl x509 -req -days 365 -in www_domain_com.csr -signkey www_domain_com.key -out www_domain_com.crt
Signature ok
subject=/C=IN/ST=India/L=Kerala/O=AWSadminz/OU=IT/CN=www.domain.com
Getting Private key

Now you have all 3 files, i.e. the certificate, key and CSR.

$ ls
total 404
drwxrwxr-x 2 aws aws 4096 2012-10-27 03:29 ./
drwxrwxrwt 27 root root 393216 2012-10-27 03:33 ../
-rw-rw-r-- 1 aws aws 1273 2012-10-27 03:32 www_domain_com.crt
-rw-rw-r-- 1 aws aws 1041 2012-10-27 03:32 www_domain_com.csr
-rw-rw-r-- 1 aws aws 1704 2012-10-27 03:32 www_domain_com.key
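
The listing above shows www_domain_com.key as -rw-rw-r--, readable by every local user, and nothing so far confirms that the certificate and key belong together or which hostnames the certificate really covers. The checks below are an added example, not part of the original post; the function names and the 30-day validity threshold are assumptions, and only stock openssl subcommands are used.

```shell
#!/bin/sh
# Added example: checks for www_domain_com.crt / www_domain_com.key before install.
# Function names and the 30-day threshold are assumptions of this sketch.

# 0 if the certificate carries the public key that belongs to the private key.
cert_matches_key() (        # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# 0 if the key file grants nothing to group or other (mode 0600 or 0400).
key_is_private() (          # usage: key_is_private KEY
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
)

# 0 if the certificate is still valid DAYS days from now.
cert_valid_for_days() (     # usage: cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
)

# 0 if HOST is a DNS entry in the subjectAltName extension; extra CNs do not count.
# One way to add the extension in Step 2: -extfile FILE, where FILE contains
#   subjectAltName=DNS:www.domain.com,DNS:online.domain.com
cert_has_san() (            # usage: cert_has_san CERT HOST
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed 's/^ *//' | grep -Fxq "DNS:$2"
)

# Print one line per check; exit status is non-zero if any check failed.
preinstall_report() (       # usage: preinstall_report CERT KEY HOST
    rc=0
    check() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; rc=1; fi; }
    check cert_matches_key "$1" "$2"
    check key_is_private "$2"
    check cert_valid_for_days "$1" 30
    check cert_has_san "$1" "$3"
    exit "$rc"
)

# Example: sh check.sh www_domain_com.crt www_domain_com.key www.domain.com
if [ "$#" -eq 3 ]; then preinstall_report "$@"; fi
```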

Step 3: Installing the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled. Only the CRT and KEY files are needed on the Apache server.

mkdir /etc/httpd/ssl
cp www_domain_com.crt /etc/httpd/ssl/www_domain_com.crt
cp www_domain_com.key /etc/httpd/ssl/www_domain_com.key

Step 4: Configuring SSL Enabled Virtual Hosts

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/www_domain_com.crt
SSLCertificateKeyFile /etc/httpd/ssl/www_domain_com.key

Step 5: Restart Apache and Test

/etc/init.d/httpd stop
/etc/init.d/httpd start

And verify the SSL setup using the URL https://www.domain.com. Any issues, please comment :)

