17th December 2015 | By: aeguana
How to create a self signed SSL certificate
SSL certificates are necessary if you want to encrypt the traffic between two end points, in our case we will be using self signed SSL certificate to encrypt the data transferred between the browser and apache web server. By default the traffic is not encrypted and it can be easily sniffed.
SSL is using the asymmetric cryptography, also known as public key cryptography, by creating two keys, one public, one private. Each message encrypted with the private key would only be decrypted by the public key.
We will be using the openssl software to accomplish this, openssl is opensource and available on most of the platforms.
Generating the Private Key
<br /> openssl genrsa -des3 -out server.key 2048<br />
<br /> Generating RSA private key, 2048 bit long modulus<br /> .................+++<br /> ........................................................................................................+++<br /> e is 65537 (0x10001)<br /> Enter pass phrase for server.key:<br /> Verifying - Enter pass phrase for server.key:<br />
When asked for a pass phrase make sure you write this down somewhere! This will create a file named server.key which will contain your private key encrypted in triple DES format. The 2048 is number of bits used for the RSA private key, the bigger the number the longer it will take to generate, it is also more secure.
Generating Certificate Signing Request (CSR)
We will be using the CSR in order to self sign our certificate. You will first be asked for a pass phrase, this is the same pass phrase used in the private key generation step.
<br /> openssl req -new -key server.key -out server.csr<br />
<br /> Enter pass phrase for server.key:<br /> You are about to be asked to enter information that will be incorporated<br /> into your certificate request.<br /> What you are about to enter is what is called a Distinguished Name or a DN.<br /> There are quite a few fields but you can leave some blank<br /> For some fields there will be a default value,<br /> If you enter '.', the field will be left blank.<br /> -----<br /> Country Name (2 letter code) [AU]:GB<br /> State or Province Name (full name) [Some-State]:London<br /> Locality Name (eg, city) :London<br /> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Aeguana Ltd<br /> Organizational Unit Name (eg, section) :IT<br /> Common Name (e.g. server FQDN or YOUR name) :coolapp.aeguana.com<br /> Email Address :email@example.com</p> <p>Please enter the following 'extra' attributes<br /> to be sent with your certificate request<br /> A challenge password :<br /> An optional company name :<br />
The most important part in this step is the Common Name. Make sure you enter it correctly because the certificate will be only valid for that domain/subdomain! You can leave the challenge password empty.
Generating self signed certificate
We now should have server.csr and server.key. The server.key is our private key which is pass phrase protected, in order to use this with apache httpd server we will need to provide this key each time we start the apache web server. This is not convenient since every time you are upgrading apache or restarting the server you will need to provide the password for the private key. What we can do is to create a new private key from the old one without the pass phrase which can be used for the apache web server.
<br /> cp server.key server.key.orig<br /> openssl rsa -in server.key.orig -out server.key<br />
<br /> Enter pass phrase for server.key.orig:<br /> writing RSA key<br />
Use the same pass phrase during the private key generation. A new file should be created, server.key will now contain the private key without the pass phrase.
Finally let’s generate our self signed certificate with our private key and CSR.
<br /> openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt<br />
<br /> Signature ok<br /> subject=/C=GB/ST=London/L=London/O=Aeguana Ltd/OU=IT/CN=coolapp.aeguana.com/emailAddressfirstname.lastname@example.org<br /> Getting Private key<br />
This should generate a file server.crt which will be your the self signed certificate, the 3650 is the number of days you want your certificate to be valid, in our case we opted for 10 years.
Setup apache to use the self signed certificate
Copy the server.crt and server.key files to your server and edit your httpd.conf, make sure mod_ssl is loaded.
Add the following to your httpd.conf
<br /> SSLEngine on<br /> SSLCertificateFile /path/to/your/server.crt<br /> SSLCertificateKeyFile /path/to/your/server.key<br />
Restart apache and enjoy your self signed certificate!