How to create your own SSL Certificate | Yet another Tech Blog Page 1 of 6

How to create your own SSL Certificate


Published on February 27th, 2007 in Best of, Other, Ubuntu, Web

The openssl toolkit is typically used to generate an RSA Private Key and a CSR (Certificate Signing
Request). But it can also be used to generate self-signed certificates which can be used for testing
purposes or internal usage.

Step 1: Generate a Private Key

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using
Triple-DES and stored in a PEM format so that it is readable as ASCII text.

openssl genrsa -des3 -out server.key 1024

Step 2: Generate a CSR (Certificate Signing Request)

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then
used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or
Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is
to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the
X.509 attributes of the certificate. One of the prompts will be for “Common Name (e.g., YOUR name)”. It
is important that this field be filled in with the fully qualified domain name of the server to be protected by
SSL. If the website to be protected will be https://www.yatblog.com, then enter www.yatblog.com at this
prompt. If you want to create a so-called “wildcard” certificate, which means the same certificate can be
used on an unlimited number of subdomains, just enter an asterisk as the hostname; in our example that
would be *.yatblog.com. The command to generate the CSR is as follows:

openssl req -new -key server.key -out server.csr

Step 3: Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase
each time the web server is started. Obviously this is not always convenient, as someone will not
always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability
to use an external program in place of the built-in pass-phrase dialog; however, this is not necessarily the
most secure option either. It is possible to remove the Triple-DES encryption from the key, so that a
pass-phrase no longer needs to be typed in. If the private key is no longer encrypted, it is critical that this file
only be readable by the root user! If your system is ever compromised and a third party obtains your
unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use
the following command to remove the pass-phrase from the key:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

The newly created server.key file has no passphrase in it anymore.

-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

Step 4: Generating a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don’t plan on having
your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing
your certificate. This temporary certificate will generate an error in the client browser to the effect that the
signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 365 days, issue the following command:

http://www.yatblog.com/2007/02/27/how-to-create-a-ssl-certificate/ 11/24/2010

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
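Steps 1 to 4 above, as an added example that is not code from the original post: one non-interactive script that generates the key, CSR and self-signed certificate, then checks that the certificate really belongs to the key and that the key file is readable by its owner only (the 644 listing shown under step 3 would fail that check). It assumes the openssl CLI is installed; the directory and host names are constructed, and it uses a 2048-bit key rather than the post's 1024 bits.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1 to 4 as one non-interactive
# script plus two checks to run before step 5. Assumes the openssl CLI is installed;
# the directory and host names used are constructed.
set -eu

# make_selfsigned_cert <dir> <fqdn> <days>
# Steps 1 and 3: a 2048-bit RSA key (the post's 1024 bits is below what public CAs
#   accept today) written without the Triple-DES passphrase, so nothing has to be
#   stripped afterwards. Step 2: the CSR, with the Common Name given via -subj instead
#   of the interactive prompts. Step 4: the self-signed certificate.
make_selfsigned_cert() (
    dir=$1; fqdn=$2; days=$3
    umask 077   # files created below are readable by their owner only (subshell-local)
    openssl genrsa -out "$dir/server.key" 2048
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$fqdn"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt"
)

# cert_matches_key <dir>: succeeds only if the public key embedded in server.crt is
# the one derived from server.key, i.e. the files step 5 installs belong together.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/server.crt")
    key_pub=$(openssl pkey -pubout -in "$1/server.key")
    [ "$cert_pub" = "$key_pub" ]
}

# key_is_private <file>: the post warns that a passphrase-less key must be readable by
# root only; this fails when any group or other permission bit is set (the 644 listing
# shown after step 3 would fail it).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# cert_subject <dir>: prints the subject line, i.e. the Common Name entered at step 2.
cert_subject() {
    openssl x509 -noout -subject -in "$1/server.crt"
}

# Stand-alone run against a constructed host name in a scratch directory.
work=$(mktemp -d)
make_selfsigned_cert "$work" www.example.test 365
cert_subject "$work"
cert_matches_key "$work" && echo "server.crt and server.key match"
key_is_private "$work/server.key" && echo "server.key is readable by its owner only"
```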

Step 5: Installing the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The
location of this directory will differ depending on how Apache was compiled.

cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key

Step 6: Configuring SSL Enabled Virtual Hosts

<VirtualHost www.yourdomain.com:443>
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

If you want to redirect connections that arrive on the standard, unencrypted port 80 to the SSL host, simply use the following lines:

<VirtualHost mail.design-monster.com:80>
RedirectPermanent / https://www.yourdomain.com
</VirtualHost>

Step 7: Restart Apache and Test

/etc/init.d/apache2 restart


25 comments

Kalessin March 10th, 2007


Fantastic… I’ve read a number of similar guides over the past few weeks and this is the best, at least for
Debian/Ubuntu, anyway.

Tara April 25th, 2007


Exactly what I needed (Red Hat OS). THANKS.

Holger May 1st, 2007


GREAT HowTo. Precisely what I was looking for. Thanks!

Gary July 19th, 2007


Just what I needed. Very helpful – OK on Gentoo. Thanks very much indeed


Muhammad Mahmood Sarfraz July 25th, 2007


Good document on the creation of an SSL certificate.

Q-Zma October 11th, 2007


Is it possible to generate a single certificate which will be valid for several domains? For example:
domainone.com and domaintwo.com?

Martin October 12th, 2007


Hi Q-Zma

Unfortunately not. You will have to create one for every domain.

TheMacThinker October 28th, 2007


Is it possible to create your own ssl certification on your desktop and then upload it to a shared hosted
server and modify your php.ini or .htaccess files to make apache use it? If so how?
In fact I would like to create my own certificate and be able to use it without upgrading my hosted
domain plan and because I do not have root access to the server I would like to configure .htaccess if
possible to use the certificate.
Any insight would be appreciated.

Aion October 29th, 2007


Sounds hard… but I will try it, don’t want to pay $100 for one

btaz November 1st, 2007


Excellent…… thanks a lot!

We want more……

Tye December 7th, 2007


Thanks. I needed a simple run through the process.

Robert February 10th, 2008


TheMacThinker,

It would be possible to use your own self signed certificate on your shared hosting but the main problem
is that, if it is a shared server, you most likely don’t have a unique IP address and the SSL protocol
requires a unique IP address/port for every certificate. You would also need to configure Apache to use
the certificate so it completely depends on your hosting provider.

Laxman singh May 28th, 2008


Thanks,

Very straightforward how to create a certificate, and implemented with vhost.


The steps involved in creating a self-signed authority under Ubuntu.

Here is the very simple way of creating a Self signed certificate.


Enter the following command to generate a certificate valid for 365 days:
sudo apache2-ssl-certificate -days 365

The program asks for a few inputs. Please enter them as required. They are shown below:

Country Name (2 letter code) [GB]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:Singapore


Organization Name (eg, company; recommended) []:

Organizational Unit Name (eg, section) []:


server name (eg. ssl.domain.tld; required!!!) []:enter your domain name here

Email Address []:

Now you should have your certificate ready to use.

(NOTE: Ubuntu Feisty has a bug where the command apache2-ssl-certificate is missing. This is a well
documented bug. Here is the file you need to download to overcome this defect to create a self signed
certificate. After you download, follow the notes below to copy the downloaded files to the location
where they are supposed to be present.

Extract the package and put ssleay.cnf to /usr/share/apache2/ and apache2-ssl-certificate to /usr/sbin.
Create /etc/apache2/ssl directory. Then apache2-ssl-certificate script should work.)

Once you have your certificate ready, you need to configure your apache2.conf file. In this case, the
configuration is very simple. Here is an example on how to do it:

NameVirtualHost *:443

# the VirtualHost and Directory container tags below are reconstructed; the blog
# rendered them as HTML and dropped them from the comment
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName securedomain
ServerAlias securedomain www.domain3.com
DocumentRoot /var/www/ssl_securearea

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

<Directory /var/www/ssl_securearea>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>

Above I have shown the whole virtual host configuration to be complete. But I hope you get an idea
where to put it.

On Ubuntu you need this step to recover the missing command apache2-ssl-certificate.

Here is the file you need to download to overcome this defect to create a self signed certificate. After
you download, follow the notes below to copy the downloaded files to the location where they are
supposed to be present.
1. Extract the package
2. put ssleay.cnf to /usr/share/apache2/
3. put apache2-ssl-certificate to /usr/sbin.
4. Create /etc/apache2/ssl directory.
Now apache2-ssl-certificate script should work.

http://librarian.launchpad.net/7477840/apache2-ssl.tar.gz

After downloading and following the steps, the certificate worked.


sjmiller June 5th, 2008


Brilliant instructions. Thank you!

Craig October 22nd, 2008


Can this be used for a live production e-commerce site?

Tony October 31st, 2008


Yes it can be, except your visitors will receive an error when visiting your site saying that there is
something wrong. In both IE7 and Firefox 3 they will be STRONGLY ADVISED not to enter, and will
have to import the key into their browser for connection to continue.

In other words, pay for a proper one or you’ll look dodgy.

The Magnet Blog » Blog Archive » creating a ssl certificate November 6th, 2008
[...] http://www.yatblog.com/2007/02/27/how-to-create-a-ssl-certificate/ [...]

Stage @ Aventiv » Dag 54: Client Fails! May 26th, 2009


[...] problem, and we were eventually able to solve it by generating a self-signed certificate
via openssl on Linux. When we then tried to run the client, the e-mail and the file server
label were validated [...]

Guy September 14th, 2009


If you really want to simplify everything I downloaded some scripts, a few years ago, that will generate
everything. When I found them they generated 1024-bit encryption – I modified them so that, now, they
are 4096 bit encryption. These really make the whole process brain-dead. These work with
GoDaddy.com’s new, mandatory minimum of 2048 bit or higher encryption – I just edited them, made
new certificates, and bought a new certificate yesterday. If you would like to use them, here ya’ go….

http://guycentral.info/index.php/apache-linux.

james Eilers » Project Management with Trac + SVN October 8th, 2009
[...] everything to use SSL. A very nice tutorial on creating your self-signed certificate can be found
here. Also ensure that you have mod_ssl installed for Apache. Everything else is configured within [...]

How to create your own SSL Certificate | Yet another Tech Blog | Scott’s Reference Files October 19th, 2009
[...] How to create your own SSL Certificate | Yet another Tech Blog. Topic: Computer | No Comments »
How to create your own SSL Certificate | Yet another Tech Blog. [...]

Ed January 14th, 2010


Just FYI, in some environments (RHEL, centos, etc) the certs are in /etc/pki/tls/private
and /etc/pki/tls/certs


Suresh April 30th, 2010


http://www.akadia.com/services/ssh_test_certificate.html

Same Content !!

This site is quite detailed.

Alpha Monk June 22nd, 2010


This is very cool info. I thought this information would be hard to find and hard to understand. You made
both of my worries evaporate.

Thanks

Ben Lancaster September 3rd, 2010


How and where do you do the first step?

Please reply!
