Apache self-signed certificate HOWTO

Generate the key and self-signed certificate for the Certificate Authority (the key that will do the signing)

openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Generate the private key for your server

openssl genrsa -aes256 -out server.key 4096

Create a CSR (certificate signing request) to get signed by the CA

openssl req -new -key server.key -out server.csr

Sign your CSR with the CA key you made in the first step

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Optionally remove the passphrase from your server key (if you do this, protect the key file!)

openssl rsa -in server.key -out server.key.nopass

Add these lines to your Apache config (if you removed the passphrase, use the server.key.nopass file as the key)

SSLEngine on
SSLCertificateFile /www/ssl.crt/server.crt
SSLCertificateKeyFile /www/ssl.key/server.key
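
Before pointing Apache at the files, it is worth confirming that the server certificate chains to your CA, that it matches the private key, and that it names the host clients will connect to. The script below is an added example, not part of the original HOWTO; the hostname www.example.test and the function names make_demo_pki and check_server_cert are made up for the demo, the demo keys are unencrypted and 2048-bit so it runs without prompts, and it goes one step beyond the commands above by adding a subjectAltName at signing time.

```bash
#!/usr/bin/env bash
# Added example: pre-deployment checks for the CA and server files made above.
# www.example.test and both function names are constructed for this demo.

# Build a throwaway CA and server cert without prompts. Demo keys are
# unencrypted (no -aes256) and 2048-bit so the script runs unattended.
make_demo_pki() {
    local dir="$1" host="$2"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 30 -key "$dir/ca.key" \
        -subj "/CN=Demo Test CA" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr"
    # By default "x509 -req" copies no extensions from the CSR, so the
    # subjectAltName that current browsers require is supplied at signing.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 30 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Prints OK and returns 0 only if all three checks pass.
check_server_cert() {
    local ca="$1" crt="$2" key="$3" host="$4" cert_pub key_pub
    # 1. Chain: the server certificate must verify against the CA cert.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt is not signed by $ca"; return 1; }
    # 2. Pair: the cert's public key must match the private key Apache
    #    will load (an encrypted key makes openssl ask for the passphrase).
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not belong to $crt"; return 1; }
    # 3. Name: the hostname clients use must be in the certificate.
    openssl x509 -in "$crt" -noout -checkhost "$host" |
        grep -q "does match" ||
        { echo "FAIL: $crt is not valid for $host"; return 1; }
    echo OK
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" www.example.test
check_server_cert "$demo_dir/ca.crt" "$demo_dir/server.crt" \
    "$demo_dir/server.key" www.example.test
rm -rf "$demo_dir"
```

To check the real files from the steps above, call check_server_cert with ca.crt, server.crt, the key file Apache will load, and your site's hostname.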

2 Replies
Uday 2011-08-30 06:36am

Can we use this self-signed certificate to test the functionality of the web site? I have read somewhere that this cannot be used. We can only test the new SSL implementation while getting the signature from the certificate authority. Is it so? Then I feel it's not a much used thing.

lofi 2011-12-07 05:31pm

Uday, no, that is not true. I use it often in development and testing. But you can also use it for private networks.

As long as the client trusts your CA (that is, it has the CA's certificate installed in its store), and the certificate is not expired etc., then the client will accept your server's certificate.

The big reason to buy a certificate from Verisign or Thawte or whoever is because these CAs already have their certificates installed on most computers, so this saves you the hassle of deploying your CA's certificate. On public web sites, deploying a private CA's certificate is not practical, unless it has been signed by one of those root CAs. But if you have a big company and can deploy your CA's certificate via Active Directory or scripts to everyone's computers, then your private CA can work just fine to sign certificates for your private network's web apps.

All content licensed under the Creative Commons License