We all know that encryption between a web server and its visitors plays a huge role in providing a safe web environment. SSL uses asymmetric cryptography, also known as public-key cryptography, inside a public key infrastructure (PKI) to encrypt the connection. Normally a certificate authority (CA) has to issue a valid certificate confirming that the site's identity has been verified. But did you know that you can self-sign a certificate and create one for your own use? If you want to learn more, continue reading this article.
Today we are going to generate a self-signed SSL certificate using OpenSSL commands. OpenSSL commands are extremely useful for completing complicated tasks within a matter of seconds. We recently wrote a complete article on OpenSSL commands; check it out to get a better idea of OpenSSL and what it can do. The steps for creating a self-signed certificate are straightforward as well, as long as you follow them carefully. There is nothing to worry about along the way. So, let's look at the procedure to create a self-signed SSL certificate.
Steps to Create a Self-Signed SSL Certificate
Below is the step-by-step tutorial on creating a self-signed SSL certificate. Follow each step carefully to complete the process successfully, and make sure that each command you enter is correct and has no typos.
1. Generate a Private Key
To begin the self-signed certificate generation process, you have to generate an RSA private key. For this, you can use the following command, which generates a 1024-bit RSA key protected (encrypted on disk) with Triple DES. The file is written in PEM format for further use.
openssl genrsa -des3 -out server.key 1024
Running the above command produces output like this.
Generating RSA private key, 1024 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
2. Generate a Certificate Signing Request (CSR)
Now that you have a private key, it is time to generate the CSR. A CSR can either be sent to a certificate authority for signing or, as here, used to sign the certificate yourself. As we are creating a self-signed SSL certificate, use the following command.
openssl req -new -key server.key -out server.csr
The prompts will look something like this.
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Mumbai
Locality Name (eg, city) [Newbury]:Mumbai
Organization Name (eg, company) [My Company Ltd]:Tech Qunital Ltd
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:www.techquintal.com
Email Address []:admin at techquintal dot com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
As you can see, it asks for a lot of information about you and your company. Provide all of it before proceeding, and make sure that everything you enter is correct.
3. Remove Passphrase from Key
Apache asks for the key's passphrase every time it starts, which is impractical because someone has to type it in after every crash or server restart. To avoid this, you can remove the passphrase from the key. Doing so slightly increases the risk of compromise, since the private key then sits unencrypted on disk, but not by much: many authorities consider it acceptable to remove the passphrase to avoid this difficulty. Use the following commands to do so.
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
The directory listing will then look something like this.
-rw-r--r-- 1 root root 745 Feb 19 11:19 server.csr
-rw-r--r-- 1 root root 891 Feb 19 12:21 server.key
-rw-r--r-- 1 root root 963 Feb 19 12:21 server.key.org
4. Generate a Self-Signed Certificate
Here comes the real step: creating the self-signed SSL certificate. To generate it, use the following command. It produces a self-signed certificate valid for the next 365 days; you may change the validity to suit your requirements. Most SSL certificates are renewed on a yearly basis, so following that industry standard is recommended.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The output will look something like this, showing the subject information taken from the CSR.
Signature ok
subject=/C=IN/ST=Mumbai/L=Mumbai/O=Tech Quintal Ltd/OU=Information Technology/CN=www.techquintal.com/Email=admin at techquintal dot com
Getting Private key
5. Install the Private Key and Certificate
Next, copy the certificate and the private key into the directories your Apache installation reads them from. The exact paths vary from system to system depending on the OS and Apache version; they might look like this.
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key
6. Configure SSL Enabled Virtual Hosts
Now, you have to modify your virtual host file as follows and save it.
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
7. Restart Apache and Test the SSL Certificate
Finally, to complete the process, restart your Apache server and test the HTTPS version of your website. If you can access the HTTPS version of your site, you have successfully installed a self-signed SSL certificate on your web server.
/etc/init.d/httpd stop
/etc/init.d/httpd start
https://www.techquintal.com
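The seven steps above combined into one script, as an added example that is not part of the original article. It departs from the article's commands in a few places: a 2048-bit key, since 1024-bit RSA is below today's accepted minimum; no passphrase on the key, which makes step 3 unnecessary; -subj instead of the interactive prompts; and a subjectAltName extension, which current browsers require alongside the Common Name. The hostname, the output directory and the organization name are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original article: steps 1 to 4 of the tutorial
# as one non-interactive function, followed by the checks a practitioner runs
# before copying the files into Apache (steps 5 to 7). Differences from the
# article: 2048-bit key, no passphrase (so step 3 is skipped), -subj instead
# of prompts, and a subjectAltName that browsers require in addition to CN.
# Hostname, output directory and organization name are assumptions.
set -eu

make_selfsigned() {
  host="$1"; dir="$2"; days="${3:-365}"
  mkdir -p "$dir"
  # Step 1: private key, unencrypted on disk, so restrict who can read it.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  chmod 600 "$dir/server.key"
  # Step 2: CSR with the subject given on the command line instead of prompts.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=IN/ST=Mumbai/L=Mumbai/O=Example Ltd/CN=$host"
  # Step 4: self-sign the CSR, adding a SAN that names the same host.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -days "$days" -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" \
    -extfile "$dir/san.ext" 2>/dev/null
}

# Returns 0 only if key and certificate belong together, the SAN names the
# host, the certificate validates against itself, and it has not expired.
check_selfsigned() {
  dir="$1"; host="$2"
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
  crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl sha256)
  [ "$key_pub" = "$crt_pub" ] || { echo "key and certificate do not match" >&2; return 1; }
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" \
    || { echo "subjectAltName missing" >&2; return 1; }
  openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 \
    || { echo "certificate does not validate as self-signed" >&2; return 1; }
  openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null \
    || { echo "certificate already expired" >&2; return 1; }
}

# Run directly with a hostname (and optional directory) to produce the files.
if [ $# -ge 1 ]; then
  make_selfsigned "$1" "${2:-./ssl}" && check_selfsigned "${2:-./ssl}" "$1" \
    && echo "server.key and server.crt ready in ${2:-./ssl}"
fi
```

After the script succeeds, the two files in the output directory are the ones steps 5 and 6 copy into place and reference from the virtual host.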
You have just installed an SSL certificate on your website. If the HTTPS version of your site works, good. But what about the HTTP version? Does it really redirect you to the HTTPS version, or does it simply serve a duplicate of the website? If it is not redirecting properly, follow the instructions in our guide on HTTP to HTTPS redirection.
For your information, generating self-signed SSL certificates is fine, but in some browsers the certificate may not be recognized as valid. This is because the certificate authority (you) is not a trusted authority for signing certificates. If the certificate shows a warning in browsers, we recommend going for a free SSL certificate. Services like Let's Encrypt are recognized by numerous giants of the internet world; the sponsor list includes Google Chrome, Mozilla, Shopify, Facebook, etc.