
How to Create a Self-Signed SSL Certificate

We all know that encryption between the web server and the receiver plays a huge role in providing a risk-free web environment. SSL uses asymmetric cryptography, also known as public-key cryptography, the basis of public key infrastructure (PKI), to encrypt the connection. For this, a certificate authority (CA) has to provide a valid certificate which confirms that the user is verified. But did you know that you can sign a certificate yourself and create one for your personal use? If you want to learn more, continue reading this article.

Today we are going to generate a self-signed SSL certificate using OpenSSL commands. OpenSSL commands are extremely useful for completing complicated tasks within a matter of seconds. We recently wrote a complete article on the OpenSSL commands; check it out to get a better idea of OpenSSL and its commands. Creating a self-signed certificate is also easy if you follow the steps carefully. So, let’s look at the procedure to create a self-signed SSL certificate.

Steps to Create a Self-Signed SSL Certificate

Below is a step-by-step tutorial on creating self-signed SSL certificates. Follow each step carefully in order to complete the process successfully. Make sure that each command you enter is correct and has no typos.

1. Generate a Private Key

To begin the self-signed certificate generation process, you have to generate an RSA private key. The following command generates a 1024-bit RSA key protected with Triple DES. The file is written in PEM format for further use.

openssl genrsa -des3 -out server.key 1024

Running the above command produces the following output.

Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

2. Generate a Certificate Signing Request (CSR)

Now you have a private key. It is time to generate the CSR. The CSR can either be sent to a certificate authority or used for self-signing. As we are creating a self-signed certificate, use the following command.

openssl req -new -key server.key -out server.csr

The result will look something like this.

Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Mumbai
Locality Name (eg, city) [Newbury]:Mumbai
Organization Name (eg, company) [My Company Ltd]:Tech Quintal Ltd
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []
Email Address []:admin at techquintal dot com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

As you can see, it will ask for a lot of information about you and the company. Provide all of it before proceeding, and make sure that the information provided is correct.

3. Remove Passphrase from Key

Apache servers may need to verify the key and its passphrase each time they restart. This is inconvenient, because someone has to enter the passphrase after every crash or server restart. Removing the passphrase from the key avoids this. Doing so does increase the possibility of being hacked, because the key is then stored unencrypted, but not by much: according to numerous authorities, it is almost safe to remove the passphrase to avoid this difficulty. Use the following commands to do so.

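# The backup file name is missing from this page; server.key.bak is a placeholder.
cp server.key server.key.bak
openssl rsa -in server.key.bak -out server.key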

The directory will then contain something like this.

-rw-r--r-- 1 root root 745 Feb 19 11:19 server.csr
-rw-r--r-- 1 root root 891 Feb 19 12:21 server.key
-rw-r--r-- 1 root root 963 Feb 19 12:21

4. Generate a Self-Signed Certificate

Here comes the real step of creating a self-signed SSL certificate. To generate a self-signed certificate, use this command. It will generate a self-signed certificate valid for the next 365 days. You may change the validity as per your requirements. Most SSL certificates are renewed on a yearly basis, so it is recommended to go with this as the industry standard.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The output should look something like this, and includes the information you entered for the certificate.

Signature ok
subject=/C=IN/ST=Mumbai/L=Mumbai/O=Tech Quintal Ltd/OU=Information
Technology/ at techquintal dot com
Getting Private key

5. Install the Private Key and Certificate

The server creates several folders for its SSL files, and each file goes in the corresponding one. The locations may vary from system to system based on the version of the OS it is running. It might be something like this.

cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key

6. Configure SSL Enabled Virtual Hosts

Now, you have to modify your virtual host file as follows and save it.

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

7. Restart Apache and Test the SSL Certificate

Finally, to complete the process, you have to restart your Apache server and test the SSL version of your website. If you are able to access the HTTPS version of your site, you have successfully installed a self-signed SSL certificate on your website or web server.

/etc/init.d/httpd stop
/etc/init.d/httpd start
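
The key and certificate from steps 1 to 4 can be generated without prompts and checked before they go live. The script below is an added example, not part of the original article, and goes beyond the article's commands by using a 2048-bit key (1024-bit RSA is below current minimums), SHA-256 and a subjectAltName. The function names, the host name www.example.test and the temporary directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the article. File names follow the article; the
# function names and the host name used below are assumptions.
# make_pair DIR HOST BITS: steps 1, 2 and 4 without prompts. The key gets no
# passphrase, which is the state step 3 leaves it in.
make_pair() {
    dir=$1 host=$2 bits=$3
    ( umask 077; openssl genrsa -out "$dir/server.key" "$bits" ) 2>/dev/null || return 1
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" || return 1
    # Browsers match the host name against subjectAltName, not the Common Name.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

note() {  # note STATUS MESSAGE: print a finding and count the FAIL ones
    if [ "$1" = FAIL ]; then fails=$((fails + 1)); fi
    echo "$1 $2"
}

# check_pair KEY CRT: returns the number of failed checks (0 = all passed).
check_pair() {
    key=$1 crt=$2 fails=0
    if grep -q ENCRYPTED "$key"; then
        note INFO "key is passphrase-protected, match check skipped"
    else
        km=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
        cm=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
        if [ -n "$km" ] && [ "$km" = "$cm" ]; then note OK "key matches certificate"
        else note FAIL "key does not match certificate"; fi
    fi
    bits=$(openssl x509 -in "$crt" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    if [ "${bits:-0}" -ge 2048 ]; then note OK "RSA key is $bits bits"
    else note FAIL "RSA key is ${bits:-?} bits, below 2048"; fi
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then note OK "self-issued: subject equals issuer"
    else note FAIL "subject and issuer differ"; fi
    if [ "$(ls -ld "$key" | cut -c5-10)" = "------" ]; then
        note OK "key file is readable by its owner only"
    else note FAIL "key file is accessible to group or others"; fi
    return "$fails"
}

d=$(mktemp -d) && make_pair "$d" www.example.test 2048 &&
    check_pair "$d/server.key" "$d/server.crt"
```

Run check_pair against your own server.key and server.crt before installing them; a non-zero exit status is the number of failed checks.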

You just installed an SSL certificate on your website. If you find the HTTPS version of your site is working fine, that is good. But what about the HTTP version? Does it really redirect you to the HTTPS version, or does it simply serve a duplicate of the website? If it is not redirecting properly, follow the instructions in our guide on HTTP to HTTPS redirection.

For your knowledge, generating self-signed SSL certificates is fine. But in some browsers, the certificate may not be recognized as valid. This is because the certificate authority (you) is not a trusted authority for signing certificates. If you find the certificate showing a warning in browsers, we recommend going for a free SSL certificate. Services like Let’s Encrypt are recognized by numerous giants in the internet world. The sponsor list includes Google Chrome, Mozilla, Shopify, Facebook, etc.

Muhammed Swalih

A simple guy who loves Blogging, SEO, Graphic Designing, etc. By the way, he likes to read a lot and acquire knowledge from various sources online.
