Creating Self-signed Server Certificates

This describes how to make HTTPS work on an Apache server. Ubuntu is assumed here.

Generate a private key:

openssl genrsa -des3 -out server.key 4096

It will ask for a pass-phrase to protect this key. Save the encrypted server key in a copy of this file:

cp server.key server.key.secure

Generate a Certificate Signing Request (CSR):

openssl req -new -key server.key -out server.csr

Answer the questions that the script asks. Note that for the Common Name (CN) field you should enter the FQDN of the server that you’re creating the request for.

This CSR can be sent to a CA for signing after they’ve established your identity.

Either:

  1. Sign the CSR with your private key to produce the SSL cert:

    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

    For a self-signed certificate, carry on without getting it counter-signed.

  2. Sign the CSR with the CA key that you created, producing the server cert:

    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

    Note the serial number. When this CA cert or this server cert expires and is regenerated, increase the serial number so that the new cert is distinguishable from the old one.

    The -days 365 option above sets the validity of the cert to one year.

Remove the pass-phrase from your private key. This is needed because Apache must be able to read the private key (without a pass-phrase prompt at startup) to encrypt data:

openssl rsa -in server.key.secure -out server.key

Change the permissions on these files so that only their owner (root) can read them:

chmod 400 server.*

Now install this lot into Apache:

mkdir /etc/apache2/ssl
cp server.key /etc/apache2/ssl/my_domain_com.key
cp server.key.secure /etc/apache2/ssl/my_domain_com.key.secure
cp server.csr /etc/apache2/ssl/my_domain_com.csr
cp server.crt /etc/apache2/ssl/my_domain_com.crt

Now that these are secured, back them up to somewhere very secure (like a USB stick that is kept secure), and then delete the local server.* copies.

Edit the Apache config to create the virtual host:

<VirtualHost *:443>
  ServerName  my.domain.com

  ...

  SSLEngine On
  SSLCertificateFile /etc/apache2/ssl/my_domain_com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/my_domain_com.key

</VirtualHost>
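Before restarting Apache it is worth checking that the files produced by the steps above actually fit together. The script below is an added example, not part of the original page: it builds a throw-away CA, server key and CA-signed cert in a temporary directory (constructed fixtures, using the page's file names) and then runs the checks a practitioner would want before installing: key matches cert, key carries no pass-phrase, cert chains to the CA, CN is the expected FQDN, and the cert is not about to expire.

```shell
#!/bin/sh
# Added example (not from the original page): pre-install checks for a server
# cert made by the procedure above. Fixtures are constructed in a temp dir so
# this runs offline; names follow the page (ca.key, ca.crt, server.key, server.crt).
set -eu

# Apache reads the key unattended, so the installed copy must carry no pass-phrase.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# The public key inside the cert must match the private key Apache will load.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The cert must chain to the CA (option 2 on the page); a self-signed one will not.
cert_verifies_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The CN must be the FQDN clients connect to.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# True if the cert is still valid $2 days from now (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed fixtures: CA, server key, CSR and CA-signed cert as on the page,
# but with -subj and no pass-phrase so nothing prompts.
make_fixtures() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=my.domain.com" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 01 -out "$d/server.crt" 2>/dev/null
    printf '%s\n' "$d"
}

# Run every check: ca.crt server.crt server.key fqdn; non-zero status if any fails.
check_server_cert() {
    key_is_unencrypted "$3" && cert_matches_key "$2" "$3" &&
    cert_verifies_against_ca "$1" "$2" && cert_has_cn "$2" "$4" && cert_valid_for_days "$2" 30
}

d=$(make_fixtures)
check_server_cert "$d/ca.crt" "$d/server.crt" "$d/server.key" my.domain.com && echo "server.crt: OK"
```

To check the real files, call check_server_cert with /etc/apache2/ssl/my_domain_com.crt and .key (and your ca.crt) in place of the fixtures; the self-signed cert from option 1 will fail only the CA check.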