How do I create a self-signed SSL certificate?
Solution 1:
Ubuntu, even the 'minimal' flavour, comes with the ssl-cert
package pre-installed, which means you don't need to do anything.
The files you're looking for are already on your system:
/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key
Advanced:
If for some reason you need to create a fresh certificate, you can run
sudo make-ssl-cert generate-default-snakeoil --force-overwrite
If you want to change the expiration date of you certificate, you can manipulate the make-ssl-cert script at /usr/sbin/make-ssl-cert
. Around like 124 there's a line similar to this:
openssl req -config $TMPFILE -new -x509 -nodes \
Where you can change the expiration date by adding the -days
argument:
openssl req -config $TMPFILE -new -days 365 -x509 -nodes \
More options can be found in the manual page of req
.
Solution 2:
As already mentioned, Ubuntu Server comes with the necessary tools. Depending on your server version you'll have to look up the specific documentation. I'll try to summarize the self-signed certificate generation process of the current LTS (12.04).
First you generate the keys for the Certificate Signing Request (CSR):
openssl genrsa -des3 -out server.key 2048
It's up to you to enter a passphrase or not. If you do, everytime you (re)start a service usign that certificate, you'll have to provide the passphrase. Otoh you can create an "insecure" key without a passphrase from the secure one:
openssl rsa -in server.key -out server.key.insecure
# shuffle the key names to continue without passphrases
mv server.key server.key.secure
mv server.key.insecure server.key
And now you'll create the CSR from the key. With the CSR and the key a self-signed certificate can be generated:
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The last step consists of installing the certificate and the key, in Debian/Ubuntu usually in /etc/ssl
:
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
And finally the applications using the certificate/key have to be configured accordingly.