How do I create a self-signed SSL certificate?

Solution 1:

Ubuntu, even the 'minimal' flavour, comes with the ssl-cert package pre-installed, which means you don't need to do anything.

The files you're looking for are already on your system:

/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key


Advanced:

If for some reason you need to create a fresh certificate, you can run

sudo make-ssl-cert generate-default-snakeoil --force-overwrite 

If you want to change the expiration date of your certificate, you can manipulate the make-ssl-cert script at /usr/sbin/make-ssl-cert. Around line 124 there's a line similar to this:

openssl req -config $TMPFILE -new -x509 -nodes \

Where you can change the expiration date by adding the -days argument:

openssl req -config $TMPFILE -new -days 365 -x509 -nodes \

More options can be found in the manual page of req.

Solution 2:

As already mentioned, Ubuntu Server comes with the necessary tools. Depending on your server version you'll have to look up the specific documentation. I'll try to summarize the self-signed certificate generation process of the current LTS (12.04).

First you generate the keys for the Certificate Signing Request (CSR):

openssl genrsa -des3 -out server.key 2048

It's up to you to enter a passphrase or not. If you do, every time you (re)start a service using that certificate, you'll have to provide the passphrase. OTOH you can create an "insecure" key without a passphrase from the secure one:

openssl rsa -in server.key -out server.key.insecure
# shuffle the key names to continue without passphrases
mv server.key server.key.secure
mv server.key.insecure server.key

And now you'll create the CSR from the key. With the CSR and the key a self-signed certificate can be generated:

openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The last step consists of installing the certificate and the key, in Debian/Ubuntu usually in /etc/ssl:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

And finally the applications using the certificate/key have to be configured accordingly.
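
The steps from Solution 2 as one non-interactive script with post-checks; this is an added example, not part of either answer. It creates the key without a passphrase (the route the answer calls "insecure"), so it restricts the key file's permissions instead; the function names, the CN value and the scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed cert, then verify the result.
# Function names, CN and output directory are illustrative, not from the page.

# make_selfsigned DIR CN DAYS -> writes server.key, server.csr, server.crt in DIR
make_selfsigned() {
    dir=$1 cn=$2 days=$3
    (
        umask 077   # key file is never group/world-readable, even briefly
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    ) || return 1
    chmod 600 "$dir/server.key"
    # -subj replaces the interactive DN prompts of "openssl req -new"
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" || return 1
    # x509 -req reports "Signature ok" on stderr; silence it
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert KEY CRT -> exit 0 if the cert carries the key's public half
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

# valid_for_days CRT N -> exit 0 if the cert is still valid N days from now
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo in a scratch directory (constructed CN; nothing is installed system-wide)
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" "test.example.internal" 365 &&
    key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt" &&
    valid_for_days "$demo_dir/server.crt" 364 &&
    echo "certificate OK: $(openssl x509 -in "$demo_dir/server.crt" -noout -enddate)"
rm -rf "$demo_dir"
```

Running key_matches_cert against the files in /etc/ssl/certs and /etc/ssl/private after copying catches the common mistake of installing a certificate next to the wrong key.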