Ubuntu Gutsy - generating a self signed SSL certificate
Secure connections to your website are vital when entering passwords or entering administration areas.
This article will take you through generating a self-signed certificate to use with https (port 443) connections.
Server Agnostic
This is a standalone article which simply generates a self signed SSL certificate - for instructions on how to set up your server of choice (Apache, Nginx, Litespeed, etc) to use port 443 please refer to the relevant article sections.
Non commercial
Before we go any further I would also point out that self-signed certificates will produce warnings when accessed via an https link.
They are not suitable for commercial sites or any public facing site but are ideal for personal administration areas.
There are many sites that specialise in issuing recognised and guaranteed certificates. A search for 'ssl certificates' in your favourite search engine will provide many links.
SSL directory
There is a 'standard' Ubuntu/Debian location for certificates at /etc/ssl/ which contains folders called 'certs' and 'private'.
You are, of course, free to use any directory but in this article I will use the /etc/ssl/certs directory to store the generated certificate.
This makes it easier to locate the certificates and is not dependent on using a particular server.
Certificate
There are a few different ways of creating self-signed certificates and the method shown here is just one of them.
To start, make sure you have the ssl-cert package installed:
sudo aptitude install ssl-cert
Once installed, we can go ahead and create it:
Create
Creating the certificate is as simple as:
sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/certs/selfsigned.pem
You can name the certificate whatever you like - I have chosen the name 'selfsigned.pem' so as not to tie it to any particular server.
Do ensure the suffix is .pem when you name your certificate.
A simple ncurses dialogue will open asking various questions:
Country:

State:

City:

Organisation:

Section:

Hostname:

Entering the correct domain name will suppress a second warning when you use the certificate.
However, do remember that you can only have one certificate per IP address so you may well have two warnings (shown below) if you then use the certificate on another site.
Email:

I recommend you put a working email address here, especially if the certificate is to be used on a publicly accessed area - it allows users to get in touch should they have any concerns about the certificate.
Done
That's it.
Now we have a self signed certificate located at /etc/ssl/certs/selfsigned.pem ready for use on an HTTPS connection.
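A quick check of the generated file before pointing a server at it, as an added example that is not part of the original article: it reports the subject and validity dates, compares the certificate's hostname with the one you intend to serve, and fails if the file holds a private key that anyone other than its owner can read. The function names are made up for this example, and it assumes GNU stat and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original article): pre-deployment checks on a
# self-signed PEM. Function names are made up here. Assumes GNU stat (Ubuntu).

# True if the PEM bundles a private key with the certificate.
pem_has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# True if group or others hold any permission bit on the file.
pem_is_exposed() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Prints the commonName (the "Hostname" answer) from the certificate subject.
pem_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# True if the certificate is still valid $2 days from now (default 7).
pem_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-7} * 86400 )) >/dev/null
}

# Usage: audit_pem FILE [EXPECTED_HOSTNAME]; returns 0 only if every check passes.
audit_pem() {
    pem=$1; host=${2:-}; rc=0
    openssl x509 -in "$pem" -noout -subject -dates || return 2
    if pem_has_private_key "$pem" && pem_is_exposed "$pem"; then
        echo "FAIL: private key in $pem is readable beyond its owner (chmod 600)"
        rc=1
    fi
    if [ -n "$host" ] && [ "$(pem_common_name "$pem")" != "$host" ]; then
        echo "WARN: certificate hostname does not match $host"
        rc=1
    fi
    if ! pem_valid_for_days "$pem" 7; then
        echo "WARN: certificate expires within 7 days"
        rc=1
    fi
    return $rc
}

# Run directly, e.g.: sh check-pem.sh /etc/ssl/certs/selfsigned.pem host.name
if [ -n "${1:-}" ]; then audit_pem "$@"; fi
```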
Warnings
Just a reminder that self signed certificates will produce one or two warnings similar to these:

Clicking 'OK' will take you to a second warning:

If you accept the certificate, you will then proceed to the site. However, as you can tell, a visitor receiving these warnings on a secure area of a public website will not be too impressed. They are, however, fine for personal use and for an administration area.
Summary
Creating a self signed SSL certificate is very easy with Ubuntu Gutsy. Once done, it can be used on any SSL enabled virtual host.
PickledOnion.


Article Comments:
Andrew commented Tue Feb 05 22:50:03 UTC 2008:
To use a pem file in an Apache config:
SSLEngine On
SSLCertificateFile /etc/ssl/certs/www.site.com.pem
Daryl commented Fri Mar 21 17:22:54 UTC 2008:
Now if I wanted to apply this to providing imaps and smtps access to mail on the slice?
Eric Wikman commented Mon Oct 20 14:07:58 UTC 2008:
The default validity for the certificate using this method is 30 days. Follow the instructions at http://devio.wordpress.com/2008/07/16/extending-default-validity-for-self-generated-ssl-certificates/ to adjust the validity to be longer (like 365 days).