How to Create a Self-Signed Certificate on a Linux Machine

Overview

In this article, I demonstrate how to create a self-signed certificate on a Linux machine. You can find many articles on creating a self-signed certificate, but I will also explain a little more about SSL certificates, which will help you understand what a self-signed certificate is actually for.

I have divided this article into parts that are easy to understand and remember, so the next time you configure SSL you will be able to do it yourself without going through an article.

Below are the points we will go through to understand the procedure for creating a self-signed certificate.

1. About SSL Certificate
2. What is Self Signed Certificate?
3. When should and shouldn't a self-signed certificate be used?
4. Steps to Create Self Signed Certificate
5. Configure Self-Signed with Apache

Let's go through each of these points in detail.

1. About SSL Certificate

SSL stands for Secure Sockets Layer.

SSL is used to encrypt the information exchanged with a site and to make the connection secure. It maintains an encrypted link between a server and a client.

SSL protects sensitive information such as credit card numbers, usernames, passwords and emails.

SSL stops hackers from stealing important information from websites. It gives customers a guarantee that their important data is kept safe by SSL.

2. What is Self-Signed SSL Certificate?

We have just seen what an SSL certificate is. Now let's look at the self-signed SSL certificate.
A self-signed certificate is a certificate that is created and signed by a person themselves, using a local encryption technique.

This type of certificate is not tested or approved by a trusted certificate authority. Self-signed certificates are not used on live websites.
If a site uses a self-signed certificate, customers will get the message "The Site Security Certificate not Trusted!".

No one uses a self-signed certificate on live sites.

3. When should and shouldn't a self-signed certificate be used?

A self-signed certificate should not be used on live websites, such as sites that handle credit card information, usernames, passwords and so on. If you use one, your site is at risk of having its information hacked: hackers can steal or tamper with important information from your website. Your customers will also see an error message when accessing your site, and they will not provide sensitive information to a non-trusted site. It will definitely harm your business, so don't use any kind of self-signed certificate on your live website.

A self-signed certificate is mainly used on a development server, where developers need to test or develop some functionality or application. You don't need to pay for a trusted certificate when you only want to use it on a local or development server. This is the main benefit of a self-signed certificate.

If you want to buy and implement a trusted SSL certificate, go through the links below. They provide the complete steps to implement a trusted certificate.


READ : 5 easy steps to purchase SSL on Godaddy
READ : SSL Configuration on Linux with Nginx


4. Steps to create Self Signed Certificate

Now let's go through the process of creating a self-signed certificate on a Linux machine. I am using Linux Mint here, but you can use the same steps on other Linux distros as well.

1. Install OpenSSL Command

Before starting, make sure the "openssl" command is installed on your Linux system.

Most distros come with the OpenSSL command installed by default. If your system doesn't have it, use the commands below to install OpenSSL.

$ apt-get update
$ apt-get install openssl

2. Create Self Signed Certificate

Follow the three simple commands below to create a certificate.

$ mkdir -p /etc/apache2/SSL
$ cd /etc/apache2/SSL

Generate Self-signed key

$ openssl genrsa -des3 -out self-signed.key 2048  # create the private key with a passphrase

Generating RSA private key, 2048 bit long modulus
..................................................+++
..................................+++
e is 65537 (0x10001)
Enter pass phrase for self-signed.key:
Verifying - Enter pass phrase for self-signed.key:

Note: Make sure you do not forget the passphrase, otherwise you will not be able to reload/restart Apache.

$ openssl genrsa -out self-signed.key 2048  # or: create the private key without a passphrase

Generating RSA private key, 2048 bit long modulus
.....................................................+++
................................+++
e is 65537 (0x10001)

Generate CSR [Certificate Signing Request]

$ openssl req -new -key self-signed.key -out self-signed.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:MAHARASHTRA
Locality Name (eg, city) []:MUMBAI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:techthings
Organizational Unit Name (eg, section) []:technical
Common Name (e.g. server FQDN or YOUR name) []:www.techthings.org
Email Address []:test@techthings.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: Enter
An optional company name []: Enter

Generate Self-Signed Certificate

$ openssl x509 -req -days 365 -in self-signed.csr -signkey self-signed.key -out self-signed.crt

Signature ok
subject=/C=IN/ST=MAHARASHATRA/L=MUMBAI/O=techthings/OU=technical/CN=www.techthings.org/emailAddress=test@techthings.org
Getting Private key
$ ls -l

-rw-r--r-- 1 root root 1354 Oct 16 13:39 self-signed.crt
-rw-r--r-- 1 root root 1082 Oct 16 13:38 self-signed.csr
-rw-r--r-- 1 root root 1679 Oct 16 13:35 self-signed.key
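
The key, CSR and certificate steps above, run without prompts and then checked, as an added example that is not part of the original article. The function names, the san.ext file and the host name dev.example.test are assumptions; the example also sets a subjectAltName, which the commands above do not, and keeps the key file owner-only.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, file layout
# and the host name dev.example.test are assumptions made for illustration.

# make_self_signed DIR CN: key -> CSR -> self-signed certificate, no prompts.
make_self_signed() (
    umask 077                 # the private key is created owner-only (0600)
    cd "$1" || exit 1
    openssl genrsa -out self-signed.key 2048 2>/dev/null || exit 1
    openssl req -new -key self-signed.key -out self-signed.csr \
        -subj "/C=IN/O=techthings/CN=$2" || exit 1
    # Current browsers match the host name against subjectAltName, not CN.
    printf 'subjectAltName=DNS:%s\n' "$2" > san.ext
    openssl x509 -req -days 365 -in self-signed.csr -signkey self-signed.key \
        -extfile san.ext -out self-signed.crt 2>/dev/null || exit 1
    chmod 644 self-signed.crt # the certificate is public, the key is not
)

# check_self_signed DIR CN: returns 0 only if every check below passes.
check_self_signed() {
    crt=$1/self-signed.crt key=$1/self-signed.key
    # 1. Self-signed: issuer and subject are the same name.
    [ "$(openssl x509 -in "$crt" -noout -subject_hash)" = \
      "$(openssl x509 -in "$crt" -noout -issuer_hash)" ] || return 1
    # 2. The certificate carries the public half of this private key.
    [ "$(openssl x509 -in "$crt" -noout -modulus)" = \
      "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] || return 1
    # 3. The host name is present as a subjectAltName entry.
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$2" || return 1
    # 4. The key is not readable by group or others.
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ]
}

# Demo in a throwaway directory (on a server this would be /etc/apache2/SSL).
demo_dir=$(mktemp -d)
make_self_signed "$demo_dir" dev.example.test &&
    check_self_signed "$demo_dir" dev.example.test &&
    echo "certificate and key in $demo_dir passed all checks"
```

Running check_self_signed against /etc/apache2/SSL with the listing above would fail on the last check, because self-signed.key is shown there as readable by everyone.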

The self-signed certificate is now ready to use with the Apache server. Let's see how to configure the self-signed certificate with Apache.

5. Configure Self-Signed with Apache

Now use the SSL certificate you created with the Apache server. You need to create a VirtualHost for port 443, the port used for HTTPS connections.
Open the VirtualHost configuration and create a new .conf file for the 443 VirtualHost.

Before adding the SSL configuration, enable the "ssl" module with the command below.

$ a2enmod ssl
$ vim /etc/apache2/conf-available/site-https.conf
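
A minimal HTTPS virtual host for site-https.conf that uses the files created in step 4, as an added example that is not the article's own configuration. ServerName, DocumentRoot, the log file names and the SSLProtocol line are assumptions.

```apache
# Added example, not the article's own configuration.
<VirtualHost *:443>
    # Assumption: the host name given as Common Name in the CSR step
    ServerName www.techthings.org
    # Assumption: Debian/Ubuntu default document root
    DocumentRoot /var/www/html

    SSLEngine on
    # Certificate and private key created in step 4
    SSLCertificateFile    /etc/apache2/SSL/self-signed.crt
    SSLCertificateKeyFile /etc/apache2/SSL/self-signed.key

    # Assumption: allow only TLS 1.2 and newer
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    ErrorLog  ${APACHE_LOG_DIR}/site-https-error.log
    CustomLog ${APACHE_LOG_DIR}/site-https-access.log combined
</VirtualHost>
```

A file under conf-available is only loaded after it has been enabled with a2enconf site-https.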

Once you have added the VirtualHost, check the configuration and restart Apache with the commands below:

$ apache2ctl -t
$ service apache2 restart

Now open a browser and enter the domain name or IP address of your system in the address bar. See the screenshots below for reference.

[Screenshots: ssl2, ssl3]

I hope you liked the article. If you run into any difficulties creating a self-signed certificate on Linux, please post your queries or problems in the comment section. Until then, stay tuned to techthings.org for more such valuable articles.

To learn more about SSL commands, check the link below.

READ : Important SSL Commands SysAdmin Should Know
