Create self-signed SSL certificate in Ubuntu
What is SSL Certificate?
SSL is an acronym for Secure Sockets Layer. SSL certificates are small data files that digitally bind a cryptographic key to an organisation's details. They create an encrypted connection between your web server and your visitor's browser, allowing private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery. When an SSL certificate is installed on a web server, it activates the padlock and the https protocol (over port 443).
What is Self-signed SSL Certificate?
An organisation needs to buy an SSL certificate from a trusted certificate authority, and the prices are very high. So, for development and testing purposes, an organisation can use self-signed SSL certificates. A self-signed SSL certificate is created locally on the web server where a new SSL implementation needs to be tested. It is an identity certificate signed by its own creator; however, such certificates are considered less trustworthy. This temporary certificate produces an error in the client browser to the effect that the signing certificate authority is unknown and not trusted, because it is not signed by any known trusted CA.
SSL Certificate Files:
An SSL certificate needs a .key file and a .crt file. These files represent the two parts of a certificate: .key is the private part and .crt is the public part, meaning that .key holds the private key of the certificate and .crt holds the signed certificate.
How to create Self-Signed SSL certificate in Ubuntu?
The openssl tool is required to generate a self-signed SSL certificate in Ubuntu. Open a terminal and become root first. Now check whether you already have openssl installed, using the following command:

$ which openssl
If the above command returns a path like /usr/bin/openssl, your system has openssl. If it does not return any path, you will need to install openssl yourself with the following command:

$ apt-get install openssl
After installing openssl, a private key (.key file) and a signed certificate (.crt file) are required for the SSL certificate. We will store the .key and .crt files in a single folder:

$ mkdir /etc/ssl/self-signed && cd /etc/ssl/self-signed
The command above creates the self-signed folder under /etc/ssl and changes into it. The following four simple steps will guide you through creating a self-signed SSL certificate for your web server.
Step 1 : Create a Private Key
The first step is to create your RSA private key. This key will be a 1024-bit RSA key, encrypted with Triple-DES and stored in PEM format so that it is readable as ASCII text. Command to create the RSA key:

$ openssl genrsa -des3 -out server.key 1024
Edited:
Due to the increasing computing power available for breaking RSA keys, the Certificate Authority Browser (CAB) Forum (the entity that establishes SSL industry standards) requires that all SSL certificates issued after Jan. 1, 2014, use at least 2048-bit keys. SSL certificates that use 1024-bit keys are no longer secure. Command to create a 2048-bit RSA key:
$ openssl genrsa -des3 -out server.key 2048
Step 2 : Remove pass-phrase from key
One side-effect of an encrypted private key is that Apache will always ask for the pass-phrase when the web server starts. We can remove this pass-phrase restriction with the following command:

$ openssl rsa -in server.key -out server.key.insecure
Now rename the files (the unencrypted key is now protected only by file permissions, so keep it readable by root alone):

$ mv server.key server.key.secure && mv server.key.insecure server.key
Step 3 : Generate a CSR (Certificate Signing Request)
Once the private key is generated and the pass-phrase restriction is removed, you should generate a certificate signing request (CSR). During CSR generation, you will be prompted for various pieces of information, which become the certificate's attributes. Please note that when you are prompted for "Common Name", you should enter the complete name of your domain. For example, if the request is being generated for shivalibari.com, enter shivalibari.com as the common name, so that this domain name is protected with SSL, as in https://shivalibari.com. Use the following command for CSR generation:

$ openssl req -new -key server.key -out server.csr
Step 4 : Generate Self-Signed SSL Certificate
Use the following command to generate the self-signed certificate:

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
This certificate can be used for 365 days.
Using the above four simple steps you can successfully create a self-signed SSL certificate. You can use the files server.key and server.crt, located in /etc/ssl/self-signed, in your code or in any programming language to implement an SSL or HTTPS connection with your web application.
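The four steps above, collected into one non-interactive script as an added example (this is not code from the original post). It assumes openssl is installed and takes the output directory, domain name and validity period as parameters; unlike the steps above it generates the key without a pass-phrase in the first place, adds a subjectAltName (which current browsers require alongside the Common Name), and includes a check that the certificate really belongs to the key.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the openssl binary is
# on PATH; directory, domain and validity period are supplied as arguments.
set -eu

# make_self_signed DIR DOMAIN [DAYS]
# Produces DIR/server.key (unencrypted 2048-bit RSA, mode 0600),
# DIR/server.csr and DIR/server.crt (self-signed, valid for DAYS days).
make_self_signed() {
  dir=$1; domain=$2; days=${3:-365}
  mkdir -p "$dir"
  # Steps 1 and 2 combined: an unencrypted key straight away, which is what
  # "genrsa -des3" followed by "openssl rsa -in ... -out ..." ends up with.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  chmod 600 "$dir/server.key"   # the key is protected only by permissions now
  # Step 3: CSR with the domain as Common Name, passed via -subj so no prompts.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$domain" 2>/dev/null
  # Step 4: self-sign the CSR. The extension file adds a SAN entry, since
  # browsers no longer match the host name against the Common Name alone.
  printf 'subjectAltName=DNS:%s\n' "$domain" > "$dir/san.cnf"
  openssl x509 -req -days "$days" -in "$dir/server.csr" \
    -signkey "$dir/server.key" -extfile "$dir/san.cnf" \
    -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_key DIR: succeeds when server.crt carries the public key that
# belongs to server.key (a mismatch is the classic "works in openssl, fails in
# Apache" misconfiguration).
cert_matches_key() {
  k=$(openssl rsa -in "$1/server.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$1/server.crt" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# cert_common_name DIR: prints the CN from the certificate subject
# (handles both "subject=CN = x" and "subject= /CN=x" output formats).
cert_common_name() {
  openssl x509 -in "$1/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# cert_self_verifies DIR: a self-signed certificate must validate when it is
# used as its own trust anchor; anything else means the signature is broken.
cert_self_verifies() {
  openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}
```

Run it as `make_self_signed /etc/ssl/self-signed shivalibari.com 365` and then `cert_matches_key /etc/ssl/self-signed` before pointing Apache at the files.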