Create self-signed SSL certificate in Ubuntu

What is SSL Certificate?
SSL is an acronym for Secure Sockets Layer. SSL Certificates are small data files that digitally bind a cryptographic key to an organisation’s details. It creates an encrypted connection between your web server and your visitor’s browser, allowing for private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery. When SSL gets install on web server, it activates the padlock and the https protocol (over port 443).

What is Self-signed SSL Certificate?
Organisation needs to buy SSL certificate from trusted hosting companies and its prices are very high. So, for development and testing purpose organisation can use self-signed SSL certificates. This self-signed SSL are certificates which get locally create on web server where it needs for testing of new SSL implementation. It is an identity certificate signed by its own creator; however, they are considered to be less trustworthy.This temporary certificate generates an error in the client browser to the effect that the signing certificate authority is unknown and not trusted because it’s not signed by any known trusted CA authority.

SSL Certificate Files: SSL certificate needs .key and .crt files. This files represent both parts of a certificate, .key is a private and .crt is a public part of certificate that means key being the private key to the certificate and crt being the signed certificate.

How to create Self-Signed SSL certificate in Ubuntu?
The openssl library is required to generate self-signed SSL certificate in Ubuntu. Open terminal and become root first . Now check if you already have openssl installed. Use following command for it:

$ which openssl

If above command returns path like /usr/bin/openssl , that means your system has openssl. But if it does not return any path then you will need to install openssl yourself. Use following command to install openssl:

$ apt-get install openssl

After installing openssl, private key (.key file) and signed certificate (.crt file) is required for SSL certificate. We need to store .key and .crt files in a single folder.

$ mkdir /etc/ssl/self-signed && cd /etc/ssl/self-signed

Above commands create self-signed folder on /etc/ssl path. Following are simple four steps which will guide you to create self-signed SSL certificate for your web server.
Step 1 : Create a Private Key
The first step is to create your RSA Private Key. This key will be 1024 bit RSA key which will be encrypted using Triple-DES and will be store in a PEM format so that it will be readable as ASCII text. Command to create RSA key:

$ openssl genrsa -des3 -out server.key 1024

Edited: Due to the increasing computing power available to decrypt SSL certificates, the Certificate Authority Browser (CAB) Forum (the entity that establishes SSL industry standards) requires that all SSL certificates issued after Jan. 1, 2014, use at least 2048-bit keys. SSL certificates that use 1024-bit keys are no longer secure. Command to create 2048 bit RSA key:

$ openssl genrsa -des3 -out server.key 2048

Step 2 : Remove pass-phrase from key
One side-effect of private key is that, Apache always ask for pass-phrase when web server gets start. But we can remove this pass-phrase restriction using following command:

$ openssl rsa -in server.key -out server.key.insecure

Now rename files:

$ mv server.key && mv server.key.insecure server.key

Step 3 : Generate a CSR (Certificate Signing Request)
Once private key is generated and pass-phrase restriction is removed, you should generate certificate signing request(CSR). During CSR generation, you will get prompted for different information which are the certificates attribute. Please note when you will get prompt for “Common Name”, you should enter complete name of your domain. For example if request is getting generate for then please enter as a common name. So this domain name will get protected with SSL like : Use following command for CSR generation:

$ openssl req -new -key server.key -out server.csr

Step 4 : Generate Self-Signed SSL Certificate
Use following command to generate self-signed certificate:

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This certificate can get use for 365 days.
Using above simple four steps you can successfully create self-signed SSL certificate. You can use the filesserver.key and server.crt which are located in /etc/ssl/self-signed into your code or in any programming language to implement SSL or HTTPS connection with your web application.


My Name is Dileep Singh, Noder, Javascript Lover & NoSql Developer, Fitness Freak, Love to travel new places, learning photography & Music Manic ♯ ♩ ♬

Posted in Node.Js Tagged with: , ,