How to create a self signed SSL certificate and how to use it with your web Server.

SSL certificate is the foremost important aspect of any website. If your website is running without the SSL, the modern browsers will stop the users from entering the website. Of course, there are ways to bypass that, at your own risk. As long as your website has no commercial data exchange, sensitive user information, etc, you are still good to run a website without a proper SSL certificate. For example, a blog can run without an SSL. 

Note that Google AdSense accepts websites without SSL. 

But the topic of this post is about Self Signed SSL certificate. How to create one, how to use it, and where to use it. 

Let us see where to use it. For any website which is used for internal purposes, it's always a good idea to use Self Signed SSL, instead of paying for a real SSL certificate. Internal I mean, within a company, team, or for personal uses, for testing purposes, etc. 

Now, let us see how to create a self-signed SSL certificate. 

What you need

A Linux machine. 

OpenSSL utility 

Apache2 Web Server with a sample website. 


Let us start...

Install prereqs. 

You need to install the mod_ssl to enable httpd or Apache to work with SSL certificates.  I am using CentOS-based Linux, so I will use the yum package manager utility. 

Perform all the steps as a non-root user with sudo permission. 

sudo yum install mod_ssl


This should install the SSL module for the httpd services. Please note that in CentOS it is called httpd whereas in Ubuntu it is called as Apache2. 

The certificate and key will be created under the default location. 

sudo mkdir -p /etc/ssl/private

sudo mkdir -p /etc/ssl/certs


Create the certificate and the private key 

Use the below OpenSSL command to create both certificate and private key. The one command does create both files. There is no additional step like creating CSR - Certificate Signing Request. Since this is a self-signed certificate, you are not going through the actual process of getting the certificate singed by the CA - Certification Authority. Examples for CA are, Symantec Inc, DigiCert etc. 


sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/host2-selfsigned.key -out /etc/ssl/certs/host2-selfsigned.crt

This will go into an interactive screen. It will prompt various inputs. 

Refer to the below screenshot for the inputs I have provided. 


Please note that the CN - Common Name should match with your domain, hostname or the IP address, as per your httpd settings for the website. In other words. I have used IP address here. 

If the command is successful, it exits from the OpenSSL interactive session. 

Now check the below locations for certificates. 

For ssl certificate check this location /etc/ssl/certs

For private key check this location /etc/ssl/private

ls -ltr /etc/ssl/private/

-rw-r--r--. 1 root root 1704 Jun 12 17:09 host2-selfsigned.key


ls -ltr /etc/ssl/certs/


-rw-r--r--. 1 root root 1419 Jun 12 17:09 host2-selfsigned.crt


Configure the New SSL certificates in the Apache server 

Create a new config file under /etc/httpd/conf.d/ to configure the Virtual Host and SSL certificate details. 

I am creating the file with the IP address of my host. 

sudo vi /etc/httpd/conf.d/152.70.72.193.conf

<VirtualHost *:443>
ServerName 152.70.72.193
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/host1-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/host1-selfsigned.key
</VirtualHost>


Now check the config files are valid by running 

sudo apachectl configtest

You should get Success OK status. This confirms that all your config files are correct. 

Now restart your httpd. 

sudo systemctl restart httpd.service

Now access the web application URL  https://152.70.72.193/  

If you are accessing the URL for the first time after the certificates are installed, then you will be warned by the browser. It clearly says the website uses an invalid certifiacte. 



Once you accept and click on the continue button, page should load properly as shown below




Notice the https and exclamatory mark and it indicates that there is an SSL certificate but it is not trusted by the browser. 

If the site is taking longer and then times out, check if the http version is working. If the http version is working then you to check if the firewalls are disabled for https ports. 

sudo firewall-cmd --add-service=https

If the output of this command is "success" Then it was an issue with the firewall. Now the page should load. 

Inspect the certificate from the browser. 

Click on the lock icon on the address bar, it says the connection is not secure. Click on more information and it shows the details of the certificate. 


If you want to see the certificate, click on the view certificate. 


1 comment:

  1. I’ll immediately clutch your rss feed as I can't in finding your e-mail subscription link or e-newsletter service. Do you've any? Kindly let me recognise in order that I may just subscribe. Thanks.360 player

    ReplyDelete

How to create a self signed SSL certificate and how to use it with your web Server.

SSL certificate is the foremost important aspect of any website. If your website is running without the SSL, the modern browsers will stop t...