How to create a Self-Signed SSL Certificate

What is SSL?

SSL or Secure Sockets Layer is a standard technology behind establishing an encrypted connection between a web server (host) and a web browser (client). This connection between the two makes sure that all the data passed between them remain private and intrinsic. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to.

Why Self-Signed SSL?

A Self-Signed certificate is similar to the certificate provided by CA(Certificate Authorities) except it being signed by yourself, but we are still using SSL, so we use encryption and we are defeating passive attackers: someone who wants to see our secrets will have to commit visibly to the effort, by mounting a fake server or a man in the middle attack.

On the client side, you can use “direct trust”, i.e. specifically instructing your browser to trust the specific server’s certificate. The first connection to the server is vulnerable to a MitM(man in the middle attack), but afterward, you are protected.

In many situations, SSL with a self-signed certificate is much better than no SSL at all. But definitely, “better” and “good” are not the same thing

Let’s try creating a Sample SSL certificate.

We can create SSL certificate through different approaches explained here.

Approach 1:

[########## courtesy : Digitalocean – How to create a SSL certificate on apache for ubuntu ##########]

Let’s start off by creating a subdirectory to place the certificate files that we will be making:

mkdir /ssl

Now we have a location to place our key and certificate.

We can create them both in a single step:

OpenSSL req -x509 -nodes -days 365 -newkey rsa:2048 -keyout your_domain.key -out your_domain.crt

In the above command

openssl : This is the basic command line tool provided by OpenSSL to manage SSL
req : This specifies a subcommand for X.509 certificate signing request (CSR) management.
-x509 : This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
-nodes : This option tells OpenSSL that we do not wish to secure our key file with a passphrase.
-days 365 : This specifies the validity of our certificate
-newkey rsa:2048 : The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
-keyout : This parameter names the output file for the private key file that is being created.
-out : This option names the output file for the certificate that we are generating.

On running the command, we will be asked to provide the following details

Country Name (2 letter code) [AU]:YOUR_COUNTRY_CODE
State or Province Name (full name) [Some-State]:YOUR_STATE
Locality Name (e.g., city) []:YOUR_CITY
Organization Name (e.g., company) [Internet Widgits Pty Ltd]:YOUR_COMPANY
Organizational Unit Name (e.g., section) []:YOUR_INDUSTRY_UNIT
Common Name (e.g. server FQDN or YOUR name) []:YOUR_DOMAIN
Email Address []:YOUR_EMAIL

Upon failing the above details, it will generate a “key” file and “crt” file which is build based on the information you provided.

You can upload the files to your server and restart it to apply the changes.

If you hit your URL with “https”, you will get a warning that your browser cannot verify the identity of your server because it has not been signed by one of the certificate authorities that it trusts.

As said earlier, we can use “direct trust”, i.e. specifically instructing your browser to trust the specific server’s certificate

Approach 2:

Now, let’s try the other approach.

[########## courtesy : thegeekstuff.com – linux apache mod ssl generate key csr crt file  ##########]

Generate the “private key” by running the following command

$ openssl genrsa -des3 -out server.com.key 1024

On executing the above command, we would be asked for passphrase as shown below

Generating RSA private key, 1024 bit long modulus
…….++++++
…………………………… ………………………………………. ……………………………. ………….++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying – Enter pass phrase for server.key:

Remember the passphrase, that you give in the above step.

Now it’s time to create our “CSR (Certificate Signing Request)” file by using the key file which we have generated in the previous step.

$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:<PASSWORD_OF_SECRET.KEY>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter ‘.’, the field will be left blank.
———

Country Name (2 letter code) [AU]:YOUR_COUNTRY_CODE
State or Province Name (full name) [Some-State]:YOUR_STATE
Locality Name (e.g., city) []:YOUR_CITY
Organization Name (e.g., company) [Internet Widgits Pty Ltd]:YOUR_COMPANY
Organizational Unit Name (e.g., section) []:YOUR_INDUSTRY_UNIT
Common Name (e.g. server FQDN or YOUR name) []:YOUR_DOMAIN
Email Address []:YOUR_EMAIL

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:<NEW_PASSWORD>
An optional company name []:

Let’s cook the Self-Signed SSL certificate

Now let’s create the sample certificate with 365 days validity.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=IN/ST=Tamil Nadu/L=Karur/O=Mallow/OU=IT/CN= *.mallow-tech.com/emailAddress=dev@mallow-tech.com
Getting Private key
Enter pass phrase for server.key:<PASSWORD_OF_SECRET.KEY>

Screen Shot 2015-12-08 at 1.01.23 PM

Screen Shot 2015-12-08 at 1.00.41 PM

In this post, we have seen in detail about the ways to create a self-signed SSL certificate. Having a secure connection is essential for a business to sustain and avoid any threats. Having a self-signed SSL certificate will help in achieving the feat.

Surender T,
ROR Team,
Mallow Technologies.

Leave a Reply

%d bloggers like this: