Create SSL / TLS Self-Signed Certificates on Ubuntu 16.04 | 18.04 | 18.10

Self-signed certificates are mostly used internally within labs or business environments… and not used externally for commercial use… as they’re not from trusted third-party certificate authorities… Only trusted certificate authorities (CA) can issue SSL/TLS certificates for commercial in the public domains…

If you install a self-signed certificate on a public website or entity, your web browser will prompt you that the resource can’t be trusted.. be the certificate installed isn’t from a trusted third-party… That’s why it’s mostly use internally for testing purposes..

This brief tutorial is going to show students and new users how to create self-signed certificates on Ubuntu systems to use internally or within a lab environment for test purposes…

To create a self-signed certificate on Ubuntu systems, follow the steps below

Step 1: Create a RSA Private Key

When creating a self-signed certificates, you must first create a server¬†private key… This key should stay private and stored on the server and not shared externally… The private key is used to then create a public certificate that you can share with others…

To create a private key, run the commands below

openssl genrsa -aes128 -out server.key 2048

When creating a server private key, you will be prompted to create and confirm and password or passphrase. However, it’s best to create a key without a passphrase. To remove the passphrase from the key you just created, run the commands below.

Generating RSA private key, 2048 bit long modulus
....+++
...................+++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Run the commands below to remove the passphrass you entered above… It’s best not to keep the passphrase on the server key…

openssl rsa -in server.key -out server.key

When you’re done, you will have created a private key for the server called server.key.

Step 2: Create a Certificate Signing Request (CRS)

After creating the private key, run the commands below to create a certificate signing request using the server private key. Certificate signing request or CSR is used to provide some details of the entity and the resource you want to incorporate into the request…

To create a CSR request for the domain example.com, run the commands below

openssl req -new -days 365 -key server.key -out example.com.csr

When you run the above commands, you should be prompted with the questions below to incorporate into the certificate. Answer the highlighted lines as shown below.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Business
Organizational Unit Name (eg, section) []:Website
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: LEAVE BLANK
An optional company name []:

After that, a new certificate request file called example.com.csr should be created with the incorporated deatils above… This file can be used to genenerate SSL/TLS certificate for the domain example.com

Step 3: Create a Self-Signed Certificate

Now that the Private key and CSR are create, run the commands below to create a self-signed SSL certificate called example.com.crt that will be valid for 365 days…

openssl x509 -in example.com.csr -out example.com.crt -req -signkey server.key -days 365

You should then see the texts below:

Signature ok
subject=C = US, ST = New York, L = Brooklyn, O = My Business, OU = IT, CN = example.com, emailAddress = admin@example.com
Getting Private key

That’s it! you have just created a self-signed certificate called example.com.crt…

In fact, you can send the CSR file called example.com.csr to a trusted certificate authority to generate a trusted certificate for your externally used resources….

Enjoy!

You may also like the post below:

Install BackBee CMS on Ubuntu 16.04 / 18.04 / 18.10 with Apache2, MariaDB and PHP 7.2

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.