Self-signed certificates are mostly used internally within labs or business environments… and not used externally for commercial use… as they’re not from trusted third-party certificate authorities… Only trusted certificate authorities (CA) can issue SSL/TLS certificates for commercial in the public domains…
If you install a self-signed certificate on a public website or entity, your web browser will prompt you that the resource can’t be trusted.. be the certificate installed isn’t from a trusted third-party… That’s why it’s mostly use internally for testing purposes..
This brief tutorial is going to show students and new users how to create self-signed certificates on Ubuntu systems to use internally or within a lab environment for test purposes…
To create a self-signed certificate on Ubuntu systems, follow the steps below
Step 1: Create a RSA Private Key
When creating a self-signed certificates, you must first create a server private key… This key should stay private and stored on the server and not shared externally… The private key is used to then create a public certificate that you can share with others…
To create a private key, run the commands below
openssl genrsa -aes128 -out server.key 2048
When creating a server private key, you will be prompted to create and confirm and password or passphrase. However, it’s best to create a key without a passphrase. To remove the passphrase from the key you just created, run the commands below.
Generating RSA private key, 2048 bit long modulus ....+++ ...................+++ e is 65537 (0x010001) Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key:
Run the commands below to remove the passphrass you entered above… It’s best not to keep the passphrase on the server key…
openssl rsa -in server.key -out server.key
When you’re done, you will have created a private key for the server called server.key.
Step 2: Create a Certificate Signing Request (CRS)
After creating the private key, run the commands below to create a certificate signing request using the server private key. Certificate signing request or CSR is used to provide some details of the entity and the resource you want to incorporate into the request…
To create a CSR request for the domain example.com, run the commands below
openssl req -new -days 365 -key server.key -out example.com.csr
When you run the above commands, you should be prompted with the questions below to incorporate into the certificate. Answer the highlighted lines as shown below.
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New York Locality Name (eg, city) :Brooklyn Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Business Organizational Unit Name (eg, section) :Website Common Name (e.g. server FQDN or YOUR name) :example.com Email Address : Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : LEAVE BLANK An optional company name :
After that, a new certificate request file called example.com.csr should be created with the incorporated deatils above… This file can be used to genenerate SSL/TLS certificate for the domain example.com…
Step 3: Create a Self-Signed Certificate
Now that the Private key and CSR are create, run the commands below to create a self-signed SSL certificate called example.com.crt that will be valid for 365 days…
openssl x509 -in example.com.csr -out example.com.crt -req -signkey server.key -days 365
You should then see the texts below:
Signature ok subject=C = US, ST = New York, L = Brooklyn, O = My Business, OU = IT, CN = example.com, emailAddress = [email protected] Getting Private key
That’s it! you have just created a self-signed certificate called example.com.crt…
In fact, you can send the CSR file called example.com.csr to a trusted certificate authority to generate a trusted certificate for your externally used resources….
You may also like the post below: