Here’s a quick tip on creating self-signed SSL certificates on Ubuntu 17.04 | 17.10. Self-signed certs are those that are primarily used in test environments or within a company’s infrastructure.
Self-signed certificates are created and validated by their creator. No third party is involved to independently validate that the certificates can be trusted. This is what distinguishes them from public certificates, which are trusted and validated by an independent entity.
So, with a public certificate, the creator of the certificate is not the one who validates it. With a self-signed certificate the creator does both, and that’s why they’re called self-signed certificates.
This brief tutorial is going to show students and new users how to create these certificates on Ubuntu systems.
To create a self-signed certificate on Ubuntu systems, follow the steps below.
Step 1: Create an RSA Private Key
When creating a self-signed certificate, you must first create a private key. This key should stay private: store it on the server and do not share it. The private key is then used to create a public certificate that you can share.
To create a private key, run the commands below:
sudo bash
cd /etc/ssl/private
openssl genrsa -aes128 -out server.key 2048
When creating a private key, you will be prompted to create and confirm a password or passphrase. However, it’s best to create a key without a passphrase. An unencrypted key is protected only by its file permissions, which are set at the end of Step 3. To remove the passphrase from the key you just created, run the commands below.
openssl rsa -in server.key -out server.key
Step 2: Create a Certificate Signing Request
After creating the private key, run the commands below to create a certificate signing request (CSR) using the server private key. The CSR carries the details of the entity and the resource that you want incorporated into the certificate.
To create a CSR, run the commands below:
openssl req -new -days 365 -key server.key -out server.csr
When you run the above commands, you should be prompted with the questions below; the answers are incorporated into the certificate. Answer the highlighted lines as shown below.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) :Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Business
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :mybusiness.com
Email Address :

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password : LEAVE BLANK
An optional company name :
When you’re done with the steps above, continue below to create a public SSL certificate.
Step 3: Create a Self-Signed Certificate
Now that the private key and CSR are created, run the commands below to create a self-signed SSL certificate called server.crt that will be valid for 365 days.
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
Next, run the commands below to protect the key and certificate files.
chmod 400 server.*
To use the certificate, you’ll need to reference both the server key and the public certificate in the configuration file of your application.
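Before pointing an application at the files, it is worth confirming that the key, CSR and certificate from Steps 1 to 3 belong together and that the certificate really is self-signed. The script below is an added example, not part of the original tutorial; the function names and the subject used in make_sample are constructed for illustration, and it assumes GNU stat and an unencrypted key as left by Step 1.

```shell
#!/bin/sh
# Added example: consistency checks for the files produced in Steps 1-3.

# pubkey_of KIND FILE: print the PEM public key held in a key, CSR or cert.
pubkey_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# check_selfsigned KEY CSR CRT: print "ok" or the first problem found.
check_selfsigned() {
    key=$1 csr=$2 crt=$3
    k=$(pubkey_of key "$key")
    [ -n "$k" ] || { echo "cannot read key"; return 1; }
    [ "$k" = "$(pubkey_of csr "$csr")" ] || { echo "CSR does not match key"; return 1; }
    [ "$k" = "$(pubkey_of crt "$crt")" ] || { echo "certificate does not match key"; return 1; }
    # Self-signed means issuer == subject and the signature verifies under its own key.
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ] || { echo "issuer differs from subject"; return 1; }
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
        { echo "signature does not verify"; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 1; }
    # The unencrypted key must not be readable by group or others (GNU stat).
    case "$(stat -c %a "$key")" in
        ?00) ;;
        *) echo "key readable by group/other"; return 1 ;;
    esac
    echo "ok"
}

# make_sample DIR: constructed test input; runs Steps 1-3 non-interactively.
# Assumptions: no passphrase, and a constructed subject given via -subj.
make_sample() {
    ( cd "$1" &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -key server.key -out server.csr \
          -subj "/C=US/ST=New York/L=Brooklyn/O=My Business/CN=mybusiness.com" &&
      openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365 &&
      chmod 400 server.* ) >/dev/null 2>&1
}

# Usage: sh check.sh server.key server.csr server.crt
if [ "$#" -eq 3 ]; then check_selfsigned "$@"; fi
```

Run it from /etc/ssl/private with the three file names as arguments; it prints ok only when every check passes.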