If you need to test an https connection but don't want to pay for the Certifiate Authority (CA) to sign your certificate, you can sign it yourself. Browsers will report self-signed certificates as suspicious, so don't use them when you need a real certificate.
Difficulty: Hard
Time Required: 30 minutes
Here's How:
- Su to root and create a directory that only the root account has access to.
su -
mkdir certificates
chmod 700 certificates
cd certificates - Use openssl to generate a server key
openssl genrsa -des3 -out server.key 4096
- Openssl will request a pass phrase. Type in a sentence that is long and complex but that you can remember (you'll have to type it at least twice). This will help generate the encryption.
- Then create the certificate signing request with the server key you created in step 2.
openssl req -new -key server.key -out server.csr
- Sign your certificate using SSL.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
You can set your certificate for any number of days, but I recommend 365 so that you remember to update it once a year. - Once you're done, you'll have the following files:
- server.crt: The self-signed server certificate
- server.csr: Server certificate signing request
- server.key: The private server key, does not require a password when starting Apache
- Place those files where they are required for your Web server, and turn on HTTPS. (If you don't know how, contact your server administrator.)
What You Need:
