How To Create a Self-Signed SSL Certificate

By , About.com Guide

If you need to test an HTTPS connection but don't want to pay a Certificate Authority (CA) to sign your certificate, you can sign it yourself. Web browsers will report self-signed certificates as suspicious, so don't use them when you need a real certificate.

Difficulty: Hard
Time Required: 30 minutes

Here's How:

  1. Su to root and create a directory that only the root account has access to.
    su -
    mkdir certificates
    chmod 700 certificates
    cd certificates
  2. Use openssl to generate a server key.
    openssl genrsa -des3 -out server.key 4096
  3. OpenSSL will request a pass phrase. Type in a sentence that is long and complex but that you can remember (you'll have to type it at least twice). Try to make it at least 40 characters long, with punctuation and capital and lowercase letters. The more different characters you use, the better.
  4. Then create the certificate signing request with the server key you created in step 2.
    openssl req -new -key server.key -out server.csr
  5. Sign the certificate yourself, using openssl and the server key.
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    You can make your certificate valid for any number of days, but I recommend 365 so that you remember to update it once a year.
  6. Once you're done, you'll have the following files:
    • server.crt: The self-signed server certificate
    • server.csr: Server certificate signing request
    • server.key: The private server key, does not require a password when starting Apache
  7. Place those files where they are required for your Web server, and turn on HTTPS. (If you don't know how, contact your server administrator.)
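
The following script is an added example, not part of the original article. It checks the files listed in step 6 before they are deployed: that server.crt carries the public key of server.key, that it is self-signed, how long it stays valid, and how the key file is stored. The function names are hypothetical; the commands are standard openssl subcommands.

```shell
#!/bin/sh
# Added example: sanity checks for the server.key / server.crt pair.
# Function names are hypothetical; only standard openssl subcommands are used.

# Succeeds if the PEM key is passphrase-protected (what `genrsa -des3` writes).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Succeeds if the key file grants nothing to group or other (mode 600 or 400).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if the certificate carries the public half of this private key.
# openssl prompts for the pass phrase if the key is encrypted.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if issuer equals subject and the signature verifies
# with the certificate's own public key.
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeeds if the certificate is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run every check and print one line per result.
check_pair() {   # usage: check_pair server.crt server.key
    key_is_private "$2" && echo "ok: key permissions" || echo "WARN: key readable by group/other"
    key_is_encrypted "$2" && echo "note: key is passphrase-protected" || echo "note: key is stored unencrypted"
    cert_matches_key "$1" "$2" && echo "ok: certificate matches key" || echo "FAIL: certificate and key differ"
    cert_is_self_signed "$1" && echo "ok: self-signed" || echo "note: not self-signed"
    cert_valid_for_days "$1" 30 && echo "ok: valid for 30+ days" || echo "WARN: expires within 30 days"
}
```

Run `check_pair server.crt server.key` from the certificates directory; a passphrase-protected key makes openssl ask for the pass phrase during the match check.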

©2012 About.com. All rights reserved.

A part of The New York Times Company.