Self-signed HTTPS (SSL/TLS) certificate


Apache SSL

Using OpenSSL to create a self-signed certificate

  1. Edit /etc/ssl/openssl.cnf
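    [ CA_default ]
     # Absolute path so that `openssl ca` works from any working directory.
     # The stock value (./demoCA) is resolved relative to the cwd, which breaks
     # silently when later steps are run from /etc/ssl/demoCA instead of /etc/ssl.
     dir             = /etc/ssl/demoCA
     certs           = $dir/certs            # issued certificates
     crl_dir         = $dir/crl
     database        = $dir/index.txt        # CA database (created empty in the next step)
     #unique_subject = no
     new_certs_dir   = $dir/newcerts

     certificate     = $dir/cacert.pem       # the CA certificate
     serial          = $dir/serial
     crlnumber       = $dir/crlnumber

     crl             = $dir/crl.pem
     private_key     = $dir/private/cakey.pem  # CA private key; keep it passphrase-protected
     RANDFILE        = $dir/private/.rand

     x509_extensions = usr_cert              # extensions added to certificates issued by `openssl ca`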
  1. Create directories.
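        # Directory layout expected by the [ CA_default ] section of openssl.cnf.
        mkdir -p /etc/ssl/demoCA
        cd /etc/ssl/demoCA
        mkdir -p newcerts certs crl private
        # The CA and server private keys live in private/; make it root-only
        # instead of leaving it at the default umask.
        chmod 0700 private
        # Empty CA database plus the CRL file that httpd-ssl.conf points at.
        # NOTE(review): an empty file is not a valid CRL; if httpd refuses to load
        # it, produce a real (empty) CRL with `openssl ca -gencrl` first — confirm.
        touch index.txt crl/ca.crl
        # Serial number and CRL number both start at 01 (hex).
        echo 01 > serial
        echo 01 > crlnumber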
  1. Becoming a Certification Authority (CA)
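        cd /etc/ssl
        # CA private key: 4096-bit RSA, encrypted under a passphrase.
        # AES-256 replaces the legacy 3DES (-des3) PEM encryption.
        openssl genrsa -aes256 -out demoCA/private/cakey.pem 4096
        # Self-signed CA certificate valid for 10 years; `req` prompts for the CA subject.
        openssl req -new -x509 -days 3650 -key demoCA/private/cakey.pem -out demoCA/cacert.pem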
  1. Create the server key and certificate signing request (CSR)
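        # Server private key (2048-bit RSA), passphrase-protected with AES-256 instead of
        # legacy 3DES; the passphrase is stripped again in the "Remove pass-phrase" step.
        openssl genrsa -aes256 -out demoCA/private/server.key 2048
        # Certificate signing request; enter the server's hostname as the CN.
        # -days is ignored by `req` without -x509 — the validity period is set by
        # `openssl ca` when the CSR is signed, so it is not passed here.
        # NOTE(review): modern clients require a subjectAltName; consider adding
        # -addext "subjectAltName=DNS:<hostname>" (OpenSSL >= 1.1.1) — confirm your version.
        openssl req -new -key demoCA/private/server.key -out demoCA/private/server.csr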
  1. Sign the CSR with our CA certificate
        # Issue the server certificate from the CSR with the CA configured in openssl.cnf.
        # Run from /etc/ssl so that `dir = ./demoCA` resolves; valid for 10 years.
        openssl ca -days 3650 \
          -in demoCA/private/server.csr \
          -out demoCA/certs/server.crt
  1. Set up httpd. Edit httpd.conf and uncomment the following lines:
    # Shared-memory cache provider; the TLS session cache in httpd-ssl.conf
    # presumably relies on it — confirm against that file
    LoadModule socache_shmcb_module lib64/httpd/modules/mod_socache_shmcb.so
    # TLS support
    LoadModule ssl_module lib64/httpd/modules/mod_ssl.so
    # Pull in the TLS virtual host configured in the next step
    Include /etc/httpd/extra/httpd-ssl.conf
  1. Edit extra/httpd-ssl.conf
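    # Server certificate and its (passphrase-less, see later step) private key
    SSLCertificateFile /etc/ssl/demoCA/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/demoCA/private/server.key
    # Chain sent to clients: the issuing CA certificate, not the server certificate itself.
    # NOTE(review): newer httpd 2.4 releases deprecate this directive in favour of appending
    # the chain to SSLCertificateFile — confirm for your version.
    SSLCertificateChainFile /etc/ssl/demoCA/cacert.pem
    # CA trust store used for client-certificate verification.
    # NOTE(review): a *Path directory needs hash-named entries (openssl rehash) — confirm.
    SSLCACertificatePath /etc/ssl/demoCA/certs
    SSLCACertificateFile /etc/ssl/demoCA/cacert.pem
    # CRL locations; the file is empty until the revocation step writes a real CRL
    SSLCARevocationPath /etc/ssl/demoCA/crl
    SSLCARevocationFile /etc/ssl/demoCA/crl/ca.crl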
  1. Remove the pass-phrase (so httpd does not prompt for it on startup)
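        cd /etc/ssl/demoCA
        # Keep the encrypted original and write the decrypted copy under a restrictive
        # umask, so the plaintext key is never world-readable even for an instant.
        # (Subshell: the umask change must not leak into the interactive shell.)
        mv private/server.key private/server.key.org
        ( umask 077 && openssl rsa -in private/server.key.org -out private/server.key )
        # The unencrypted key must stay readable by root only.
        chmod 0400 private/*.key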
  1. Verify that the private key matches its certificate
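        # Compare the RSA modulus in the certificate with the one in the private key
        # (run from /etc/ssl/demoCA). An explicit comparison replaces eyeballing two
        # md5 sums, and an empty modulus (openssl failed) is reported rather than matched.
        cert_mod=$(openssl x509 -noout -modulus -in certs/server.crt)
        key_mod=$(openssl rsa -noout -modulus -in private/server.key)
        if [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]; then
          echo "server.key matches server.crt"
        else
          echo "MISMATCH: server.key does not match server.crt" >&2
        fi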
  1. Certificate revocation. This is only needed if your server certificate is compromised (e.g. someone hacked your server and stole your server.key).
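        # Run from /etc/ssl so that openssl.cnf's `dir = ./demoCA` resolves, exactly as
        # when the certificate was signed.
        cd /etc/ssl
        # 1. Mark the server certificate as revoked in the CA database (index.txt).
        #    The CA key is demoCA/private/cakey.pem and the CA certificate is
        #    demoCA/cacert.pem — the paths created earlier; private/ca.key and
        #    certs/cacert.pem do not exist in this layout.
        openssl ca -revoke demoCA/certs/server.crt \
          -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem
        # 2. Generate the CRL only after revoking, so that it actually lists the
        #    revoked certificate; write it where httpd-ssl.conf expects it.
        openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem \
          -out demoCA/crl/ca.crl
        # Afterwards: issue a fresh server key and certificate (earlier steps), install
        # them, and reload httpd so it picks up the new certificate and CRL.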