Self-signed SSL certificates

A self-signed certificate is generated locally on the server that will host the SSL-enabled web site. It is used when the site or server owner either does not intend to have the certificate signed by a CA, or only needs a certificate for testing a new SSL deployment.

This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted because it's not signed by any known trusted CA authority.

Ordinary web traffic travels unencrypted over the Internet, so anyone on the path can capture and read it. This is a serious problem wherever security and privacy matter, such as credit card data and bank transactions.

The Secure Sockets Layer (SSL) is used to encrypt the data stream between the web server and the web client (the browser).

SSL uses asymmetric cryptography, commonly referred to as public key cryptography; it is the foundation of a public key infrastructure (PKI). With public key cryptography, a pair of keys, one public and one private, is created.

Data encrypted with either key can only be decrypted with the other key of the pair. Because only the server holds the private key, this ensures that the data could only have come from the server.

Although SSL by itself encrypts all the data within the session, the CA's signature is what assures the web browser that it is talking to the right site, so that sensitive information which must not be publicly disclosed is transferred only to its intended recipient.

Because a self-signed certificate is not signed by a trusted third-party CA, relying on it can be a security hole, so self-signed certificates should only be used during the testing phase of an application.

Installation and implementation of self-signed certificate

Private key generation

The openssl toolkit is used to generate an RSA private key and a CSR (Certificate Signing Request). It can also be used to generate self-signed certificates for testing purposes or internal use.

The first step is to create your RSA private key. This key is a 1024 bit RSA key, encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text.

$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

CSR (Certificate Signing Request) Generation

With the private key generated, a Certificate Signing Request can be created. The CSR is then used in one of two ways: it is either sent to a CA for signing, or, as in this tutorial, signed with your own key to produce a self-signed certificate. During the generation of the CSR you will be prompted for the X.509 attributes of the certificate.

One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL.

If the website to be protected will be https://www.test.com, enter test.com at this prompt.

To generate the CSR, use the command below (on Unix/Linux systems):

$ openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [Country Code]:Company's HQ country
State or Province Name (full name) [Berkshire]:Company's HQ Province
Locality Name (eg, city) [Newbury]:Company's HQ City
Organization Name (eg, company) [My Company Ltd]:Company name
Organizational Unit Name (eg, section) []:Testing purposes
Common Name (eg, your name or your server's hostname) []:test.com
Email Address []:test@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Remove Passphrase from Key

The problem with a passphrase-protected private key is that Apache will ask for the passphrase every time the web server is started. Use the following commands to remove the passphrase from the key:

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

The newly written server.key file no longer contains a passphrase:

-rw-r--r-- 1 root root 755 Jan 19 14:49 server.csr
-rw-r--r-- 1 root root 894 Jan 19 14:42 server.key
-rw-r--r-- 1 root root 966 Jan 19 14:45 server.key.org

Generating a Self-Signed Certificate

A self-signed certificate can now be generated. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate with 365 days validity, issue the following command:

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
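The four steps above (key, CSR, passphrase removal, self-signing), run end to end as an added example that is not part of the original tutorial. It performs the same openssl steps non-interactively (the subject via -subj, the passphrase via -passout/-passin) and then runs the checks worth making before the files are copied into Apache: that the working key really is unencrypted, that the certificate is self-signed (issuer equals subject), that key and certificate share the same modulus, and that the certificate is rejected by a client with no trust anchor but accepted by one told to trust that exact file. It goes beyond the page in two places: the key is 2048 bits instead of 1024, and a subjectAltName is added because current browsers match the host name against it rather than the Common Name. The directory, host name, subject fields and passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): key -> CSR -> passphrase
# removal -> self-sign, run non-interactively, followed by the checks a
# practitioner makes on the result. Directory, host name, subject fields and
# passphrase are all constructed for this example.
set -eu

PASS='pass:example-passphrase'   # constructed; only so the steps run unattended

# Build server.key.org (encrypted), server.csr, server.key (decrypted) and
# server.crt in directory $1 for host name $2, valid for $3 days.
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    # 1. Encrypted RSA key. 2048 bits instead of the tutorial's 1024, which is
    #    too short for current use; -des3 is kept to match the page.
    openssl genrsa -des3 -passout "$PASS" -out "$dir/server.key.org" 2048 2>/dev/null
    # 2. CSR with the X.509 subject on the command line instead of at the
    #    prompts. CN must be the exact host name clients will connect to.
    openssl req -new -key "$dir/server.key.org" -passin "$PASS" \
        -subj "/C=XX/ST=Example/L=Example/O=Example Ltd/OU=Testing purposes/CN=$cn" \
        -out "$dir/server.csr"
    # 3. Strip the passphrase so the web server can start unattended.
    openssl rsa -in "$dir/server.key.org" -passin "$PASS" -out "$dir/server.key" 2>/dev/null
    # 4. Sign the CSR with its own key. Browsers match the host name against
    #    subjectAltName, so it is added alongside the CN via an extension file.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# "yes" if the PEM key file is passphrase-protected (encrypted), "no" otherwise.
key_is_encrypted() {
    grep -q ENCRYPTED "$1" && echo yes || echo no
}

# "yes" if issuer equals subject, the defining property of a self-signed certificate.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# "yes" if private key $1 belongs to certificate $2 (same RSA modulus). A
# mismatch here is why Apache refuses to start with a mixed-up key/cert pair.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus)
    c=$(openssl x509 -in "$2" -noout -modulus)
    [ "$k" = "$c" ] && echo yes || echo no
}

# "yes" if certificate $1 lists host $2 in its subjectAltName.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2" && echo yes || echo no
}

# "yes" if certificate $1 verifies. With $2 empty no trust anchors are supplied
# at all, which is the position of a browser that has never been told about
# this certificate: a self-signed certificate fails. Passing the certificate
# itself as $2 models a client that has been configured to trust exactly it.
verifies_with() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo yes || echo no
    else
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1 && echo yes || echo no
    fi
}

# Stand-alone usage: sh selfsigned.sh ./ssl-test www.test.com
if [ $# -eq 2 ]; then
    make_selfsigned "$1" "$2" 365
    echo "working key encrypted:       $(key_is_encrypted "$1/server.key")"
    echo "certificate is self-signed:  $(is_self_signed "$1/server.crt")"
    echo "key matches certificate:     $(key_matches_cert "$1/server.key" "$1/server.crt")"
    echo "SAN covers $2:               $(cert_covers_host "$1/server.crt" "$2")"
    echo "verifies with no trust file: $(verifies_with "$1/server.crt" "")"
    echo "verifies trusting itself:    $(verifies_with "$1/server.crt" "$1/server.crt")"
fi
```

The last two checks reproduce the browser behaviour described earlier: with no trust anchors the self-signed certificate is rejected, and it is accepted only by a client that has been explicitly told to trust that exact file, which is what clicking through the warning amounts to.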

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory.

The location of this directory differs depending on how Apache was compiled. Copy the certificate and the key into it:

$ cp server.crt /usr/local/apache/conf/ssl.crt
$ cp server.key /usr/local/apache/conf/ssl.key

Configuring SSL Enabled Virtual Hosts

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Restart Apache and Test

$ /etc/init.d/httpd restart

... and then access https://www.test.com from any web browser.