How to Create Self-Signed SSL Certificates (Part 2)

In the first part of this series I showed how to create a Root Certificate that you can use to sign your own certificates and deploy to your users to allow you to quickly and cheaply secure internal websites or applications that use SSL without having to pay for the often costly commercial SSL certificates.

In this part I will show how to generate a Certificate Signing Request and then use your new Root Certificate to create a Self-Signed SSL certificate that you can then install into your webserver.

Once again I will be using Cygwin and OpenSSL to generate the certificates so if you haven’t already got it installed check out my Cygwin Install Guide.

Now that we have successfully created a new Root Certificate we can start using this to sign our own certificates (if you don’t yet have a Root Certificate make sure you go back and read the instructions in Part 1 of this series).

The first step we need to take is to create a Private Key that will be used during the certificate signing process and again when we install the SSL certificate for use in a website or application.

Open a Cygwin shell prompt and run the following command:

openssl genrsa -des3 -out server.key.secure 4096

Now that we have a Private Key we can use this to generate the Certificate Signing Request, this would normally be the file that we would send to Certificate Authority to generate our Certificate however as we are our own CA here we will fulfil our own request.

openssl req -new -key server.key.secure -out server.csr

This will ask for the password for your private key that you set earlier as well as various details, when asked for the Common Name (CN), enter the domain name that the SSL certificate will be used for (you can also enter the IP address of the server instead).

Now we have a CSR we can use the Root Certificate that we created in Part 1 of this series to generate a signed SSL certificate.

openssl ca -in /etc/ssl/certs/server.csr

This will ask you to confirm the passphrase for the Root Certificate (not the Private Key we setup earlier), and, if successful will as you whether you want to sign the certificate and the if you want to commit the certificate to the database, say yes to both and you should be able to find a new file in the newcerts folder inside /etc /ssl.

This file will probably be called 01.pem (or a different number), and this is your SSL Certificate.

There is one more thing we need to do before it can be deployed, if we tried to use this with the Private key we created earlier and installed them into a webserver such as Apache, each time Apache started we would be asked to confirm our Private key passphrase, obviously this is not an ideal situation as it could easily leave you with a webserver that is sat waiting for your input or if you tried to work around it by putting your passphrase into a config file so Apache uses it automatically, a very insecure server.

The solution here is to take your Private key and create an insecure version of it, this will allow Apache (or any other webserver), to load your SSL certificate without needing the passphrase. The downside to this is that anyone who gets a copy of your insecure key can use it to impersonate your SSL certificate therefore it is very important to secure the folder that it is stored in!

To generate the insecure version of your Private Key run the following command:

openssl rsa -in server.key.secure -out server.key.insecure

In the final part of this series I will explain how to take the new certificates and deploy them to both Apache and IIS and show you how to distribute the Root certificate to your users so that they dont receive any warnings about insecure certificates.