8.5. Creating a Self-Signed SSL Certificate

Problem

You need to create a secure web site, but don't want—or need—to pay for an SSL certificate generated by a third party.

Solution

Generate your own self-signed certificate and install it on your web server:

  1. Create a certificate authority key:

    	openssl genrsa -des3 -out ca.key 1024
  2. Create a self-signed certificate authority certificate:

    	openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  3. Generate two private web server keys:

    	openssl genrsa -des3 -out webserver.key 1024
    	openssl rsa -in webserver.key -out webserver.nopassword.key
  4. Generate a certificate request:

    	openssl req -new -key webserver.key -out webserver.csr
  5. Sign the certificate request:

    	openssl x509 -req -days 365 -in webserver.csr \
    	             -CA ca.crt -CAkey ca.key \
    	             -set_serial 01 -out webserver.crt
  6. Create an SSL configuration file.

  7. Enable SSL on the web server.
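
Steps 1 through 5 as a non-interactive script, followed by a check that the issued certificate chains to ca.crt and matches webserver.key. This is an added example, not code from the book. Assumptions: 2048-bit keys in place of the 1024 above, no -des3 passphrase so nothing prompts, an added subjectAltName extension, and the constructed names "Example Test CA" and www.example.test.

```shell
#!/bin/sh
# Added example. Names, key size and host are assumptions, not from the book.

make_ca() {  # $1 = output directory
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$1/ca.key" \
        -subj "/CN=Example Test CA" -out "$1/ca.crt"
}

make_server_cert() {  # $1 = directory, $2 = host name
    openssl genrsa -out "$1/webserver.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/webserver.key" -subj "/CN=$2" \
        -out "$1/webserver.csr" &&
    # Extension file so the certificate carries the host name as a SAN.
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext" &&
    openssl x509 -req -days 365 -in "$1/webserver.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -set_serial 01 \
        -extfile "$1/san.ext" -out "$1/webserver.crt" 2>/dev/null
}

# Succeeds only if the certificate chains to the CA and matches the key.
check_cert() {  # $1 = directory
    openssl verify -CAfile "$1/ca.crt" "$1/webserver.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1/webserver.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/webserver.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

demo() {  # run everything in a throwaway directory
    dir=$(mktemp -d) || return 1
    make_ca "$dir" && make_server_cert "$dir" www.example.test && check_cert "$dir"
    status=$?
    rm -rf "$dir"
    return $status
}

demo && echo "webserver.crt chains to ca.crt and matches webserver.key"
```

Running check_cert against the files before installing them catches the common mistake of pairing a certificate with the wrong key file.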

Discussion

An SSL certificate is a must-have for any online enterprise that asks its visitors to submit confidential information, such as credit card or Social Security numbers, through forms on its web site. When combined with an SSL-enabled web server, a certificate signed by a third-party certificate authority assures visitors that the personal information they are sharing will be sent to the company or organization operating the web site over an encrypted connection.

But SSL certificates are not cheap, and they must be renewed every year or two. The cost may seem high for what typically amounts to just ...
