Occasionally it may be necessary to generate a self-signed SSL certificate. This could be for internal websites, or for other internal uses that may require secure encrypted network transmissions.
Generating a self-signed certificate is an easy task for an intermediate or senior admin, but we decided to post this guide anyway as a reference that will hopefully be useful to some of you out there 😉
1. Generate an SSL key without a passphrase, enter:
openssl genrsa -out /etc/httpd/ssl/mycorp.com.key 1024
2. Create a self-signed certificate, enter:
openssl req -new -key /etc/httpd/ssl/mycorp.com.key -x509 -out /etc/httpd/ssl/mycorpcom.crt -days 999
Sample output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:CA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycorp, LLC
Organizational Unit Name (eg, section) []:Sales
Common Name (eg, YOUR name) []:
Email Address []:you@mycorp.com
My Sample Apache httpd.conf virtual host file:
DocumentRoot "/var/www/html/ssl_doc_root/"
ServerAdmin you@mycorp.com
ServerName www.mycorp.com
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/ssl/mycorpcom.crt
SSLCertificateKeyFile /etc/httpd/ssl/mycorp.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
3. Restart httpd/Apache:
service httpd restart
That's it! Test the SSL certificate to make sure it loads and shows the expected values when you examine its properties.
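The two openssl steps above can be run non-interactively, and the check left to the reader in step 3 can be scripted. The script below is an added example, not part of the original post; it assumes openssl 1.1.1 or newer on PATH, uses a 2048-bit key (the smallest size current browsers accept) plus a subjectAltName, and the host name and output directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate the self-signed
# certificate non-interactively, then verify it the way step 3 suggests.
# Assumes openssl 1.1.1+ on PATH; host name and output dir are placeholders.
set -eu
HOST="${HOST:-www.mycorp.com}"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
KEY="$OUT_DIR/$HOST.key"
CRT="$OUT_DIR/$HOST.crt"
# Key and certificate in one step: RSA-2048 rather than the post's 1024-bit
# key, no passphrase (-nodes), and a subjectAltName, which is the field
# browsers actually match against the host name (the CN alone is ignored).
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$KEY" -out "$CRT" \
        -subj "/C=US/ST=CA/L=CA/O=mycorp, LLC/OU=Sales/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

# The public key in the cert must be the public half of the key file;
# a mismatch makes Apache refuse to start with SSLEngine On.
cert_matches_key() {
    [ "$(openssl x509 -in "$CRT" -noout -pubkey)" = \
      "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" ]
}

# Self-signed means issuer and subject are the same DN.
cert_is_self_signed() {
    [ "$(openssl x509 -in "$CRT" -noout -subject)" = \
      "$(openssl x509 -in "$CRT" -noout -issuer | sed 's/^issuer=/subject=/')" ]
}

# The values a browser's certificate viewer would show, extracted for checking.
cert_key_bits() {
    openssl x509 -in "$CRT" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
cert_san() {
    openssl x509 -in "$CRT" -noout -text | grep -A1 'Subject Alternative Name' |
        sed -n 's/.*DNS:\([^,]*\).*/\1/p'
}
main() {
    gen_selfsigned
    cert_matches_key
    cert_is_self_signed
    openssl x509 -in "$CRT" -noout -checkend 0 >/dev/null  # not yet expired
    echo "ok: $CRT  key=$(cert_key_bits) bit  SAN=$(cert_san)"
}
main "$@"
```

Point SSLCertificateFile and SSLCertificateKeyFile in the vhost above at the two files the script writes.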