Self-signed SSL Certificates

We can create self-signed SSL certificates for use in-house, when setting up Apache or a mailserver. We should always be using HTTPS and encrypted connections whenever we can. You know it makes sense. The majority of the time we can now use SSL certificates from Let’s Encrypt. They are free and once setup trouble free. Sometimes though we need a quick self-signed SSL certificates while testing. This post takes you though how to create self-signed SSL certificates with OpenSSL. It also shows how to create one with multiple alternate names or SANs. Read the SSL documentation, its on the internet :).

This post assumes we are generating the self-signed SSL certificates for web.dragon.lab, with alternative names of mail.dragon.lab and ldap.dragon.lab. These are all services running on the same machine and so it seems reasonable to use the same certificate.

Configuration File

To generate the self-signed SSL certificates we will be using the openssl command from Linux and a config file. The config file, for web.dragon.lab, can be downloaded from here. Just rename it to .conf and save it somewhere safe that you will remember. There are loads of comments in the file to point you in the right direction, but we will run through it any way.

Do not edit the original make a copy, in case you make a mistake :).

Subject Section

You will only need to edit the sections [ subject ] and [alternate_names ], leave the rest of the file alone unless you know what you are doing.

Here is the subject section. The first part is setting the defaults for the question which will be asked. You will most likely want to change the values for the options that end in _default. The key commonName_default will need changing to the full qualified domain name for the host, in this case web.dragon.lab. The last change is to emailAddress_default which is a slightly obfuscated email address.

[ subject ]
countryName                 = Country Name (2 letter code)
countryName_default         = GB
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Hampshire
localityName                = Locality Name (eg, city)
localityName_default        = Bordon
organizationName            = Organization Name (eg, company)
organizationName_default    = Dragons Can Fly

# Use a friendly name here because it is presented to the user. The server's DNS
# names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
# by both IETF and CA/Browser Forums. If you place a DNS name here, then you
# must include the DNS name in the SAN too (otherwise, Chrome and others that
# strictly follow the CA/Browser Baseline Requirements will fail).
commonName           = Common Name (e.g. server FQDN or YOUR name)
commonName_default   = web.dragon.lab
emailAddress         = Email Address
emailAddress_default = webmaster at dragon dot lab

Alternate Names Section

In this section we add the SANs that will be added to the self-signed SSL certificates. Just add them one domain per line. Do not include the hostname added as the commonName_default in the additional DNS lines.

[ alternate_names ]

DNS.1    = mail.dragon.lab
DNS.2    = ldap.dragon.lab
#DNS.3    = 
#DNS.4    = 

If you do nor have any alternative names comment ot the hole section including the header.

Generate the Certificate

To generate the self-signed SSL certificates use the following command line, change the name of the certificate (crt) and key file (key) as required. I tend to use the fully qualified domain name of the main host, the on in commonName_default.

openssl req -config self-signed_certificates.conf -new -x509 -sha256 -nodes
    -newkey rsa:4096 -keyout web.dragon.lab.key -days 365 -out web.dragon.lab.crt

Once the certificate has been generated you can view its contents with the following command line

openssl x509 -text -noout -in web.dragon.lab.crt

Using the Certificate

To allow us to use the self-signed SSL certificate, copy the crt and key parts /etc/ssl/private. Remember that the private key file, the one with .key. in it MUST be kept secret. Change the owner:group to root and force it to be readable only by root.

sudo -i
cp web.dragon.lab.* /etc/ssl/private/
chown root:root /etc/ssl/private/web.dragon.lab.*
chmod 600 /etc/ssl/private/web.dragon.lab.key
chmod 644 /etc/ssl/private/web.dragon.lab.crt

Leave a Reply

Your email address will not be published. Required fields are marked *