Main Menu (suckerfish)

Create Self-signed SSL Certifcate using OpenSSL for testing purposes in Debian/Ubuntu

Submitted by webmaster on Wed, 08/27/2008 - 08:22.


What is SSL?

Secure Sockets Layer is an application-level protocol which was developed by the Netscape Corporation for the purpose of transmitting sensitive information, such as Credit Card details, via the Internet. SSL works by using a private key to encrypt data transferred over the SSL-enabled connection, thus thwarting eavesdropping of the information. The most popular use of SSL is in conjunction with web browsing (using the HTTP protocol), but many network applications can benefit from using SSL. By convention, URLs that require an SSL connection start with https: instead of http:.

What is OpenSSL?

OpenSSL is a robust, commercial-grade implementation of SSL tools, and related general purpose library based upon SSLeay, developed by Eric A. Young and Tim J. Hudson. OpenSSL is available as an Open Source equivalent to commercial implementations of SSL via an Apache-style license.

How SSL Work?

The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process.

Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop all of that traffic. Obviously, this can lead to problems, especially where security and privacy is necessary, such as in credit card data and bank transactions. The Secure Socket Layer is used to encrypt the data stream between the web server and the web client (the browser).

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server.

If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary--the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.

Original article can be found here: http://slacksite.com/apache/certificate.php

How to generate self-signed certificate?

This tutorial assumes you already installed Debian/Ubuntu Linux and Apache2 web server in your server.

Self-signed Certificate can be used for testing purposes only and should not be used in a production site. Self-signed certificates are not automatically accepted by a user's browser. Therefore, users are prompted by the browser to accept the certificate and create the secure connection.

Install the ssl-cert package

apt-get install ssl-cert

Create a directory called ssl inside your /etc/apache2/ directory.

mkdir /etc/apache2/ssl

Use this command to generate self-signed certificate

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

You can name the certificate whatever you like - I have chosen the name "apache.pem".
A simple ncurses dialogue will open asking various questions:

ssl certificate

Country:

ssl certificate

State or Province:

ssl certificate

Locality:

ssl certificate

Organisation Name:

ssl certificate

Organisational Unit Name:

ssl certificate

Host Name:

ssl certificate

and Email Address:
Now, lets enable the mod_ssl module

a2enmod ssl

(For Debian only) Type this command:

echo "Listen 443" >> /etc/apache2/ports.conf

to tell Apache to accept SSL connections.
Ubuntu Hardy automatically generates the "Listen 443" in /etc/apache2/ports.conf once you enable the mod_ssl.

  1. Listen 80
  2.  
  3. <IfModule mod_ssl.c>
  4.     Listen 443
  5. </IfModule>

Sample of /etc/apache2/ports.conf in Ubuntu Hardy with mod_ssl enabled.

Configuring your SSL Host

We are almost finished, the final step we need to do is to ensure that your virtual host, will accept SSL options. Just copy your default virtual host configuration and specify a different name. I used the name "secure" here.

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/secure

Edit the file

vi /etc/apache2/sites-available/secure

basically, you only need to add these couple lines in your configuration.

  1. SSLEngine On
  2. SSLCertificateFile /etc/apache2/ssl/apache.pem

The secure host configuration will look like this:
  1. NameVirtualHost *:443
  2. <VirtualHost *:443>
  3.         ServerAdmin webmaster@localhost
  4.         DocumentRoot /var/www/
  5.         SSLEngine On
  6.         SSLCertificateFile /etc/apache2/ssl/apache.pem
  7.         <Directory />
  8.                 Options FollowSymLinks
  9.                 AllowOverride None
  10.         </Directory>
  11.         <Directory /var/www/>
  12.                 Options Indexes FollowSymLinks MultiViews
  13.                 AllowOverride None
  14.                 Order allow,deny
  15.                 allow from all
  16.         </Directory>
  17.         ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  18.         <Directory "/usr/lib/cgi-bin">
  19.                 AllowOverride None
  20.                 Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  21.                 Order allow,deny
  22.                 Allow from all
  23.         </Directory>

Now edit your /etc/apache2/sites-enabled/000-default file and change these lines:
  1.    NameVirtualHost *
  2.     <VirtualHost *>

to
  1.    NameVirtualHost *:80
  2.     <VirtualHost *:80>

Finally, enable your secure host and restart your apache server...

a2ensite secure
/etc/init.d/apache2 restart

Done...
Sources:
https://help.ubuntu.com/community/OpenSSL
http://slacksite.com/apache/certificate.php
http://linuxadministration.us/2008/01/08/debianubuntu-apache2-php5-mysql...


Bookmark/Search this post with:
Your rating: None Average: 4.5 (2 votes)
Goofball's picture

:)

Submitted by Goofball (not verified) on Thu, 11/06/2008 - 23:39.

Of course, in Michigan, they just decriminalized possession of personal use ssl certs. As long as you have less than 2.5 ounces of them and your id card, you will be fine.
;)

Dmitri's picture

Excellent demystification

Submitted by Dmitri (not verified) on Thu, 10/23/2008 - 22:34.

This is a great little article, it quickly and effectively demystifies the process of creating a self-signed SSL site for personal use.

Very nice!

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
  • You may quote other posts using [quote] tags.

More information about formatting options