Making a self-signed TLS certificate: Difference between revisions

Line 5:

SSL is now deprecated and disabled on most modern browsers and servers. There are lists of vulnerability in everything but the latest TLS versions. Recommended versions are TLS v1.2 (now widely supported) and TLS v1.3 (Newer and more secure, support is gaining way. Supported on =>[[openSUSE Leap 15.2]]). We refer to SSL as TLS as this protocol replaced SSL and is supported by most browsers and is now what is used by default.

== What you need to know ==

We used to use self-signed certificates on the server as it was not cost effective to buy an TLS certificate each year on the server. [https://letsencrypt.org/ Let's Encrypt] allow us to make fully trusted certificates for our domain using a small script program called [https://github.com/acmesh-official/acme.sh <code>acme.sh</code>] which we now use as it more than fulfils our needs. We use <code>acme.sh</code> as it allows us to create ECC certificates which Let's Encrypt <code>certbot</code> would not allow us to do. A limitation is that certificates only last 3 months, but this is for security.

== Creating a signed certificate with Let's Encrypt and <code>acme.sh</code> ==

TBD

== Creating a self-signed certificate ==

=== What you need to know ===

* You will be making a self-signed certificate. All browsers through up an error. This is OK and can usually be avoided in the future by using an exception.

Line 12:

Line 20:

* Many of the fields when making a certificate authority or server certificate are dated. The ones marked '''(OPTIONAL)''' don't have to be filled in.

== Create an elliptic curve private key ==

=== Create an elliptic curve private key ===

* Open a terminal window.

Line 21:

Line 29:

* '''NOTE:''' This is the private key that must be kept safe. If anyone gets hold of this, they will be able to decrypt your data.

== Creating a Certificate Signing Request (CSR) ==

=== Creating a Certificate Signing Request (CSR) ===

A certificate signing request combines the private key and some information to fill out the certificate with and makes a public key out of this information. Type the following into the terminal:

Line 40:

Line 48:

As a side note, a challenge password can be used while the certificate is in storage and stripped off when used for the server for security.

== Creating the certificate ==

=== Creating the certificate ===

With the private key and the certificate signing request we made earlier, we can now make the certificate. Type the following into the terminal:

Line 50:

Line 58:

* No more than a year (365 years) validity is recommended as browsers are starting to not accept any certificates issued recently that have more than a year validity. This does not affect older certificates already issued.

== Securing Apache the with certificate created ==

=== Securing Apache the with certificate created ===

See the following article:

@@ Line 5: / Line 5: @@
 SSL is now deprecated and disabled on most modern browsers and servers. There are lists of vulnerability in everything but the latest TLS versions. Recommended versions are TLS v1.2 (now widely supported) and TLS v1.3 (Newer and more secure, support is gaining way. Supported on =>[[openSUSE Leap 15.2]]). We refer to SSL as TLS as this protocol replaced SSL and is supported by most browsers and is now what is used by default.
-== What you need to know ==
+We used to use self-signed certificates on the server as it was not cost effective to buy an TLS certificate each year on the server. [https://letsencrypt.org/ Let's Encrypt] allow us to make fully trusted certificates for our domain using a small script program called [https://github.com/acmesh-official/acme.sh <code>acme.sh</code>] which we now use as it more than fulfils our needs. We use <code>acme.sh</code> as it allows us to create ECC certificates which Let's Encrypt <code>certbot</code> would not allow us to do. A limitation is that certificates only last 3 months, but this is for security.
+== Creating a signed certificate with Let's Encrypt and <code>acme.sh</code> ==
+TBD
+== Creating a self-signed certificate ==
+=== What you need to know ===
 * You will be making a self-signed certificate. All browsers through up an error. This is OK and can usually be avoided in the future by using an exception.
@@ Line 12: / Line 20: @@
 * Many of the fields when making a certificate authority or server certificate are dated. The ones marked '''(OPTIONAL)''' don't have to be filled in.
-== Create an elliptic curve private key ==
+=== Create an elliptic curve private key ===
 * Open a terminal window.
@@ Line 21: / Line 29: @@
 * '''NOTE:''' This is the private key that must be kept safe. If anyone gets hold of this, they will be able to decrypt your data.
-== Creating a Certificate Signing Request (CSR) ==
+=== Creating a Certificate Signing Request (CSR) ===
 A certificate signing request combines the private key and some information to fill out the certificate with and makes a public key out of this information. Type the following into the terminal:
@@ Line 40: / Line 48: @@
 As a side note, a challenge password can be used while the certificate is in storage and stripped off when used for the server for security.
-== Creating the certificate ==
+=== Creating the certificate ===
 With the private key and the certificate signing request we made earlier, we can now make the certificate. Type the following into the terminal:
@@ Line 50: / Line 58: @@
 * No more than a year (365 years) validity is recommended as browsers are starting to not accept any certificates issued recently that have more than a year validity. This does not affect older certificates already issued.
-== Securing Apache the with certificate created ==
+=== Securing Apache the with certificate created ===
 See the following article: