Making a self-signed TLS certificate

Revision as of 00:59, 11 April 2016 by Sam (talk | contribs) (→‎Securing Apache with created certificate: Small format changes)

Sending data over the internet unencrypted means anybody with the right tools can see this data. Making a certificate means that you can then encrypt the data. This means that the data is no longer readable to anybody that doesn't have your certificate. This guide will show you how to make a certificate authority, sign and make an SSL certificate ready to be used by your web server.

Due to the way the encryption landscape has changed on the internet, we will be creating a ECDSA certificate. EC stands for Elliptic Curve and uses prime number curves which allow smaller key sizes for the same amount or better protection than the larger traditional key sizes.

What you need to know

  • You will be making a self-signed certificate. This will make all browsers through up an error. This is OK and can usually be avoided in the future by using an exception.
  • To make it easier, it is suggested to make all the certificates in a dedicated folder somewhere that you have easy access to, for example in your home folder. This will avoid permission problems.
  • If your making a certificate without a password, the resulting certificate must be kept in a safe place. If this certificate is EVER disclosed, any data can be decrypted from the server and you must revoke the certificate. The newest versions of Apache only allow www and root users to read the key folder by default.
  • Many of the fields when making a certificate authority or server certificate are dated. The ones marked (OPTIONAL) don't have to be filled in.

Create an elliptic curve private key

  • Open a terminal window.
  • Type the following into the terminal:
 # openssl ecparam -genkey -name prime256v1 -out key.pem
  • NOTE: This is the private key that must be kept safe. If anyone gets hold of this, they will be able to decrypt your data.

Creating a Certificate Signing Request (CSR)

A certificate signing request combines the private key and some information to fill out the certificate with and makes a public key out of this information.

  • Type the following into the terminal:
 openssl req -new -key key.pem -out csr.pem

You will be presented with some options to fill out:

  • Type in a Country code when asked (GB for England).
  • Type in a State or Provence (or County in England) when asked. (OPTIONAL)
  • Type in a Locality (a town or city) when asked. (OPTIONAL)
  • Type in an Organisation name (or company name) when asked. If left blank, it will be filled with 'Internet Widgets Pty'. (OPTIONAL)
  • Type in an Organisation unit (or department within company) when asked. (OPTIONAL)
  • Type in a Common name when asked. This is is usually a FQDN, but can be what you usually how you access the page by (IP address, hostname, or FQDN)
  • Type in an e-mail address when asked. This is the e-mail address people will contact you on if there is a problem with the certificates. Make sure you type an address you would access often enough.
  • Type a challenge password (this will stop the private key being accessible, but is not required. If going for simplicity, don't type a password) (OPTIONAL)
  • Type an optional company name (this is an extra attribute and isn't required) (OPTIONAL)

Creating the certificate

With the private key and the certificate signing request we made earlier, we can now make the certificate.

  • Type the following into the terminal:
openssl req -x509 -days 365 -rand /dev/urandom -key key.pem -in csr.pem -out cert.pem

Securing Apache the with certificate created

See the following article:

Securing Apache with an SSL/TLS certificate

External Links

https://msol.io/blog/tech/create-a-self-signed-ecc-certificate/

Thanks for the information, your site helped us change over to ECDSA!