Create self-signed SSL certificate for Virtual Host

By | 2011/09/24

In Debian or Ubuntu, it is easy to generate a self-signed certificate for your virtual host. Here is how it works!


1. First, install the package ssl-cert:

$ sudo apt-get install ssl-cert

Since GoDaddy and the like are making 2048-bit certs common these days, optionally edit the file /usr/share/ssl-cert/ssleay.cnf and change 1024 to 2048 for a 2048-bit cert.

$ sudo nano /usr/share/ssl-cert/ssleay.cnf

default_bits            = 2048

2. Next, this command will generate your private key and self-signed cert in one text file:

$ sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/mydomain.com.crt

When prompted, input the host name of your virtual host which will be the commonName of your certificate.


3. Split up the generated .crt file into two files. The first half of the file is the private key; the second half is your self-signed certificate.

– Save the private key as /etc/ssl/private/mydomain.com.key

The entire .key file should include the BEGIN and END lines:

-----BEGIN RSA PRIVATE KEY-----
your_private_key_gibberish
-----END RSA PRIVATE KEY-----

– Save the self-signed certificate as /etc/ssl/certs/mydomain.com.pem

The entire .pem file should include the BEGIN and END certificate lines:

-----BEGIN CERTIFICATE-----
your_certificate_gibberish
-----END CERTIFICATE-----


4. Fix some permissions:

$ sudo chmod 600 /etc/ssl/private/mydomain.com.key


5. Finally, add your certificate and key files to your virtual host's SSL configuration:

<VirtualHost *:443>
...
SSLEngine on
SSLCertificateFile    /etc/ssl/certs/mydomain.com.pem
SSLCertificateKeyFile /etc/ssl/private/mydomain.com.key
...
</VirtualHost>


6. Restart Apache:

$ sudo /etc/init.d/apache2 restart

Done!
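
Step 3 can be scripted instead of done by hand. The following is an added example, not part of the original post: split_pem and key_matches_cert are hypothetical helper names, and the match check assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: script step 3 (splitting the combined file) and verify the result.

# split_pem COMBINED KEY_OUT CERT_OUT
# Writes nothing unless COMBINED holds exactly one private key block and
# exactly one certificate block.
split_pem() {
    combined=$1; key_out=$2; cert_out=$3
    [ -r "$combined" ] || return 1
    # Accept "RSA PRIVATE KEY" (as shown in the post) and the PKCS#8
    # "PRIVATE KEY" header written by newer OpenSSL releases.
    nkeys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$combined" || true)
    ncerts=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$combined" || true)
    [ "$nkeys" = 1 ] && [ "$ncerts" = 1 ] || return 1

    # Create the key file under a restrictive umask so it is never
    # world-readable, then force 600 in case the file already existed.
    ( umask 077
      sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' \
          "$combined" > "$key_out" ) || return 1
    chmod 600 "$key_out" || return 1
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        "$combined" > "$cert_out" || return 1
}

# key_matches_cert KEY CERT
# Succeeds only when the key and the certificate carry the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Usage: sudo sh split-pem.sh COMBINED KEY_OUT CERT_OUT
if [ "$#" -eq 3 ]; then
    split_pem "$1" "$2" "$3" || { echo "unexpected PEM layout in $1" >&2; exit 1; }
    key_matches_cert "$2" "$3" || { echo "key and certificate do not match" >&2; exit 1; }
    echo "wrote $2 (mode 600) and $3"
fi
```

The combined .crt file still holds a copy of the private key after the split, so keep it protected the same way as the .key file or remove it once the two files are in place.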