Apache: how to create a self-signed SSL certificate
Introduction
If you need to protect a website with an SSL certificate but you don't want to buy one, you can create your own self-signed certificate using openssl.
Self-signed certificates give you the same encryption as regular ones. The problem is that browsers can't verify who generated the certificate, so they show an alert saying it is not trusted.
For test environments or internal usage, this would be perfectly safe.
Note:
• See how to create a multi-domain SSL certificate
How to create the self-signed SSL certificate
To create the self-signed SSL certificate you need the openssl libraries and application on your PC.
The certificate can be created with the following command:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt
You'll have to enter the certificate details.
This is an example of the full process (the data you have to enter is the value after the colon on each prompt line):
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.com.key -out example.com.crt
Generating a 2048 bit RSA private key
....................................................................+++
.................................................................................................................+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WizLab
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:john@example.com
In the above example, a certificate for www.example.com is created. The certificate consists of two files: example.com.crt is the certificate, and example.com.key is the private key.
Apache configuration
The last step is the virtual host configuration on Apache:
<VirtualHost 1.2.3.4:443>
    ServerName www.example.com
    DocumentRoot /www
    ErrorLog logs/www.example.com-error.log
    CustomLog logs/www.example.com-access.log combined
    SSLEngine on
    SSLCertificateFile certs/example.com.crt
    SSLCertificateKeyFile certs/example.com.key
</VirtualHost>
Finally, restart Apache for the changes to take effect.
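The certificate step above as a script, added here as an example and not part of the original article: it passes the certificate details non-interactively, adds a subjectAltName entry, and checks that the certificate and key form a pair before they are referenced in the virtual host. It assumes OpenSSL 1.1.1 or newer (for -addext); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumes OpenSSL 1.1.1+ (-addext). Function names are hypothetical.

# make_selfsigned FQDN OUTDIR
# Writes OUTDIR/FQDN.key and OUTDIR/FQDN.crt, valid for 365 days.
# Only the Common Name is set in the subject; other DN fields are omitted.
make_selfsigned() {
    fqdn=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    (
        # Files created here are readable by the owner only, so the
        # private key is never group- or world-readable.
        umask 077
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.crt" \
            -subj "/CN=$fqdn" \
            -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    )
}

# cert_matches_key CRT KEY
# Succeeds only if CRT carries the public half of KEY, i.e. the two files
# are a valid pair for SSLCertificateFile / SSLCertificateKeyFile.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# cert_covers_name CRT FQDN
# Succeeds if FQDN is listed exactly as a DNS subjectAltName. Current
# browsers match the host name against this extension, not the Common Name.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# Usage:
#   make_selfsigned www.example.com certs &&
#   cert_matches_key certs/www.example.com.crt certs/www.example.com.key &&
#   cert_covers_name certs/www.example.com.crt www.example.com
```

Running apachectl configtest before the restart catches syntax errors in the virtual host.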