securitywing

Six Easy Steps to Create a Self-Signed Certificate on Ubuntu Server

by

A self-signed certificate is an SSL certificate that is signed by the person or organization creating it, rather than a trusted Certificate Authority (CA). You can use a self-signed certificate for testing purposes, or to provide encryption within internal networks. If you are looking into renewing a self-signed SSL, please take a look at How to Renew Self-Signed SSL Certificate with OpenSSL Tool in Linux

Here’s the step-by-step process for creating a self-signed certificate on an Ubuntu server:

Step 1: Install OpenSSL

OpenSSL is a tool that provides a library for secure communication over networks. If it’s not already installed, you can install it with the following command:

 
sudo apt update
sudo apt install openssl

Step 2: Create a Private Key

The first step in creating an SSL certificate is to generate a private key. This key will be used to encrypt data and should be kept secure.

Run the following command to generate a 2048-bit RSA private key:

 
openssl genpkey -algorithm RSA -out myserver.key -aes256

This command will create a password-protected key named myserver.key. If you don’t want to use a passphrase, you can use:

 
openssl genrsa -out myserver.key 2048

Step 3: Create a Certificate Signing Request (CSR)

The next step is to create a Certificate Signing Request (CSR). This request contains information about your organization and will be included in the certificate. The CSR is normally sent to a CA, but for a self-signed certificate, you’ll sign it yourself.

Use the following command to create the CSR:

 
openssl req -new -key myserver.key -out myserver.csr

You will be prompted to provide information such as:

  • Country Name: The two-letter ISO code for your country (e.g., US).
  • State or Province: The full name of your state or province.
  • Locality Name: The full name of your city.
  • Organization Name: The name of your organization.
  • Organizational Unit Name: The division or department within the organization.
  • Common Name: The fully qualified domain name (FQDN) of your server (e.g., example.com).
  • Email Address: Your email address.

You can leave some fields blank if they’re not applicable.

Step 4: Create a Self-Signed Certificate

Now you can create the self-signed certificate by running the following command:

 
openssl x509 -req -days 365 -in myserver.csr -signkey myserver.key -out myserver.crt

This command creates a certificate (myserver.crt) that will be valid for 365 days. You can adjust the -days parameter if you want a different expiration period.

Step 5: Install the Certificate

To install the certificate on your server, you will need both the .crt file (the certificate) and the .key file (the private key). The process of installation depends on which web server you are using. Below are instructions for Apache and Nginx.

For Apache:

  1. Copy the certificate and key files to the /etc/ssl/certs/ and /etc/ssl/private/ directories, respectively:

     
    sudo cp myserver.crt /etc/ssl/certs/
    sudo cp myserver.key /etc/ssl/private/

  2. Modify your Apache configuration file (usually located at /etc/apache2/sites-available/default-ssl.conf or similar) to use the new certificate and key:

     
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/myserver.crt
    SSLCertificateKeyFile /etc/ssl/private/myserver.key

  3. Enable the SSL module and the site configuration, then restart Apache:

     
    sudo a2enmod ssl
    sudo a2ensite default-ssl.conf
    sudo systemctl restart apache2

For Nginx:

  1. Copy the certificate and key files to a secure location, for example:

     
    sudo cp myserver.crt /etc/ssl/certs/
    sudo cp myserver.key /etc/ssl/private/

  2. Edit your Nginx configuration file (often located at /etc/nginx/sites-available/default) and add the following lines in the server block:

     
    server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/myserver.crt;
    ssl_certificate_key /etc/ssl/private/myserver.key;

    # Other configurations (like server_name, root, etc.)
    }

  3. Test the Nginx configuration and restart the service:

     
    sudo nginx -t
    sudo systemctl restart nginx

Step 6: Verify the Certificate

Once the certificate is installed, you can verify that it is working by using your browser to access the site via HTTPS. You will likely get a warning that the certificate is not trusted because it’s self-signed, but this is expected.

If you want to view the certificate details, you can use the following command:

 
openssl x509 -in /etc/ssl/certs/myserver.crt -text -noout

This will display information such as the issuer, expiration date, and subject details.

Optional: Combine Certificate and Key in a .pem File (If Needed)

Some applications require the private key and the certificate to be bundled together in a .pem file. You can create this bundle by running:

 
cat myserver.crt myserver.key > myserver.pem

That’s it! You now have a self-signed certificate installed on your Ubuntu server. Keep in mind that self-signed certificates are not trusted by browsers or external clients by default, so they are generally used for development or internal purposes.

Related posts:

  1. Cisco Router Security Check for Auditor
  2. How to Schedule AWS EC2 Start and stop time using Lambda and Cloudwatch
  3. 3 Steps to Setup EC2 EBS Volume Disk Space Monitoring using Cloudwatch
  4. Why IT Organizations Should Consider Having At Least Two DevOps Engineers or Equivalent Roles?

Filed Under: Off Track