SSL Self-signed Certificates

Server certificates identify a particular server to its clients, which is what defends against man-in-the-middle attacks. Self-signed certificates are not practical for web servers aimed at the general public, but they work well for internal network services or low-traffic web servers used by a known set of clients.

Creating a self-signed certificate on an Ubuntu server is a relatively simple process that involves creating three files: a private key, a certificate signing request, and the public certificate. The first step is to create the private key, which stays on the server. It is easiest to create all three files in the same directory. The following instructions assume root privileges.

# mkdir /etc/ssl/newCA
# cd /etc/ssl/newCA
# openssl genrsa -des3 -out server.key 4096

The command above generates a 4096-bit RSA key, encrypts it with a passphrase using triple DES (the -des3 option), and writes it to a file called “server.key”. A key length of 4096 may be a bit much, depending on the purpose of your server, since longer keys cost more CPU time per handshake.

We generally don’t want a passphrase-protected RSA key for a web service (the service could not start unattended), so the passphrase can be removed with the following command.

# openssl rsa -in server.key -out server.key

A certificate signing request (CSR) can now be generated from the passphrase-less key. The CSR prompts for some organisation information; some fields can be left blank.

# openssl req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: CA
Locality Name (eg, city) []: Los Angeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Acme
Organizational Unit Name (eg, section) []: IT Dept
Common Name (eg, YOUR name) []: host.domain.com
Email Address []: someone@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now that the CSR is ready, it can be used to create a self-signed certificate. Each certificate generated by the server must be given its own serial number; the example uses a two-digit number, supplied to -set_serial in place of XX.

# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650 -set_serial XX

The last thing that needs to be done on the server is to change the permissions so that only root can read the files.

# chmod 400 server.*
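The same three-file flow, run non-interactively so it can be scripted and checked, as an added example that is not part of the original post. It assumes openssl is installed; the directory, host name and the check function are the example's own additions, and the key is generated without a passphrase instead of adding one and stripping it.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH.
set -eu

# make_selfsigned DIR CN: create server.key, server.csr and server.crt in DIR.
make_selfsigned() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # Private key without a passphrase (the post strips it in a second step).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # CSR with the DN given on the command line instead of the prompts.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=CA/L=Los Angeles/O=Acme/OU=IT Dept/CN=$cn" 2>/dev/null
    # Self-sign with a random serial so two certificates from the same key
    # never share one, which clients treat as a hard error.
    serial=$(openssl rand -hex 8)
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 3650 -set_serial "0x$serial" -out "$dir/server.crt" 2>/dev/null
    chmod 400 "$dir"/server.*
}

# check_pair DIR CN: succeed only if the certificate matches the private
# key, verifies against itself as trust anchor, and carries the expected CN.
check_pair() {
    dir=$1; cn=$2
    # Key and certificate must carry the same public key.
    k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$dir/server.crt" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ] || return 1
    # A self-signed certificate validates only with itself as the CA file.
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -subject | grep -q -- "CN *= *$cn"
}
```

check_pair is the test a client operator can run on a received server.crt before installing it, provided the matching key is available; without the key, the verify and subject checks alone still apply.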

Now that the key and certificate are ready, configure the server to use the key and distribute the certificate to each client. To install the certificate on an Ubuntu client, first transfer it to the client, then create a new directory for it under /usr/share/ca-certificates.

# mkdir /usr/share/ca-certificates/newCA

Next, copy the certificate into that directory.

# cp server.crt /usr/share/ca-certificates/newCA

Add the ‘.crt’ file’s path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf.

# echo newCA/server.crt >> /etc/ca-certificates.conf

Update the client's installed CA certificates.

# dpkg-reconfigure ca-certificates && update-ca-certificates

Ubuntu will automatically create server.pem inside the /etc/ssl/certs directory, which the client can then use to correctly identify the server.