Make Your Own Free SSL on Ubuntu

Thursday 3 December 2009

SSL is self signed cetificates that used to standard browser sucirty. If you like to generate your own ssl following this guide that i hope will help you.

Before following this guide you need to know self signed certificates will cause error like messages to be shown to your website visitors because the browser cannot identify the certificate issuer (you). Also, while I did this on my Ubuntu server
most of the commands will work as long as you have OpenSSL installed.

For this example I will generate a wild card certificate for my site: 24 Hour Apps; therefore all certificate related file names will be 24ha.

The first step to create a home for your certificate files; I did this in my root home directory. Then generate your RSA private key. The commands achieve this are:

mkdir ssl
cd ssl
openssl genrsa -des3 -out 24ha.key 1024
You will be asked a few questions. Fill them out as accurately as you can. You will also need to set a password for your private key. Please remember this as you will need to later on.

The next step is to generate your own certificate signing request. You can do this with:

openssl req -new -key 24ha.key -out 24ha.csr
You will be prompted to enter the password you typed before for your private key. Enter it and create your CSR.

The following step is optional and removes the password from your private key so that when you launch Apache with mod_ssl you do not get requested to type in a password. For servers with monitoring software that automatically restarts processes this is quite handy. The code for removing the password is:

cp 24ha.key 24ha.key.original
openssl rsa -in 24ha.key.original -out 24ha.key
Please note that your original key still exists and is now called 24ha.key.original.

We can now generate our SSL certificate with the command:

openssl x509 -req -days 365 -in 24ha.csr -signkey 24ha.key -out 24ha.crt
You will be promoted to answer more questions. The most important answer you give will be to the question "Common Name (e.g., YOUR name)", you need to enter your website address ie. www.example.com or for wild card entries *.example.com

Now that we have our certificate we need to make it available to Apache. This part of the guide becomes more Ubuntu specific as other Linux distributions will have their Apache files located elsewhere. However, to give Apache access the first step is to copy the SSL files over and enable mode SSL. To do so type:

cd /etc/apache2/
mkdir ssl
cd ssl
cp ~/ssl/24ha.key .
cp ~/ssl/24ha.crt .
a2enmod ssl

Now we need to enter a virtual host entry for our SSL enabled domain. The following is an entry I have in the file /etc/apache2/sites-available/passbook.24hourapps.com


SSLEngine On
SSLCertificateFile /etc/apache2/ssl/24ha.crt
SSLCertificateKeyFile /etc/apache2/ssl/24ha.key
ServerName passbook.24hourapps.com
DocumentRoot /home/passbook/www/


Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all


Once you have created your virtual host entry restart Apache (using /etc/init.d/apache2 restart) and test your new secure site. For my example this is https://passbook.24hourapps.com

If all went well you should see the Firefox's, or whatever browser you are using, message saying the secure connection has failed due to an unknown issuer. You will need to add an exception for the certificate before viewing the secure page. Adding the except is a 3 or 4 click process that is not very intuitive. However once it is done you can have cheap secure connections between your server and your web browser.