After using openssl to generate the necessary files, you’ll need to integrate them into Apache. This process differs between Linux distros and versions of Apache. Additional references exist at the end of this document. My instructions for Setting up SSL: Ubuntu and Apache 2 are kept most current, and will carry you through to completion.
Making a homemade CA or self-signed certificate will cause the client’s web browser to prompt whether to trust the certificate signing authority (yourself) permanently (store it in the browser), temporarily for that session, or to reject it. The message “web site certified by an unknown authority… accept?” may be a business liability for general public usage, although it’s simple enough for the client to accept the certificate permanently.
Whichever route you take, you’ll save the periodic expense of paying a recognized signing authority. This is purely for name recognition — they’ve paid the major browser producers to have their CA pre-loaded into them. So if you’re on a budget, have a special need or small audience, this may be useful.
Before you start
You need Apache and openssl. Compiling them from source, handling dependencies, etc. is beyond the scope of this document. You can consult their documentation, or go with a mainstream Linux distro that will do the preliminary work for you.
Now you need to decide whether you’ll make a CA (Certificate Authority) and sign a server certificate with it — or just self-sign a server certificate. Both procedures are detailed below.
Complete this section if you do NOT want to make a CA (Certificate Authority). If you want to make a CA, skip 1A entirely and go to 1B instead.
Some steps in this document require privileged access, and you’ll want to restrict access to the cert files to the root user alone. So su to root and create a working directory that only root can read and write (for example: mkdir certwork, chmod 600 certwork), then change into that directory.
Generate a server key:
Then create a certificate signing request with it. This command will prompt for a series of things (country, state or province, etc.). Make sure that “Common Name (eg, YOUR name)” matches the registered fully qualified domain name of your box (or your IP address if you don’t have one). I also suggest not making a challenge password at this point, since it’ll just mean more typing for you.
The default values for the questions ([AU], Internet Widgits Pty Ltd, etc.) are stored here: /etc/ssl/openssl.cnf. So if you’ve got a large number of certificate signing requests to process you probably want to carefully edit that file where appropriate. Otherwise, just execute the command below and type what needs to be typed:
Now sign the certificate signing request. This example lasts 365 days:
Make a version of server.key that doesn’t need a password (otherwise Apache will prompt for the passphrase every time it starts):
mv server.key server.key.secure
mv server.key.insecure server.key
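The steps above (server key, CSR, self-signed certificate for 365 days, password-less copy of the key) as one non-interactive script. This is an added example, not the original page’s or the author’s code: the openssl invocations are standard ones, the working directory name, the subject fields and the passphrase are constructed sample values, and -subj is used in place of the interactive questions so it runs unattended. The script uses chmod 700 on the directory (not 600) so that its owner can still enter it, and ends with the checks a practitioner would run before pointing Apache at the files: the CN, that key and certificate belong together, that issuer equals subject (self-signed), and that the working key really is unencrypted.

```shell
#!/bin/sh
# Added example of the self-signed procedure (section 1A), not from the
# original page. Directory, subject fields and passphrase are constructed.
set -eu

# Constructed sample values; replace with your FQDN and a real passphrase.
FQDN="www.example.com"
KEYPASS="pass:constructed-sample-passphrase"

make_self_signed() {
    dir="$1"
    # Working directory readable only by its owner (run as root in practice).
    # 700 rather than 600 so the owner can still enter the directory.
    mkdir -p "$dir"
    chmod 700 "$dir"

    # 1. Generate a passphrase-protected RSA server key.
    openssl genrsa -aes256 -passout "$KEYPASS" -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"

    # 2. Create the CSR; -subj replaces the interactive questions, CN = FQDN.
    openssl req -new -key "$dir/server.key" -passin "$KEYPASS" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$FQDN" \
        -out "$dir/server.csr" 2>/dev/null

    # 3. Self-sign the CSR with the same key for 365 days.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -passin "$KEYPASS" \
        -out "$dir/server.crt" 2>/dev/null

    # 4. Make a copy of the key without a passphrase so Apache can start
    #    unattended; keep the encrypted original as server.key.secure.
    openssl rsa -in "$dir/server.key" -passin "$KEYPASS" \
        -out "$dir/server.key.insecure" 2>/dev/null
    mv "$dir/server.key" "$dir/server.key.secure"
    mv "$dir/server.key.insecure" "$dir/server.key"
    chmod 600 "$dir/server.key" "$dir/server.key.secure"
}

# Common Name of the certificate (works with both old "/CN=" and new "CN = " output).
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# The certificate and the working key must share the same RSA modulus.
key_matches_cert() {
    [ "$(openssl x509 -in "$1/server.crt" -noout -modulus)" = \
      "$(openssl rsa -in "$1/server.key" -noout -modulus 2>/dev/null)" ]
}

# Self-signed means issuer and subject are identical.
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1/server.crt" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$1/server.crt" -noout -subject | sed 's/^subject=//')" ]
}

# The working key must carry no ENCRYPTED marker; the secure copy must.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1/server.key" && grep -q ENCRYPTED "$1/server.key.secure"
}

# Run as "sh script.sh run" to generate into ./certwork and print the checks.
if [ "${1:-}" = "run" ]; then
    make_self_signed ./certwork
    echo "CN: $(cert_cn ./certwork)"
    key_matches_cert ./certwork && echo "key matches certificate"
    cert_is_self_signed ./certwork && echo "certificate is self-signed"
    key_is_unencrypted ./certwork && echo "working key is unencrypted; secure copy is encrypted"
fi
```

server.crt and the password-less server.key are the two files Apache’s SSLCertificateFile and SSLCertificateKeyFile directives will point at; server.key.secure is the encrypted original you keep as a backup, and server.csr is no longer needed once the certificate has been issued.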