ScArcher2

Reputation: 87257

How do I create a self signed SSL certificate to use while testing a web app

How do I create a self signed SSL certificate for an Apache Server to use while testing a web app?

Upvotes: 23

Views: 13846

Answers (4)

Francisco Luz

Reputation: 2943

WARNING: This is totally useless for purposes other than local testing.

Replace MYDOMAIN with your local domain. Works with localhost too.

In some folder create MYDOMAIN.conf file. Add the following content into it:

[ req ]
prompt              = no  
default_bits        = 2048  
default_keyfile     = MYDOMAIN.pem  
distinguished_name  = subject  
req_extensions      = req_ext  
x509_extensions     = x509_ext  
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName     = KE
stateOrProvinceName = Nairobi
localityName            = Nairobi
organizationName         = Localhost


# Use a friendly name here because it's presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here are deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName          = Localhost dev cert
emailAddress            = [email protected]

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier        = hash  
authorityKeyIdentifier  = keyid,issuer

# You only need digitalSignature below. *If* you don't allow
#   RSA Key transport (i.e., you use ephemeral cipher suites), then
#   omit keyEncipherment because that's key transport.
basicConstraints        = CA:FALSE  
keyUsage            = digitalSignature, keyEncipherment  
subjectAltName      = @alternate_names  
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE  
keyUsage            = digitalSignature, keyEncipherment  
subjectAltName          = @alternate_names  
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = MYDOMAIN

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
# DNS.5       = localhost
# DNS.6       = localhost.localdomain

# IP literals belong in IP.* entries (an iPAddress SAN), not in DNS.*:
#   browsers match https://127.0.0.1 only against an iPAddress entry.
IP.1        = 127.0.0.1

# IPv6 localhost
# IP.2      = ::1

Generate the certificate files:

$ sudo openssl req -config MYDOMAIN.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout MYDOMAIN.key -days 1024 -out MYDOMAIN.crt
$ sudo openssl pkcs12 -export -out MYDOMAIN.pfx -inkey MYDOMAIN.key -in MYDOMAIN.crt
$ sudo chown -R $USER *

Make your local machine trust your certificate:

# Install the cert utils
$ sudo apt-get install libnss3-tools

# Trust the certificate for SSL
$ pk12util -d sql:$HOME/.pki/nssdb -i MYDOMAIN.pfx

# Trust self-signed server certificate
$ certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n 'dev cert' -i MYDOMAIN.crt

Edit /etc/apache2/sites-available/default-ssl.conf and make sure these two directives point to the .crt and .key files you have just created (un-comment them if needed):

SSLCertificateFile     /path/to/MYDOMAIN.crt
SSLCertificateKeyFile  /path/to/MYDOMAIN.key

Apply the configuration and restart Apache:

# If you are not using the default configuration ( /etc/apache2/sites-available/default-ssl.conf ),
# then replace "default-ssl" with whatever conf file name you've chosen
# ( DO NOT include the .conf bit ).
$ sudo a2ensite default-ssl

$ sudo service apache2 restart

Visit https://MYDOMAIN on your browser. Firefox will warn you that the certificate is self-signed and, therefore, say it is invalid. You will have to add an exception.

Source:

  • Most of it I got from 3dw1n_m0535;
  • If you run into trouble, read the README file at /usr/share/doc/apache2/README.Debian.gz

Upvotes: 0

tgmdbm

Reputation: 1563

Use OpenSSL (http://www.openssl.org/)

Here's a tutorial: http://novosial.org/openssl/self-signed/

Here is a good tutorial to start with: SSH localhost.

Upvotes: -3

Christian Hagelid

Reputation: 8355

How do I create a self-signed SSL Certificate for testing purposes?

from http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert:

  1. Make sure OpenSSL is installed and in your PATH.

  2. Run the following command, to create server.key and server.crt files:

    openssl req -new -x509 -nodes -out server.crt -keyout server.key
    

    These can be used as follows in your httpd.conf file:

    SSLCertificateFile    /path/to/this/server.crt
    SSLCertificateKeyFile /path/to/this/server.key
    
  3. It is important that you are aware that this server.key does not have any passphrase. To add a passphrase to the key, you should run the following command, and enter & verify the passphrase as requested.

    openssl rsa -des3 -in server.key -out server.key.new
    mv server.key.new server.key
    

    Please backup the server.key file, and the passphrase you entered, in a secure location.

Upvotes: 30
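An added example (not from the Apache FAQ quoted above) of step 3 with the passphrase read from a file instead of typed, plus the two checks that belong next to "back up the key and the passphrase": the key on disk really is encrypted, and the decrypted key still matches server.crt. AES-256 replaces the FAQ's -des3 because 3DES is legacy; the file paths, the 30-day validity and the non-interactive subject are assumptions.

```sh
#!/bin/sh
# Added example, not from the Apache FAQ quoted above. Passphrase-protects an
# existing server key and confirms the result is still the key the cert was
# issued for. Assumes openssl on PATH; KEY, CRT and the passphrase file are
# constructed values for this example.
KEY="${KEY:-./server.key}"
CRT="${CRT:-./server.crt}"

# Same as the FAQ's step 2, made non-interactive so the example runs as-is.
make_plain_pair() {
  openssl req -new -x509 -nodes -sha256 -days 30 -newkey rsa:2048 \
    -subj "/CN=localhost" -keyout "$KEY" -out "$CRT" >/dev/null 2>&1
}

# Encrypt the key in place. $1 is a file holding the passphrase, so it is
# neither echoed to the terminal, kept in shell history, nor visible in the
# process list. AES-256 instead of the FAQ's legacy -des3.
encrypt_key() {
  openssl rsa -aes256 -in "$KEY" -passout "file:$1" -out "$KEY.new" 2>/dev/null &&
    mv "$KEY.new" "$KEY" && chmod 600 "$KEY"
}

# 0 if the PEM on disk is marked as encrypted (matches both the traditional
# "Proc-Type: 4,ENCRYPTED" header and a PKCS#8 "ENCRYPTED PRIVATE KEY").
key_is_encrypted() { grep -q ENCRYPTED "$KEY"; }

# 0 if the key, decrypted with the passphrase in $1, carries the same public
# key as the certificate: the check to run after restoring a backup.
key_matches_cert() {
  k=$(openssl pkey -in "$KEY" -passin "file:$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$CRT" -noout -pubkey) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh protect-key.sh run   (writes a throwaway passphrase file)
if [ "${1:-}" = "run" ]; then
  PASSFILE=$(mktemp); echo "dev-only-passphrase" > "$PASSFILE"; chmod 600 "$PASSFILE"
  make_plain_pair && encrypt_key "$PASSFILE" && key_is_encrypted &&
    key_matches_cert "$PASSFILE" && echo "OK: $KEY is encrypted and matches $CRT"
fi
```

Once the key is encrypted, Apache asks for the passphrase at every start unless SSLPassPhraseDialog points it at a program that supplies it; that is the operational cost the FAQ's step 3 buys.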

alexmcchessers

Reputation: 944

Various tools exist that can generate SSLs. Try OpenSSL for example. Alternatively, there's one in the IIS 6 resource kit, if you're on Windows.

Upvotes: 0
