Generate Self Signed SSL Certificates - Linux 101

The following commands can be run on any Linux host with openssl installed.

To create a new Private Key without a passphrase.

# openssl genrsa -out secure.linux-101.org.key 4096

To create a new password protected Private Key (Remember the passphrase)

# openssl genrsa -des3 -out secure.linux-101.org.key 4096

To remove the passphrase from the password protected Private Key

# openssl rsa -in secure.linux-101.org.key -out secure.linux-101.org.key.nopass

To create a CSR using the private key created above

# openssl req -new -key secure.linux-101.org.key -out secure.linux-101.org.csr

Now sign the CSR with the above created Key

# openssl x509 -req -days 365 -in secure.linux-101.org.csr -signkey secure.linux-101.org.key -out secure.linux-101.org.crt
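
The steps above as one non-interactive script, followed by a check that the certificate really carries the key's public key and is self-issued. This is an added example, not part of the original page; the function names, the -subj value (CN set to the host name) and the 2048-bit demo key size are assumptions.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed certificate, then verify the result.

# make_selfsigned NAME DIR [BITS]: writes NAME.key, NAME.csr, NAME.crt into DIR.
make_selfsigned() {
    name=$1 dir=$2 bits=${3:-4096}
    (
        umask 077   # private key is created readable by its owner only
        openssl genrsa -out "$dir/$name.key" "$bits" 2>/dev/null
    ) || return 1
    # -subj answers the CSR prompts; CN = host name (assumed equal to NAME)
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
        -out "$dir/$name.csr" || return 1
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt"
}

# check_pair KEY CRT: succeeds only if CRT contains KEY's RSA modulus and
# CRT is self-issued (issuer equals subject). KEY must have no passphrase.
check_pair() {
    km=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null) || return 1
    cm=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ] || return 1
    subj=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Demo in a scratch directory (2048 bits only to keep the demo quick).
d=$(mktemp -d)
make_selfsigned secure.linux-101.org "$d" 2048 &&
    check_pair "$d/secure.linux-101.org.key" "$d/secure.linux-101.org.crt" &&
    echo "certificate matches key and is self-issued"
rm -rf "$d"
```

The same check_pair comparison is useful before installing a CA-signed certificate, minus the issuer test, to confirm the certificate belongs to the key on the server.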

The CSR would normally go to a recognized Certificate Authority such as Verisign to be signed. The signed certificate and the key used to create it then both need to be installed on the web server. This is normally the copy of the key that isn't password protected: while less secure, it means that you do not need to enter a password every time you restart Apache. The key should never be sent in clear text (email), or at least not together with the certificate it was used to generate, since anyone who obtains the key can impersonate the server.

We prefer no password on the key because otherwise, when Apache restarts, it will prompt us for a password. This is a problem if you have a script to restart Apache if it dies, or the box is rebooted for a kernel upgrade or whatever. It's up to you.

I personally believe that security is a right every Internet user has and not a privilege. Startcom agree with me and as a result Startcom offer free signed SSL certificates for both mail signing and encryption as well as signed certificates for your web server. I personally use their free services and think they're great. You can read all about it by going to http://cert.startcom.org/
