
Creating a self-signed SSL Certificate

Oh boy, recently a lot has been talked about OpenSSL’s bug known as heartbleed. The bug was in OpenSSL’s implementation of the TLS “heartbeat” extension: it trusted the payload length claimed in the request without checking it against the data actually received, so a peer could read up to 64 KB of the process’s memory per request, and that memory can contain the server’s private key. I won’t go too much into the details, but you can read more about it in the previous link. A short explanation is also available on xkcd.

Anyway, while I don’t believe anyone with anything better to do would be trying to break into a server with very little sensitive information, it’s always good to play safe. So I’m regenerating my SSL certificates just in case. Keep in mind that what Heartbleed can leak is the private key, so the point is to generate a new key pair; re-signing the old key gains nothing. Also, I previously used 1024-bit RSA keys, so I’m using this opportunity to bump my keys to 2048-bit. First of all, create a folder that only your server user can read (in my case, the user is “http” and the server nginx):

# mkdir /etc/nginx/ssl
# chown http:http /etc/nginx/ssl
# chmod 0700 /etc/nginx/ssl
# cd /etc/nginx/ssl

Start by generating the private key. This will ask you for a passphrase, which you will then need both to generate the CSR and to start nginx (-des3 encrypts the key file with Triple DES; on a current OpenSSL, -aes256 is the stronger choice):

# openssl genrsa -des3 -out mykey.key 2048

Now generate the CSR (certificate signing request):

# openssl req -new -key mykey.key -out mycert.csr

The passphrase you chose will be asked for every time the server starts. This protects the key file at rest, but it also means nginx cannot come back up unattended after a power failure or other reboot. If you want to remove the passphrase (the command below overwrites the file with the unencrypted key, so make sure its permissions stay tight, e.g. mode 0600):

# openssl rsa -in mykey.key -out mykey.key

Now self-sign the CSR with the key and the certificate will be “good to go”. You can change the number of days the certificate is valid for; I’ve set 365, which seems like a reasonable number. Older OpenSSL releases sign with SHA-1 by default here, so adding -sha256 to the command is a good idea:

# openssl x509 -req -days 365 -in mycert.csr -signkey mykey.key -out mycert.crt
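The three steps above as one script, added here as an example (it is not part of the original post): it generates the 2048-bit key without a passphrase, writes the CSR non-interactively with -subj, signs the certificate with SHA-256, and then checks that the certificate really belongs to the key and validates against itself. It also prints the SHA-256 fingerprint, which is what you compare against the browser’s warning dialog before accepting the certificate. The directory, the CN cloud.example.test and the 365-day validity are assumptions; change them to match your setup.

```shell
#!/bin/sh
# Added example, not from the original post: generate a key, a CSR and a
# self-signed certificate in one go, then verify the result. The directory,
# CN and validity period are passed in by the caller (all assumed values).
set -eu

# make_selfsigned DIR CN DAYS
# Creates DIR/mykey.key (unencrypted, mode 0600), DIR/mycert.csr and
# DIR/mycert.crt, mirroring the steps from the post.
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    chmod 0700 "$dir"
    # No passphrase, so the server can restart unattended; the file mode
    # is what protects the key instead.
    openssl genrsa -out "$dir/mykey.key" 2048 2>/dev/null
    chmod 0600 "$dir/mykey.key"
    # -subj answers the interactive prompts; only the CN matters for a
    # self-signed server certificate.
    openssl req -new -key "$dir/mykey.key" -subj "/CN=$cn" -out "$dir/mycert.csr"
    # -sha256 avoids the SHA-1 default of older OpenSSL releases.
    openssl x509 -req -days "$days" -sha256 -in "$dir/mycert.csr" \
        -signkey "$dir/mykey.key" -out "$dir/mycert.crt" 2>/dev/null
}

# check_selfsigned DIR
# Returns 0 only if the certificate belongs to the key (same RSA modulus)
# and validates when the certificate itself is used as the trust anchor,
# which is exactly what a browser does once you add an exception for it.
check_selfsigned() {
    dir=$1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/mykey.key" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/mycert.crt")
    [ "$key_mod" = "$crt_mod" ] || return 1
    openssl verify -CAfile "$dir/mycert.crt" "$dir/mycert.crt" >/dev/null 2>&1
}

# cert_fingerprint DIR
# SHA-256 fingerprint (colon-separated hex) to compare against the value the
# browser shows on the first visit, so accepting the certificate is not a
# blind trust-on-first-use.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1/mycert.crt" | sed 's/^.*=//'
}

# cert_subject_cn DIR
# Prints the subject in RFC 2253 form, e.g. "CN=cloud.example.test".
cert_subject_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/mycert.crt" | sed 's/^subject= *//'
}

# Usage: make_selfsigned /etc/nginx/ssl cloud.example.test 365 && check_selfsigned /etc/nginx/ssl
# Then: cert_fingerprint /etc/nginx/ssl
```

Run make_selfsigned as root if the target is /etc/nginx/ssl; check_selfsigned is a cheap sanity check to run after any manual re-keying, since a certificate that does not match the key next to it is the most common reason for nginx refusing to start after a certificate swap.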

Now all you need is to configure your server to use the SSL certificate. Note that nginx loads the certificate and key in its master process, which runs as root, when it starts or reloads, so the files do not actually need to be readable by the worker user; root-owned and mode 0600 is the tighter choice, since a compromised worker then cannot read the private key. (The spdy parameter below was valid at the time of writing; nginx 1.9.5 and later replace it with http2.) In my case, I’m using it to secure an owncloud installation running on nginx:

server {
        listen 443 ssl spdy;
(...)
        ssl_certificate /etc/nginx/ssl/mycert.crt;
        ssl_certificate_key /etc/nginx/ssl/mykey.key;
(...)
}

A self-signed certificate will make the browser complain the first time you visit it, because no CA it trusts has signed it; once you add an exception, subsequent visits should work fine. Before clicking through, compare the fingerprint shown in the warning with the one from “openssl x509 -noout -fingerprint -sha256 -in mycert.crt” on the server, otherwise the exception you add could just as well be for an attacker’s certificate. Happy hosting! (;
Sources:
A similar guide for CentOS/RHEL and Apache
Akadia’s guide for self-signed certificates
A similar guide for Ubuntu 12.04 + nginx
