I know there are a ton of postings on how to sign your own SSL certificates. I just think there’s too much out there (including in my own blog) and none that are very simple. Recently, I figured that I would do it myself (again).
Are you sick of seeing something like this in your browser bar?
Rather see something like this?
I’ll show you how to do it for free.
First off, we create a Certificate Authority (CA). This is the guy that will vouch for your server and say that it is who it says it is.
You create the new CA by running:
On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -newca
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -newca
Here’s the output:
    alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -newca
    CA certificate filename (or enter to create)
    Making CA certificate ...
    Generating a 2048 bit RSA private key
    ...................+++
    ...............................................................................................................+++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:San Francisco
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShocKNetworK
    Organizational Unit Name (eg, section) []:Security
    Common Name (e.g. server FQDN or YOUR name) []:alton-mbp.shocknetwork.com
    Email Address []:[email protected]
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /opt/local/etc/openssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/./cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 9449349124978877974 (0x8322d4f6e103a616)
        Validity
            Not Before: May 17 23:00:51 2016 GMT
            Not After : May 17 23:00:51 2019 GMT
        Subject:
            countryName = US
            stateOrProvinceName = California
            organizationName = ShocKNetworK
            organizationalUnitName = Security
            commonName = alton-mbp.shocknetwork.com
            emailAddress = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C5:5E:16:99:96:81:1F:1D:BE:D2:FE:81:B0:57:34:A1:19:24:D8:AF
            X509v3 Authority Key Identifier:
                keyid:C5:5E:16:99:96:81:1F:1D:BE:D2:FE:81:B0:57:34:A1:19:24:D8:AF
            X509v3 Basic Constraints:
                CA:TRUE
    Certificate is to be certified until May 17 23:00:51 2019 GMT (1095 days)
    Write out database with 1 new entries
    Data Base Updated
Next, generate the certificate request (this also creates a new private key for the server). With typical Linux applications, you would request a certificate with the following command:
On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -newreq
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -newreq
Output:
    alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -newreq
    Generating a 2048 bit RSA private key
    .........................+++
    ........+++
    writing new private key to 'newkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:San Francisco
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Riverbed
    Organizational Unit Name (eg, section) []:Tech Marketing Lab
    Common Name (e.g. server FQDN or YOUR name) []:alton-web-server.pod3.techmktg.lab
    Email Address []:[email protected]
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Request is in newreq.pem, private key is in newkey.pem
Now, let’s sign the certificate you just requested.
On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -sign
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -sign
Output:
    alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -sign
    Using configuration from /opt/local/etc/openssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 10013577564278676468 (0x8af75fbd91a6dbf4)
        Validity
            Not Before: May 23 00:34:03 2016 GMT
            Not After : May 23 00:34:03 2017 GMT
        Subject:
            countryName = US
            stateOrProvinceName = California
            localityName = San Francisco
            organizationName = Riverbed
            organizationalUnitName = Tech Marketing Lab
            commonName = alton-web-server.pod3.techmktg.lab
            emailAddress = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F1:A4:7E:2E:DA:2B:29:96:6C:B6:F1:2C:C5:CD:43:34:6D:2B:75:5E
            X509v3 Authority Key Identifier:
                keyid:43:52:6A:22:33:C4:67:E9:3B:17:DF:DD:20:5D:77:59:E1:C4:EC:67
    Certificate is to be certified until May 23 00:34:03 2017 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 10013577564278676468 (0x8af75fbd91a6dbf4)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=California, O=Riverbed, OU=Security, CN=securityserver.riverbed.com/[email protected]
            Validity
                Not Before: May 23 00:34:03 2016 GMT
                Not After : May 23 00:34:03 2017 GMT
            Subject: C=US, ST=California, L=San Francisco, O=Riverbed, OU=Tech Marketing Lab, CN=alton-web-server.pod3.techmktg.lab/[email protected]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        ...
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    F1:A4:7E:2E:DA:2B:29:96:6C:B6:F1:2C:C5:CD:43:34:6D:2B:75:5E
                X509v3 Authority Key Identifier:
                    keyid:43:52:6A:22:33:C4:67:E9:3B:17:DF:DD:20:5D:77:59:E1:C4:EC:67
        Signature Algorithm: sha256WithRSAEncryption
            ...
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    Signed certificate is in newcert.pem
Now, you probably want to remove the passphrase from the private key so that Apache or Nginx doesn’t ask you to input it each time you start the service. First back up newkey.pem, then run:
openssl rsa -in newkey.pem -out key.pem
    alyu1-mbpr:~ alyu$ cp newkey.pem newkey.pem.orig
    alyu1-mbpr:~ alyu$ openssl rsa -in newkey.pem -out key.pem
    Enter pass phrase for newkey.pem:
    writing RSA key
Make sure you get the “writing RSA key” message. If you don’t (after a wrong pass phrase, for example), you’ll get a message like this:
    alyu1-mbpr:~ alyu$ openssl rsa -in newkey.pem -out key.pemd
    Enter pass phrase for newkey.pem:
    unable to load Private Key
    140735125303376:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
    140735125303376:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
    140735125303376:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
    140735125303376:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:
You now have the necessary files. You’ll want to protect the files in some directory on the system and make them readable only by the web server.
cacert.pem – the CA certificate, in the demoCA folder. You can rename it to cacert.crt and just double-click on it in Windows, or open it with Keychain Access on a Mac, and add it to your trusted certificates list.
newcert.pem – this is your certificate. In Apache, it goes on the “SSLCertificateFile” line in the /etc/apache2/sites-enabled/<site> file. In NGINX, it goes on the “ssl_certificate” line in the /etc/nginx/sites-enabled/<site> file.
key.pem – this is your private key file. In Apache, it goes on the “SSLCertificateKeyFile” line in the same file. In NGINX, it goes on the “ssl_certificate_key” line.
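Before pointing the web server at these files, it is worth checking that newcert.pem chains to cacert.pem, that key.pem really is the key the certificate was issued for, and that the hostname appears in a subjectAltName entry (which current browsers require). The script below is an added example, not part of the original post: it uses plain openssl commands instead of CA.sh, and the hostname web.example.test, the "Demo CA" name and the throwaway files it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. File names follow the post; web.example.test and "Demo CA"
# are constructed placeholders, and plain openssl commands stand in for CA.sh.

# Build a throwaway CA and one signed server certificate in directory $1.
make_demo_files() {
    d=$1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/careq.pem" 2>/dev/null || return 1
    # Self-sign the CA with CA:TRUE, as in the CA.sh -newca output above.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/careq.pem" -signkey "$d/cakey.pem" -days 30 \
        -extfile "$d/ca.ext" -out "$d/cacert.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=web.example.test" \
        -keyout "$d/key.pem" -out "$d/newreq.pem" 2>/dev/null || return 1
    # Browsers match the hostname against subjectAltName, so add it at signing.
    printf 'subjectAltName=DNS:web.example.test\n' > "$d/san.ext"
    openssl x509 -req -in "$d/newreq.pem" -days 30 -extfile "$d/san.ext" \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -out "$d/newcert.pem" 2>/dev/null || return 1
    # An unrelated key, to show what a certificate/key mix-up looks like.
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null || return 1
}

# SHA-256 of the public key printed (as PEM) by the given openssl command.
pubkey_hash() { "$@" | openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# check_cert_files CA CERT KEY HOST
# Returns 0 if all pass, 1 chain failure, 2 key mismatch, 3 HOST not in SAN.
check_cert_files() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    c=$(pubkey_hash openssl x509 -in "$2" -noout -pubkey)
    k=$(pubkey_hash openssl pkey -in "$3" -pubout)
    [ "$c" = "$k" ] || return 2
    # Presence check only: no wildcard matching.
    openssl x509 -in "$2" -noout -text | grep -Fq "DNS:$4" || return 3
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_demo_files "$d" || { rm -rf "$d"; return 1; }
    good=0; check_cert_files "$d/cacert.pem" "$d/newcert.pem" "$d/key.pem" web.example.test || good=$?
    bad=0; check_cert_files "$d/cacert.pem" "$d/newcert.pem" "$d/other.pem" web.example.test || bad=$?
    rm -rf "$d"
    echo "issued key: $good, unrelated key: $bad"
}
run_demo
```

Against the files from this post the call would be `check_cert_files demoCA/cacert.pem newcert.pem key.pem <hostname>`. The certificate in the signing output above lists no subjectAltName among its X509v3 extensions, so a certificate like that one stops at code 3.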
Enable SSL on the web server and you should be all set!