When generating an Apache (mod_ssl) SSL certificate, you have two options:
- Purchase a SSL certificate from a certificate authority (CA). Searching the Web for “certificate authority” will present several choices.
- Generate a self-signed certificate. This option costs nothing and provides the same level of encryption as a certificate purchased from a certificate authority (CA). However, this option can be a mild annoyance to some users, because Internet Explorer (IE) issues a harmless warning each time a user visits a site that uses a self-signed certificate.
Regardless of which option you select, the process is almost identical.
- Know the fully qualified domain name (FQDN) of the website for which you want to request a certificate. If you want to access your site through
https://www.example.com
, then the FQDN of your website iswww.example.com
.This is also known as your common name. - Generate the key with the SSL
genrsa
command.openssl genrsa -out www.example.com.key 1024
This command generates a 1024 bit RSA private key and stores it in the file
www.example.com.key
.Tip: Back up your www.example.com.key file, because without this file your SSL certificate will not be valid. - Generate the CSR with SSL req command.
openssl req -new -key www.example.com.key -out www.example.com.csr
This command will prompt you for the X.509 attributes of your certificate. Give the fully qualified domain name, such as
www.example.com
, when prompted forCommon Name
.Do not enter your personal name here. It is requesting a certificate for a webserver, so theCommon Name
has to match the FQDN of your website. - Generate a self-signed certificate.
openssl x509 -req -days 370 -in www.example.com.csr -signkey www.example.com.key -out www.example.com.crt
This command will generate a self-signed certificate in
www.example.com.crt
.
You will now have an RSA private key in www.example.com.key
, a Certificate Signing Request in www.example.com.csr
, and an SSL certificate in www.example.com.crt
. The self-signed SSL certificate that you generated will be valid for 370 days.