When generating an Apache (mod_ssl) SSL certificate, you have two options:
- Purchase an SSL certificate from a certificate authority (CA). Searching the Web for “certificate authority” will present several choices.
- Generate a self-signed certificate. This option costs nothing and provides the same level of encryption as a certificate purchased from a certificate authority (CA). However, this option can be a mild annoyance to some users, because Internet Explorer (IE) issues a harmless warning each time a user visits a site that uses a self-signed certificate.
Regardless of which option you select, the process is almost identical.
- Know the fully qualified domain name (FQDN) of the website for which you want to request a certificate. If you want to access your site through https://www.example.com, then the FQDN of your website is www.example.com. This is also known as your common name.
- Generate the key with the SSL
openssl genrsa -out www.example.com.key 1024
This command generates a 1024-bit RSA private key and stores it in the file www.example.com.key.
Tip: Back up your www.example.com.key file, because without this file, your SSL certificate will not be valid.
- Generate the CSR with SSL
openssl req -new -key www.example.com.key -out www.example.com.csr
This command will prompt you for the X.509 attributes of your certificate. Give the fully qualified domain name, such as www.example.com, when prompted for Common Name. Do not enter your personal name here. It is requesting a certificate for a webserver, so the Common Name has to match the FQDN of your website.
- Generate a self-signed certificate.
openssl x509 -req -days 370 -in www.example.com.csr -signkey www.example.com.key -out www.example.com.crt
This command will generate a self-signed certificate in
You will now have an RSA private key in www.example.com.key, a Certificate Signing Request in www.example.com.csr, and an SSL certificate in www.example.com.crt. The self-signed SSL certificate that you generated will be valid for 370 days.
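
The three commands above, run non-interactively and followed by a check that the key, CSR and certificate actually belong together and that the Common Name matches the FQDN. This is an added example, not part of the original page: the function names make_selfsigned and check_set are hypothetical, and -subj is used in place of the interactive Common Name prompt.

```shell
#!/bin/sh
# Added example: key, CSR and self-signed certificate for one FQDN, then
# a check that all three files belong together.

# make_selfsigned FQDN [BITS] [DAYS]: the page's three commands in order.
# -subj supplies the Common Name instead of the interactive prompt.
make_selfsigned() {
    fqdn=$1; bits=${2:-1024}; days=${3:-370}   # defaults are the page's values
    (
        umask 077   # the private key must not be readable by other users
        openssl genrsa -out "$fqdn.key" "$bits" 2>/dev/null
    ) || return 1
    openssl req -new -key "$fqdn.key" -subj "/CN=$fqdn" -out "$fqdn.csr" || return 1
    openssl x509 -req -days "$days" -in "$fqdn.csr" \
        -signkey "$fqdn.key" -out "$fqdn.crt" 2>/dev/null
}

# check_set FQDN: returns 0 only if key, CSR and certificate carry the same
# public key and the certificate subject is exactly CN=FQDN.
check_set() {
    fqdn=$1
    key_pub=$(openssl pkey -in "$fqdn.key" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$fqdn.csr" -noout -pubkey 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$fqdn.crt" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$csr_pub" ] || { echo "key/CSR mismatch" >&2; return 1; }
    [ "$key_pub" = "$crt_pub" ] || { echo "key/certificate mismatch" >&2; return 1; }
    # Compare the whole subject, not a substring, so CN=www.example.com.other
    # does not pass as www.example.com.
    subject=$(openssl x509 -in "$fqdn.crt" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    [ "$subject" = "CN=$fqdn" ] || { echo "CN is not $fqdn: $subject" >&2; return 1; }
}
```

Run check_set www.example.com after restoring a key from backup or before pointing Apache at the files; a mismatch means the certificate was issued for a different key.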