How to make your own SSL certificates

Posted by shaakunthala on Fri, 12/26/2008 - 00:53

Hello everybody,
First of all, may I wish you a Merry Merry Christmas, and a joyful new year!



Today, I'm going to talk about how to create your own SSL certificates. Before making your own certificates, be aware that browsers will not trust them, because they are not signed by a certificate authority the browser already knows. Some examples of such authorities are VeriSign, Thawte and GeoTrust. When you visit a URL that uses such a certificate (one not issued by a known authority), you will get the following (or a similar) warning from the browser, but you can choose to continue. This happens for your own security: the browser cannot verify the issuer, so it cannot tell whether the site really is who it claims to be.

OK, now let us see how to make your own certificate. It takes three simple steps:

  1. Create a Private Key
  2. Create the Certificate Signing Request (CSR)
  3. Create the Self-Signed Certificate

Note:
Most of the undergraduates of UCSC (including me) use XAMPP, so if you run XAMPP, here is where openssl can be found. If you use any other tool, please refer to that tool's documentation to find where openssl is located.

  • If you use Linux, openssl is available at $PROGRAM_INSTALLATION_DIR/lampp/bin/openssl
  • If you use Windows, openssl is available at $PROGRAM_INSTALLATION_DIR\apache\bin\openssl.exe

Use the command line interface (terminal, konsole, command prompt or whatever you have) and cd to the appropriate directory before following these instructions.

Create a Private Key
An RSA private key file is needed to generate the CSR. With the command below, the key file is encrypted using the Triple DES algorithm and the key is 1024 bits long (the number is a length in bits, not a file size in bytes). Note that 1024-bit RSA keys are no longer considered strong enough; for anything beyond a quick test, use 2048 bits or more by changing the last argument.

openssl genrsa -des3 -out localhost.key 1024

genrsa tells the openssl application to generate an RSA key.
-des3 is the algorithm used to encrypt the key file.
localhost.key is the output file and 1024 is the key length in bits (the size of the RSA modulus), not the size of the output file.

You will be asked to provide a pass-phrase, which protects the key file. You may be required to enter this pass-phrase each time you start the server. If you find this inconvenient (I do), you can simply omit the -des3 switch from the above command to skip the pass-phrase. An unencrypted key is then protected only by file permissions, so make sure nobody except the account the server runs as can read it.
The generated file contains ASCII characters only and may look like the following:

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDTwBGpAta4XCfP27CccOCzNSPMDD3a7EqEvcqLUhmTIrBblFMV
.
.
.
OYieK2ptnwiPPmh7mqkyHmlXFuhe9pQrG4GQ7CG66Mk=
-----END RSA PRIVATE KEY-----

Create a Certificate Signing Request (CSR)
Now, to get a signed certificate from an authority, you have to make a certificate signing request. This request is stored in a file called the CSR and submitted to the certificate authority. You can send it to VeriSign if you have thousands of dollars to spend :D, or you can sign it yourself. It is common for governments and organizations to have their own self-signed certificates.

To make the CSR, enter the following command:

openssl req -new -key localhost.key -out localhost.csr

localhost.key is the name of the RSA key file we have generated in the previous step.
localhost.csr is the name of the CSR file that we generate.

Then you will be asked to enter some information that goes into the CSR. Most of the fields are self-explanatory; the one that matters is the Common Name, which must match the hostname users will type into the browser (here, localhost). If it does not, the browser will warn about a name mismatch even after you have chosen to trust the certificate.

Create the Self-Signed Certificate
Self-signed certificates are mostly used by non-commercial organizations and for testing purposes. To make your own self-signed certificate, enter the following command:

openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt

x509 is the structure (or format) of the certificate.
-req tells openssl that the input file is a certificate request rather than an existing certificate.
-days specifies how many days the certificate remains valid.
-in specifies the request file to be read, and localhost.csr is the name of the CSR we made in the previous step.
-signkey specifies the RSA key file used to sign the certificate, and localhost.key is the name of the RSA key file we generated in the first step. Because the same key signs the request it was made with, the result is self-signed.
localhost.crt is the name of the final output, which is the certificate file.
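The three steps above, run end to end as one script. This is an added example and not code from the original post: it generates the key without a pass-phrase (so it restricts the file mode instead), supplies the CSR fields with -subj so nothing has to be typed interactively, self-signs the request, and then performs the checks worth running before installing the result: that the certificate's public key really matches the private key, that the Common Name is the intended hostname, and that the certificate verifies when it is itself the trust anchor. The hostname, the organisation name, the output directory and the 2048-bit key length are assumptions made for the example; substitute your own.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed certificate, non-interactively,
# followed by the checks to run before installing the files on a server.
# Assumes: openssl in PATH, a writable output directory.
set -eu

# make_selfsigned <hostname> <outdir> [days] [bits]
# Prints the path of the generated certificate.
make_selfsigned() {
    host="$1"
    outdir="$2"
    days="${3:-365}"
    bits="${4:-2048}"   # 1024 (as in the post) is too short for real use

    mkdir -p "$outdir"
    key="$outdir/$host.key"
    csr="$outdir/$host.csr"
    crt="$outdir/$host.crt"

    # Step 1: private key. No -des3 (no pass-phrase), so the file mode is the
    # only protection: umask 077 makes the key readable by its owner alone.
    (umask 077 && openssl genrsa -out "$key" "$bits")

    # Step 2: CSR. -subj supplies the DN fields that the interactive prompt
    # would ask for; CN must be the hostname clients will use.
    # Country and organisation are placeholders for this example.
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=LK/O=Example Org/CN=$host"

    # Step 3: sign the request with the same key -> self-signed certificate.
    openssl x509 -req -days "$days" -in "$csr" -signkey "$key" -out "$crt"

    echo "$crt"
}

# cert_matches_key <crt> <key>
# Succeeds only if the public key inside the certificate is the one derived
# from the private key, i.e. the two files belong together.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# cert_cn <crt>
# Prints the Common Name from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_verifies_with <crt> <trust-anchor>
# Builds the chain for <crt> using only <trust-anchor> as trusted root.
# For a self-signed certificate this succeeds when the anchor is the
# certificate itself, which is what "trusting" it in a browser amounts to.
cert_verifies_with() {
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# Usage: sh make-cert.sh <hostname> [outdir] [days] [bits]
if [ "$#" -ge 1 ]; then
    out=$(make_selfsigned "$1" "${2:-.}" "${3:-365}" "${4:-2048}")
    cert_matches_key "$out" "${2:-.}/$1.key"
    echo "certificate: $out (CN=$(cert_cn "$out"))"
fi
```

Verifying the same certificate with `openssl verify` against the system trust store instead of against itself fails with a self-signed-certificate error; that is exactly the situation behind the browser warning described at the top of the post, and it is why the browser asks you to confirm before continuing.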

Congratulations! You are almost done generating your self-signed SSL certificate. The next step is to install the generated certificate on your server so it can be used. For that you will need the RSA key file and the certificate (.crt) file; the CSR is no longer needed once the certificate exists. I will explain the installation procedure in my next blog post. If you need further clarification or have any questions regarding this article, please leave a comment below.

Thank you for reading, happy holidays!

෴සමීර ශාකුන්තල | Sameera Shaakunthala෴
thanks for the information

thanks for the information machan !!

Posted by udara1986 on Tue, 12/30/2008 - 08:52