How do I generate self signed certificates for Apache?

*UPDATED

Now replaced with a simple one line command:

openssl req -newkey rsa:1024 -keyout my.servername.key -nodes -x509 -days 999 -out my.servername.crt

The above command will generate a self signed certificate and key (used for signing the certificate)

OLD Method:

Generating SSL keys for use with Apache.

Two files are required to generate your own secure key (.crt)

1) The certificate authority (ca.key)

2) The certificate request (certreq.csr)

This FAQ demonstrates how to create a self signed certificate using the above mentioned files (which are self generated).

Create a working directory in which to create your keys. I use /root/certs/

Important! Backup your existing certificates and key files (if any).

Generate the key with the following commands:

******* Short version *******

$ openssl genrsa -des3* -out ca.key

*Note: Omit the des3 option if you don’t want to be prompted for the passphrase each time you server starts (and you generally don’t)

$ openssl req -new -key ca.key -out certreq.csr

$ openssl x509 -req -days 30 -in certreq.csr  -signkey ca.key -out www.example.com.crt

******* Long version *******

Create a key with which you will sign all requests against.

This command will generate a 1024 bit RSA private key and store it in the file ca.key

$ openssl genrsa -des3* ca.key 1024

*Note: Omit the des3 option if you don’t want to be prompted for the passphrase each time you server starts (and you generally don’t)

Generate the certificate request file (CSR) with the following command:

Note: You will now be prompted for Country, region and domain information – complete the fields as requested.

The following two fields can be safely left blank:

A challenge password []:
An optional company name []:

$ openssl req -new -key ca.key -out certreq.csr

Generate the self-signed certificate:

$ openssl x509 -req -days 30 -in certreq.csr -signkey ca.key -out www.example.com.crt

This command will generate a certificate a self-signed certificate named www.example.com.crt in the current directory.

Change www.example.com in the examples above to match the fully qualified hostname of your server.

Edit /etc/conf.d/ssl.conf and install the certificates as below:

SSLCertificateFile /path/to/your/www.example.com.crt

SSLCertificateKeyFile /path/to/your/www.example.com.key

Depending on your server configuration, the above may be in /etc/ssl or /etc/httpd/ssl or similar.

When you receive your real certificate, you will install it in place of your self-signed certificate at /path/to/your/

For your certificate to take an effect, you will need to restart the Apache web server.

Detailed installation instructions can be found in the INSTALL files in all three mod_ssl packages.

www.example.crt is your self-signed certificate.

You can use it as a temporary certificate while you are waiting for a real certificate from your SSL provider.

You install it by updating the virtual host section (or ssl.conf) of your Apache configuration for www.example.com.

We are requesting a certificate for a webserver, so the Common Name has to match the FQDN of your website (a requirement of the browsers).The file ca.key is your secret key, and must be installed as per the instructions that come with mod_ssl.

The file certreq.csr is your CSR.

admin has written 90 articles