Advanced Certs & Security
From: https://askubuntu.com/questions/49196/how-do-i-create-a-self-signed-ssl-certificate
Answer 1
Ubuntu, even the 'minimal' flavour, comes with the ssl-cert package
pre-installed, which means you don't need to do anything.
The files you're looking for are already on your system:
/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key
Advanced:
If for some reason you need to create a fresh certificate, you can run
sudo make-ssl-cert generate-default-snakeoil --force-overwrite
If you want to change the expiration date of your certificate, you can manipulate
the make-ssl-cert script at /usr/sbin/make-ssl-cert. Around line 124 there's a
line similar to this:
openssl req -config $TMPFILE -new -x509 -nodes \
Where you can change the expiration date by adding the -days argument:
openssl req -config $TMPFILE -new -days 365 -x509 -nodes \
Answer 2
ubuntu-server 12.04 (AMI cloud image) doesn't have ssl-cert installed by
default. But once ssl-cert is installed -
/etc/ssl/certs/ssl-cert-snakeoil.pem
becomes available automatically. – Stann May 3, 2012 at 21:24
make-ssl-cert takes the key length (and other settings) to use from
/usr/share/ssl-cert/ssleay.cnf.
– Tim Smith Apr 8, 2014 at 4:23
In attempting to test a website in a local vagrant VM instance, I wanted
Google Chrome to act as if it was a totally normal certificate. I had to first
set the VM's hostname to match the testing url (e.g. www.test.mydomain.com)
using the hostname command in the VM CLI. Then regenerating the key as you
suggest, with --force-overwrite, the key's Common Name (CN) then matched the
testing url. Finally, on the host machine, installing the key as a Trusted Root
Certificate Authority (in Chrome's Settings/Advanced) gave me the coveted green
address bar. – Buttle Butkus Apr 2, 2017 at 7:31
My 9-year-old cert stopped working with my upgrade to Debian 10, so the
make-ssl-cert command saved the day for me! – Jayen Aug 28, 2019 at 8:22
Also, nginx on ubuntu has /etc/nginx/snippets/snakeoil.conf that sets up paths
to certificate files generated by ssl-cert. – kolen Apr 14, 2020 at 17:55
Answer 3
As already mentioned, Ubuntu Server comes with the necessary tools. Depending on
your server version you'll have to look up the specific documentation. I'll try
to summarize the self-signed certificate generation process of the current LTS
(12.04).
First you generate the keys for the Certificate Signing Request (CSR):
openssl genrsa -des3 -out server.key 2048
It's up to you to enter a passphrase or not. If you do, every time you (re)start
a service using that certificate, you'll have to provide the passphrase. OTOH
you can create an "insecure" key without a passphrase from the secure one:
openssl rsa -in server.key -out server.key.insecure
# shuffle the key names to continue without passphrases
mv server.key server.key.secure
mv server.key.insecure server.key
And now you'll create the CSR from the key. With the CSR and the key a
self-signed certificate can be generated:
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The last step consists of installing the certificate and the key, in
Debian/Ubuntu usually in /etc/ssl:
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
And finally the applications using the certificate/key have to be configured
accordingly.
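Added example (not part of the original answer): the key, CSR and certificate steps above run without prompts in a throwaway directory, followed by the checks worth doing before copying the pair into /etc/ssl. The function names and directory layout are assumptions for illustration; the CN is the sample hostname from the comments above, and the key is generated without a passphrase.

```sh
#!/bin/sh
# Added example: Answer 3's steps without prompts, followed by checks.
# Function names and the WORKDIR layout are assumptions for this illustration.

# make_selfsigned DIR CN DAYS: key -> CSR -> self-signed certificate in DIR
make_selfsigned() {
    # umask 077 so the private key is created readable by its owner only
    ( umask 077 && openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr" || return 1
    openssl x509 -req -days "$3" -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# key_matches_cert KEY CERT: true when both carry the same public key
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# is_self_signed CERT: subject equals issuer and the signature verifies
# against the certificate's own key
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//') || return 1
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//') || return 1
    [ "$subj" = "$issr" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# valid_for_days CERT N: true when CERT is still valid N days from now
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_pair DIR: run every check on DIR/server.key and DIR/server.crt
check_pair() {
    key_matches_cert "$1/server.key" "$1/server.crt" || { echo "key/cert mismatch"; return 1; }
    is_self_signed "$1/server.crt" || { echo "not self-signed"; return 1; }
    valid_for_days "$1/server.crt" 30 || { echo "expires within 30 days"; return 1; }
    echo "ok"
}

# Demo in a throwaway directory (nothing is written to /etc/ssl)
WORKDIR=$(mktemp -d)
make_selfsigned "$WORKDIR" "www.test.mydomain.com" 365 && check_pair "$WORKDIR"
rm -rf "$WORKDIR"
```

Running check_pair against the directory holding server.key and server.crt before the copy step catches a key and certificate that were regenerated separately and no longer belong together.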
Answer 4
The other answers are good, but if for some reason you don't have the listed
tools, or don't want to use them, I found an open source tool that is very
simple:
minica -domains localhost
This will create key file minica-key.pem and cert file minica.pem. The tool for
creating these is just a single file in the Go language, with no external
dependencies:
https://github.com/jsha/minica