I've set up SSL on my webserver, now I need two files:

  • a certificate
  • a certificate Key

How do I create a self-signed certificate for testing purposes?

Stefano Palazzo

3 Answers

Ubuntu, even the 'minimal' flavour, comes with the ssl-cert package pre-installed, which means you don't need to do anything.

The files you're looking for are already on your system:

/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key


Advanced:

If for some reason you need to create a fresh certificate, you can run

sudo make-ssl-cert generate-default-snakeoil --force-overwrite

If you want to change the expiration date of your certificate, you can manipulate the make-ssl-cert script at /usr/sbin/make-ssl-cert. Around line 124 there's a line similar to this:

openssl req -config $TMPFILE -new -x509 -nodes \

Where you can change the expiration date by adding the -days argument:

openssl req -config $TMPFILE -new -days 365 -x509 -nodes \

More options can be found in the manual page of req.

Lekensteyn
  • ubuntu-server 12.04 (AMI cloud image) doesn't have ssl-cert installed by default. But once ssl-cert is installed, /etc/ssl/certs/ssl-cert-snakeoil.pem becomes available automatically. – Stann May 03 '12 at 21:24
  • make-ssl-cert takes the key length (and other settings) to use from `/usr/share/ssl-cert/ssleay.cnf`. – Tim Smith Apr 08 '14 at 04:23
  • In attempting to test a website in a local vagrant VM instance, I wanted Google Chrome to act as if it was a totally normal certificate. I had to first set the VM's hostname to match the testing url (e.g. `www.test.mydomain.com`) using the `hostname` command in the VM CLI. After regenerating the key as you suggest, with `--force-overwrite`, the key's Common Name (CN) matched the testing url. Finally, on the host machine, installing the key as a Trusted Root Certificate Authority (in Chrome's Settings/Advanced) gave me the coveted green address bar. – Buttle Butkus Apr 02 '17 at 07:31
  • my 9-year old cert stopped working with my upgrade to debian 10, so the `make-ssl-cert` command saved the day for me! – Jayen Aug 28 '19 at 08:22
  • Also, nginx on ubuntu has `/etc/nginx/snippets/snakeoil.conf` that sets up paths to certificate files generated by `ssl-cert`. – kolen Apr 14 '20 at 17:55
  • In an Ubuntu 16.04 server `make-ssl-cert` was not installed, so I installed it with this command: `$ sudo apt-get install -y ssl-cert`. Thanks a lot. – mahfuz Jun 24 '20 at 03:58
As already mentioned, Ubuntu Server comes with the necessary tools. Depending on your server version you'll have to look up the specific documentation. I'll try to summarize the self-signed certificate generation process of the current LTS (12.04).

First you generate the keys for the Certificate Signing Request (CSR):

openssl genrsa -des3 -out server.key 2048

It's up to you to enter a passphrase or not. If you do, every time you (re)start a service using that certificate, you'll have to provide the passphrase. On the other hand, you can create an "insecure" key without a passphrase from the secure one:

openssl rsa -in server.key -out server.key.insecure
# shuffle the key names to continue without passphrases
mv server.key server.key.secure
mv server.key.insecure server.key

And now you'll create the CSR from the key. With the CSR and the key a self-signed certificate can be generated:

openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The last step consists of installing the certificate and the key, in Debian/Ubuntu usually in /etc/ssl:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

And finally the applications using the certificate/key have to be configured accordingly.

nietonfir

The other answers are good, but if for some reason you don't have the listed tools, or don't want to use them, I found an open source tool that is very simple:

minica -domains localhost

This will create key file minica-key.pem and cert file minica.pem. The tool for creating these is just a single file in the Go language, with no external dependencies:

https://github.com/jsha/minica

Zombo