Generating a self-signed SSL certificate for Apache
12 November 2011
1. Generate a private key
openssl genrsa -out server.key 1024
(If you’re concerned about security you should also look at the -des3 and -rand options – see here – otherwise I’ve found this works fine for testing.)
2. Generate a certificate signing request
openssl req -new -key server.key -out server.csr
Answer the questions when prompted – e.g.
- Country Name: UK
- State or Province Name: England
- Locality Name: blank
- Organization Name: DaveJamesMiller.com
- Organizational Unit Name: blank
- Common Name: secure.davejamesmiller.com (Enter the domain name)
- Email Address: me@example.com
The only one that really matters for a self-signed certificate is the Common Name field, which should be set to the domain name.
3. Self-sign the certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
This will be valid for 365 days, but you could increase that if you want to.
4. Configure Apache
This will depend on how your distro is set up, but it will look something like this:
<VirtualHost *:443>
    ServerName secure.davejamesmiller.com
    DocumentRoot /var/www/secure/
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>
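
The script below runs steps 1 to 3 non-interactively and then makes the checks worth doing before pointing Apache at the files: that the certificate was built from this key, that its Common Name is the domain, and that it is in date. It is an added example, not part of the original post; the function names, the hostname secure.example.test, the -subj values and the 2048-bit key size (the post uses 1024) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames and subject fields
# are constructed test values; the 2048-bit key size is an assumption.

# Steps 1-3 from the post, non-interactive: key, CSR, self-signed certificate.
make_pair() {   # usage: make_pair DIR COMMON_NAME
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/C=GB/O=Example/CN=$2" \
        -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Print the RSA modulus size, in bits, of a private key.
key_bits() {    # usage: key_bits KEY
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Return 0 if KEY and CERT belong together, the CN is HOST and CERT is in date.
check_pair() {  # usage: check_pair KEY CERT HOST
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ] || return 3   # certificate made from another key
    subject=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    case ",$subject," in
        *",CN=$3,"*) ;;
        *) return 4 ;;                        # Common Name is not the domain
    esac
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || return 5   # expired
    return 0
}

demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d" secure.example.test || return 1
    echo "key size: $(key_bits "$d/server.key") bits"
    for name in secure.example.test www.example.test; do
        if check_pair "$d/server.key" "$d/server.crt" "$name"; then
            echo "$name: pair is consistent"
        else
            echo "$name: rejected with exit code $?"
        fi
    done
    rm -rf "$d"
}
demo
```

Running check_pair against the real server.key and server.crt before restarting Apache shows which check failed through its exit code (3 key mismatch, 4 wrong Common Name, 5 expired).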