plainblack.com

Turn on HTTPS with a self-signed SSL certificate

Normally you need to pay money to purchase an SSL certificate. However, for a development site it's handy to be able to generate your own self-signed SSL certificate for testing purposes. You could of course use this technique on a public site too if you like, but browsers will warn end users that your certificate hasn't been issued by a trusted authority.

If you are looking for help on how to install an SSL certificate you have purchased from a Certificate Authority, see the article: configuring webgui for ssl (https)

Make a directory somewhere to store your certificates.

mkdir /data/self-signed
cd /data/self-signed

 

Now run the following commands:

# Certificate Authority (CA)
openssl genrsa -des3 -out ca.key 4096 # use 123qwe for password
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt # Organization Name should be unique, defaults for everything else
# Server
openssl genrsa -des3 -out server.key 4096 # use 123qwe for password
openssl rsa -in server.key -out server.key # remove password
# Certificate Signing Request
openssl req -new -key server.key -out server.csr # Common Name is your domain name, Organization Name should be unique, rest defaults
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Uncomment the SSL section of /data/wre/etc/modproxy.conf, and update the following two lines to point at the files we created (modify the paths to suit):

SSLCertificateFile    /data/self-signed/server.crt
SSLCertificateKeyFile /data/self-signed/server.key

That's it! From there you can follow the normal WebGUI process for turning on SSL, such as enabling the sslEnabled setting in your site config file.

Since the certificate is self-signed, most browsers will show a warning and may make you jump through some hoops before you can access your site over HTTPS.

Note:
If you're running more than one virtual host, you'll need a certificate for each host. For each additional host:

  • Don't run the CA commands again (the same server.key can be used for multiple hosts).
  • Change "server" to another appropriate name for the next host.
  • Count up the serial number, since different certificates from the same CA need different serial numbers.
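
The per-host steps from the note above can be scripted. This is an added example, not part of the original article: it reuses one CA, generates a separate key per host, tracks the next serial number in a counter file, and also adds a subjectAltName and SHA-256 signature, which the commands above do not. CA_PASS, KEY_BITS, serial.txt and the host names are assumptions made up for this example.

```shell
#!/bin/sh
# Added example, not from the original article. CA_PASS, KEY_BITS and the
# serial.txt counter file are names made up for this sketch.
# Export CA_PASS (the CA key passphrase) before calling either function.

# make_ca DIR ORG: run once; creates DIR/ca.key (encrypted) and DIR/ca.crt.
make_ca() {
    dir=$1; org=$2
    mkdir -p "$dir" && chmod 700 "$dir" &&
    openssl genrsa -aes256 -passout env:CA_PASS \
        -out "$dir/ca.key" "${KEY_BITS:-4096}" 2>/dev/null &&
    openssl req -new -x509 -days 3650 -sha256 -key "$dir/ca.key" \
        -passin env:CA_PASS -subj "/O=$org/CN=$org Dev CA" -out "$dir/ca.crt" &&
    echo 1 > "$dir/serial.txt"    # next serial number to hand out
}

# issue_host_cert DIR HOST: run once per virtual host; reuses the CA,
# names the files after HOST, and takes the next unused serial number.
issue_host_cert() {
    dir=$1; host=$2
    serial=$(cat "$dir/serial.txt") || return 1
    # Unencrypted key so the web server can start unattended; keep it 0600.
    ( umask 077
      openssl genrsa -out "$dir/$host.key" "${KEY_BITS:-4096}" 2>/dev/null ) || return 1
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" || return 1
    # Current browsers match the host name against subjectAltName, not CN.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$dir/$host.ext"
    openssl x509 -req -days 3650 -sha256 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin env:CA_PASS \
        -set_serial "$serial" -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" 2>/dev/null || return 1
    echo $((serial + 1)) > "$dir/serial.txt"
    # Fail loudly if the new certificate does not chain to our CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null
}

# Usage (constructed host names):
#   export CA_PASS='...'; make_ca /data/self-signed "My Dev Org"
#   issue_host_cert /data/self-signed www.example.test
```

Point each virtual host's SSLCertificateFile and SSLCertificateKeyFile at the matching HOST.crt and HOST.key files.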

© 2018 Plain Black Corporation | All Rights Reserved