Generating Self Signed SSL Certificates

Problem

One problem that I found when creating self signed SSL certificates was trying to remembering all the qualifiers that OpenSSL supports and requires. When generating a self signed SSL certification you usually have to refer to the OpenSSL man page(s) or usage help, however, it can be simpler.

Solution

The solution to this problem is very simple, the Apache daemon that is packaged with SUSE contains a shell script called: “gensslcert“. This shell script generates SSL certificates and moves them into the appropriate directories. The “gensslcert” command by default will generate a certificate based on some system details such as your hostname, once the certificate has been generated the files are copied to the appropriate directories for the Apache web server as shown in Figure 1.

fmv-s8230-sk:~ # gensslcert
comment         mod_ssl server certificate
name
C               XY
ST              unknown
L               unknown
U               web server
O               SuSE Linux Web Server
CN              linux-m899.site
email           webmaster@linux-m899.site
srvdays         730
CAdays          2190

creating CA key ...
203370 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
....................................................................................................................+++
...................................................................................+++
e is 65537 (0x10001)

creating CA request/certificate ...
`/etc/apache2/ssl.crt/ca.crt' -> `/srv/www/htdocs/CA.crt'

creating server key ...
203370 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
....++++++
......++++++
e is 65537 (0x10001)

creating server request ...
creating server certificate ...
Signature ok
subject=/C=XY/ST=unknown/L=unknown/O=SuSE Linux Web Server/OU=web server/CN=linux-m899.site/emailAddress=webmaster@linux-m899.site
Getting CA Private Key

Verify: matching certificate & key modulus

Verify: matching certificate signature
/etc/apache2/ssl.crt/server.crt: OK

Figure 1: Generating a default SSL certificate.

As you can see from Figure 1 miscellaneous data was used to generate the SSL certificate. The “gensslcert” command has a qualifiers for each field that is require to generate a SSL certificate, Table 1 list the qualifiers that are available. Figure 1.2 shows the command used to generate a SSL certificate with our appropriate data.

Table 1: “gensslcert” Qualifiers.

fmv-s8230-sk:~ # gensslcert -C "exaple.com" -N "This is an example certificate" -c GB -o "Example Inc" -u "Web Development" -n "www.example.com" -e "root@example.com"
comment         This is an example certificate
name            exaple.com-
C               GB
ST              unknown
L               unknown
U               Web Development
O               Example Inc
CN              www.example.com
email           root@example.com
srvdays         730
CAdays          2190

creating CA key ...
203370 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.......................................................+++
............................................................................+++
e is 65537 (0x10001)

creating CA request/certificate ...
`/etc/apache2/ssl.crt/exaple.com-ca.crt' -> `/srv/www/htdocs/EXAPLE.COM-CA.crt'

creating server key ...
203370 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
................................++++++
..............++++++
e is 65537 (0x10001)

creating server request ...
creating server certificate ...
Signature ok
subject=/C=GB/ST=unknown/L=unknown/O=Example Inc/OU=Web Development/CN=www.example.com/emailAddress=root@example.com
Getting CA Private Key

Verify: matching certificate & key modulus

Verify: matching certificate signature
/etc/apache2/ssl.crt/exaple.com-server.crt: OK

Figure 1.2: Customized SSL certificate.

As you can see from Figure 1.2 the defaults have been replaced with the appropriate data, if you now start your Apache web server with SSL you should be able to see your newly created certificate.