How to Create Self-signed SSL Certifcate using OpenSSL in Debian Etch and Ubuntu 8.04

What is SSL?

Secure Sockets Layer is an application-level protocol which was developed by the Netscape Corporation for the purpose of transmitting sensitive information, such as Credit Card details, via the Internet. SSL works by using a private key to encrypt data transferred over the SSL-enabled connection, thus thwarting eavesdropping of the information. The most popular use of SSL is in conjunction with web browsing (using the HTTP protocol), but many network applications can benefit from using SSL. By convention, URLs that require an SSL connection start with https: instead of http:.

What is OpenSSL?

OpenSSL is a robust, commercial-grade implementation of SSL tools, and related general purpose library based upon SSLeay, developed by Eric A. Young and Tim J. Hudson. OpenSSL is available as an Open Source equivalent to commercial implementations of SSL via an Apache-style license.

How SSL Work?

The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process.

Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop all of that traffic. Obviously, this can lead to problems, especially where security and privacy is necessary, such as in credit card data and bank transactions. The Secure Socket Layer is used to encrypt the data stream between the web server and the web client (the browser).

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server.

If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary--the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.

Original article can be found here: http://slacksite.com/apache/certificate.php

How to generate self-signed certificate?

This tutorial assumes you already installed Debian/Ubuntu Linux and Apache2 web server in your server.

Self-signed Certificate can be used for testing purposes only and should not be used in a production site. Self-signed certificates are not automatically accepted by a user's browser. Therefore, users are prompted by the browser to accept the certificate and create the secure connection.

Install the ssl-cert package

apt-get install ssl-cert

Create a directory called ssl inside your /etc/apache2/ directory.

mkdir /etc/apache2/ssl

Use this command to generate self-signed certificate

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

You can name the certificate whatever you like - I have chosen the name "apache.pem".
A simple ncurses dialogue will open asking various questions:

ssl certificate

Country:

ssl certificate

State or Province:

ssl certificate

Locality:

ssl certificate

Organisation Name:

ssl certificate

Organisational Unit Name:

ssl certificate

Host Name:

ssl certificate

and Email Address:

Enable Mod SSL

Now, lets enable the mod_ssl module
(For Debian only) Type this command:

echo "Listen 443" >> /etc/apache2/ports.conf

to tell Apache to accept SSL connections.

Ubuntu Hardy automatically generates the "Listen 443" in /etc/apache2/ports.conf once you enable the mod_ssl.

Listen 80

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

Sample of /etc/apache2/ports.conf in Ubuntu Hardy with mod_ssl enabled.

Then run this command to enable mod_ssl

a2enmod ssl
/etc/init.d/apache2 restart

Configuring your SSL Host

We are almost finished, the final step we need to do is to ensure that your virtual host, will accept SSL options. Just copy your default virtual host configuration and specify a different name. I used the name "secure" here.

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/secure

Edit the file

vi /etc/apache2/sites-available/secure

basically, you only need to add these couple lines in your configuration.

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

The secure host configuration will look like this:

NameVirtualHost *:443
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

Now edit your /etc/apache2/sites-enabled/000-default file and change these lines:

    NameVirtualHost *
    <VirtualHost *>

to

    NameVirtualHost *:80
    <VirtualHost *:80>

Finally, enable your secure host and restart your apache server...

a2ensite secure
/etc/init.d/apache2 restart

Done...
Sources:
https://help.ubuntu.com/community/OpenSSL
http://slacksite.com/apache/certificate.php
http://linuxadministration.us/2008/01/08/debianubuntu-apache2-php5-mysql-ssl/