Creating a Self-Signed Certificate (Linux Apache)

From Lianjapedia

Overview

A self-signed SSL certificate is a certificate that is signed by the person who created it rather than by a trusted certificate authority (CA). A self-signed certificate can provide the same level of encryption as a certificate signed by a trusted CA.

Self-signed certificates are typically used for testing or internal use. You should not use a self-signed certificate in production systems that are exposed to the Internet.

Free certificates from a trusted CA can be obtained from Let's Encrypt. The Certbot client can be used to carry out or assist in the process of getting and setting up the certificate.

See Also

Apache Module for Linux, Creating a Self-Signed Certificate (Windows IIS), ISAPI Extension for IIS, Lianja Server Manager on Linux, Lianja Server Manager on Windows, Progressive Web Apps

CentOS

The following packages are required:

$ sudo yum install mod_ssl openssl

See Apache Module for Linux for information on installing and configuring the Lianja module.

Create Certificate

Use the openssl req command to create a self-signed certificate:

Issue the command, e.g. for my site 'centos-8.lianja.local':

$ sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
-addext "subjectAltName = DNS:centos-8.lianja.local" \
-out localhost.crt -keyout localhost.key

Then enter the information at the prompts.

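Note: the '-addext "subjectAltName = DNS:<valid name>"' option must be included to allow the certificate to be subsequently imported into Chrome. Chrome matches the site name against the subjectAltName entries and ignores the Common Name.

See the openssl req manual page for full details of the command.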

Once the files have been created - here 'localhost.crt' and 'localhost.key' - copy them to the locations specified in the /etc/httpd/conf.d/ssl.conf file:

$ sudo cp localhost.crt /etc/pki/tls/certs
$ sudo cp localhost.key /etc/pki/tls/private

Then restart Apache:

$ sudo systemctl restart httpd

and make sure the Lianja Server is running:

$ sudo lianja-admin status

and start if not:

$ sudo lianja-admin start

Chrome

Pro Tip: Seeing unexpected results in your browser? It is always worth clearing your cache and reloading.

Loading your https site in Chrome will initially report a NET::ERR_CERT_AUTHORITY_INVALID error as the self-signed certificate is not issued by a trusted authority.

  1. Click the red triangle, then 'Certificate' to display the certificate.
  2. In the certificate 'Details' tab, click 'Export...'.
  3. Save it to a convenient location.
  4. Open Chrome Settings and search for 'cert'.
  5. Then click on 'Manage certificates'.
  6. Select the 'Authorities' tab and click 'Import'.
  7. Select the exported certificate file and click 'Open'.
  8. Check the box for 'Trust this certificate for identifying websites' and click 'OK'.
  9. Restart Chrome and reload your https site.

To set the start page to the Lianja login page (login.rsp), add the following to the /etc/httpd/conf.d/ssl.conf file:

<Location "/">
    Redirect permanent "/index.html" "/login.rsp"
</Location>

Ubuntu

See Apache Module for Linux for information on installing and configuring the Lianja module.

  1. Create a self-signed certificate using openssl
  2. Update the site configuration file with the location of the certificate files
  3. Import the certificate into Chrome

Create Certificate

Use the openssl req command to create a self-signed certificate:

Issue the command, e.g. for my site 'ubuntu20.lianja.local':

$ sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
-addext "subjectAltName = DNS:ubuntu20.lianja.local" \
-out devtest.crt -keyout devtest.key

Then enter the information at the prompts.

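Note: the '-addext "subjectAltName = DNS:<valid name>"' option must be included to allow the certificate to be subsequently imported into Chrome. Chrome matches the site name against the subjectAltName entries and ignores the Common Name.

See the openssl req manual page for full details of the command.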

Once the files have been created - here 'devtest.crt' and 'devtest.key' - copy them to an appropriate directory, e.g.

$ sudo mkdir /etc/apache2/ssl
$ sudo cp devtest.* /etc/apache2/ssl
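
Before pointing Apache at the copied files, it is worth confirming that the pair is usable. The script below is an added example, not part of the original page or of Lianja: it checks that the certificate carries the site name in subjectAltName, that the key belongs to the certificate, that the certificate has not expired, and that the unencrypted key (a consequence of -nodes) is not accessible to group or others. The script name check_cert.sh and the helper make_throwaway_cert are assumptions; it needs OpenSSL 1.1.1 or later and GNU stat.

```shell
#!/bin/sh

# Read a PEM public key on stdin, print its SHA-256 digest (hex only).
pubkey_digest() { openssl sha256 | awk '{print $NF}'; }

# check_cert_pair CERT KEY HOST: returns 0 only if every check passes.
check_cert_pair() {
    crt=$1; key=$2; host=$3; rc=0

    # 1. Chrome needs HOST as a DNS entry in subjectAltName (exact match
    #    only here; wildcard entries are not expanded).
    if ! openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null |
            tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$host"; then
        echo "FAIL: no subjectAltName DNS entry for $host" >&2; rc=1
    fi

    # 2. The key must be the one the certificate was created with.
    c=$(openssl x509 -in "$crt" -noout -pubkey | pubkey_digest)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | pubkey_digest)
    if [ "$c" != "$k" ]; then
        echo "FAIL: $key does not belong to $crt" >&2; rc=1
    fi

    # 3. The certificate must not have expired (-days 365 runs out).
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $crt has expired" >&2; rc=1
    fi

    # 4. -nodes writes the key unencrypted, so file mode is its only
    #    protection: nothing for group or others.
    case $(stat -c %a "$key") in
        *00) ;;
        *) echo "FAIL: $key is accessible beyond its owner" >&2; rc=1 ;;
    esac
    return "$rc"
}

# make_throwaway_cert DIR HOST (hypothetical helper): the page's command made
# non-interactive with -subj, short-lived, to try the checks on constructed input.
make_throwaway_cert() {
    openssl req -newkey rsa:2048 -x509 -sha256 -days 1 -nodes \
        -subj "/CN=$2" -addext "subjectAltName = DNS:$2" \
        -out "$1/test.crt" -keyout "$1/test.key" 2>/dev/null &&
        chmod 600 "$1/test.key"
}

# Usage: sh check_cert.sh CERT KEY HOST
if [ "$#" -eq 3 ]; then check_cert_pair "$@"; fi
```

For the files above, run it as: sudo sh check_cert.sh /etc/apache2/ssl/devtest.crt /etc/apache2/ssl/devtest.key ubuntu20.lianja.local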

Site Configuration File

Once the certificate has been created and the files are in your desired location, create or edit your site configuration file and add SSLCertificateFile and SSLCertificateKeyFile entries that point to the files.

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName lianja.local
    ServerAlias 192.168.80.136
    DocumentRoot /opt/lianja/cloudserver/tenants/public/wwwroot/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/devtest.crt
    SSLCertificateKeyFile /etc/apache2/ssl/devtest.key
    <Directory /opt/lianja/cloudserver/tenants/public/wwwroot/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <Location "/">
        Redirect permanent "/index.html" "/login.rsp"
    </Location>
</VirtualHost>

Note: the above virtual site configuration includes entries for the Directory to point to the Lianja wwwroot directory and a Redirect to load the Lianja login page if no page or the default index.html page is requested. See Apache Module for Linux for information on installing and configuring the module.

Chrome

Pro Tip: Seeing unexpected results in your browser? It is always worth clearing your cache and reloading.

Loading your https site in Chrome will initially report a NET::ERR_CERT_AUTHORITY_INVALID error as the self-signed certificate is not issued by a trusted authority.

  1. Click the red triangle, then 'Certificate' to display the certificate.
  2. In the certificate 'Details' tab, click 'Export...'.
  3. Save it to a convenient location.
  4. Open Chrome Settings and search for 'cert'.
  5. Then click on 'Manage certificates'.
  6. Select the 'Authorities' tab and click 'Import'.
  7. Select the exported certificate file and click 'Open'.
  8. Check the box for 'Trust this certificate for identifying websites' and click 'OK'.
  9. Restart Chrome and reload your https site.


Note: here the index page has been redirected to the Lianja login page. See the conf file above.