Creating a self-signed SSL certificate is a nice option when you need to run a quick HTTPS test for a web site. Let's take a look at how to make one.
I'll be using the OpenSSL toolkit. I'm on Windows, so the package can be taken from here: http://gnuwin32.sourceforge.net/packages/openssl.htm
The “openssl-0.9.8h-1-setup.exe” installer by default drops everything here: “C:\Program Files\GnuWin32\bin”. Or, if you are on a 64-bit OS, here: “C:\Program Files (x86)\GnuWin32\bin”.
The OpenSSL package comes with a default config file, openssl.cnf. It is located in the “share” folder, in my case here: “C:\Program Files\GnuWin32\share”. The config file holds important settings that are used to generate the certificate. We need to comment out the “attributes” parameter line, otherwise an error will be presented. I also set the default key length to 2048, but this one can be overridden with the command line parameters:
Now, navigate to the openssl.exe location: cd “C:\Program Files\GnuWin32\bin”. We will be doing everything from here.
So, normally you would generate your private key and a Certificate Signing Request (CSR) on your web server and send the CSR to a certificate authority, but here we'll be doing everything in one place.
Just to remind you, SSL uses a private/public key pair: data encrypted with one key can only be decrypted with the other key of the pair. So, the very first step is to create a private key:
openssl genrsa -out server.key 2048
The higher the bit length of your key, the higher the security level. A 2048-bit key is the minimum these days [1024 is not secure anymore]. Here’s how my Private key looks:
Obviously you should never show your private key to anyone 🙂
Next, we need a CSR. A Certificate Signing Request is an encrypted text that contains information that will be included in your certificate such as your organization name, common name, country, etc.
Run the command below and answer all the questions; pay attention to the Common Name, which must be your web server's address (host name):
openssl req -new -key server.key -out server.csr
We are almost there 🙂
There is one important thing missing: our created SSL certificate [with the public key] is separate from the private key. We need to combine both in a so-called PFX file. The PFX file is a PKCS#12 archive that contains a certificate [public key] and the corresponding private key, protected by a password. The PFX file is what IIS imports. So let's do it:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx
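The steps above, run end to end as one non-interactive script, as an added example that is not part of the original post. It fills in the signing step that produces server.crt (the post goes from the CSR straight to the PFX export, so the `openssl x509 -req -signkey` command here is an assumption: the standard way to self-sign a CSR with the same key), passes the subject and the PFX password on the command line instead of answering prompts, adds a subjectAltName because current browsers ignore the Common Name, and finishes with the checks a practitioner runs before importing the PFX. It assumes a POSIX shell (Git Bash or WSL on Windows) with `openssl` 1.1.1 or newer on PATH; the directory, the subject fields, the host name and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes a POSIX shell with
# openssl on PATH. File names, subject, host name and password are placeholders.

make_selfsigned_cert() {
    dir="$1"        # output directory
    cn="$2"         # Common Name: the web server's host name
    pfx_pass="$3"   # password protecting the private key inside the PFX
    mkdir -p "$dir" || return 1

    # 1. Private key: 2048-bit RSA, the minimum the post recommends.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1

    # 2. CSR. -subj answers the interactive questions; CN is the host name.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=Example Lab/CN=$cn" || return 1

    # 3. Self-sign the CSR with the same key, valid for one year (assumed step,
    #    not shown in the post). The subjectAltName extension is what browsers
    #    actually match against the host name.
    printf 'subjectAltName = DNS:%s\n' "$cn" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -extfile "$dir/server.ext" 2>/dev/null || return 1

    # 4. Bundle certificate + private key into a password-protected PKCS#12 (PFX).
    #    -passout avoids the interactive export-password prompt.
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -out "$dir/server.pfx" -passout "pass:$pfx_pass" || return 1
}

# Checks worth running before trusting the output.
check_selfsigned_cert() {
    dir="$1"; cn="$2"; pfx_pass="$3"

    # The certificate verifies against itself (it is its own trust anchor)
    # and is within its validity period right now.
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null || return 1
    openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null || return 1

    # The public key inside the certificate is the one derived from server.key;
    # a mismatch here means the PFX would be unusable.
    pub_from_key=$(openssl rsa -in "$dir/server.key" -pubout 2>/dev/null)
    pub_from_crt=$(openssl x509 -in "$dir/server.crt" -pubkey -noout)
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_crt" ] || return 1

    # The host name is present as a DNS SAN entry.
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$cn" || return 1

    # The PFX opens with the password (its MAC verifies) and holds the private key.
    openssl pkcs12 -in "$dir/server.pfx" -passin "pass:$pfx_pass" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || return 1
}

# Usage: make_selfsigned_cert ./out localhost changeit && check_selfsigned_cert ./out localhost changeit
```

The check function is the part most often skipped: a PFX built from a certificate and a key that do not belong together imports without complaint into some tools and only fails at TLS handshake time, so comparing the two public keys up front saves a confusing debugging session.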