SSL TLS Self-Signed

A self-signed certificate is one where you sign the certificate yourself instead of having a certificate authority do it. This type of certificate is free and still gives you an encrypted SSL/TLS connection; however, you will get a browser warning saying the certificate itself isn't trusted. This is correct, as nobody else has vouched for the authenticity of the certificate.

We will now create our very own self-signed SSL certificate. First we need a server with Ubuntu 14.04 LTS installed. Afterwards we will also install Apache.

Now we will create the certificate, which will be valid for 1 year. The command to create it is:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysuperweb.key -out mysuperweb.crt

This has been replaced with the following command, which signs the certificate with SHA-2 (SHA-256):

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout mysuperweb.key -out mysuperweb.crt

To create the key with 4096 bits instead of 2048:

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:4096 -keyout mysuperweb.key -out mysuperweb.crt

To add the certificate's metadata (its subject) directly on the command line with -subj:

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:4096 -keyout mysuperweb.key -out mysuperweb.crt -subj "/C=GB/ST=London/L=London/O=mysuperweb/OU=Infrastructure Operations/CN=mysuperweb.co.uk"

If you do not pass -subj, it will ask you some questions regarding the certificate. They are as follows:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mysuperweb
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:mysuperweb.co.uk
Email Address []:

You can enter any information for the certificate, but the Common Name is very important, as it is what your website is identified by: enter the domain name of the website on which you wish to use your self-signed certificate. At the end of this, we will be presented with 2 files called:

mysuperweb.key and mysuperweb.crt

At this stage our self-signed certificate is ready. We now need to configure Apache to read the certificate. To do this, we will edit:

/etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

In this file we will change port 80 to port 443 for HTTPS. In essence this disables all plain HTTP requests on the server in favour of HTTPS. To keep things organised, we will keep the self-signed certificate in the Apache folder /etc/apache2/ssl. We will now add the self-signed SSL certificate to the Apache configuration with the following lines inside the VirtualHost block:

        SSLEngine on
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLCertificateFile /etc/apache2/ssl/mysuperweb.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mysuperweb.key

Now we have our self-signed SSL certificate and have configured apache2 to read it. There are still two more things we need to do. The first is to enable the Apache SSL module, which apache2 does not turn on by default. We can enable it by running the command:

a2enmod ssl

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart

The second and last thing is to restart Apache, as mentioned in the output above. Now we have a fully functional SSL certificate which has been self-signed. As mentioned, there will be a browser warning with this type of SSL certificate.
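As an added example (not code from the original post), the following Python script runs the page's openssl command non-interactively, serves the resulting certificate from a minimal TLS listener standing in for Apache, and connects twice with a browser-like verifying client: once trusting only the system CAs (the "not trusted" warning, surfaced here as OpenSSL verify error 18) and once with the self-signed .crt itself supplied as the trust anchor, which is the proper remedy rather than switching verification off. It assumes an `openssl` binary (1.1.1 or newer, for -addext) on PATH and adds a subjectAltName, which current browsers require alongside the Common Name.

```python
import os, socket, ssl, subprocess, tempfile, threading

DOMAIN = "mysuperweb.co.uk"  # the Common Name used on the page

def make_self_signed(directory, cn=DOMAIN, days=365):
    """The page's openssl command made non-interactive (-subj); -addext (OpenSSL 1.1.1+) adds the SAN browsers need."""
    key, crt = (os.path.join(directory, "mysuperweb." + e) for e in ("key", "crt"))
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-sha256", "-days", str(days),
                    "-newkey", "rsa:2048", "-keyout", key, "-out", crt,
                    "-subj", "/C=GB/ST=London/L=London/O=mysuperweb/CN=" + cn,
                    "-addext", "subjectAltName=DNS:" + cn],
                   check=True, capture_output=True)
    return key, crt

def serve(crt, key, ready, clients=2):
    """Minimal TLS listener standing in for Apache: TLS 1.2+, our cert and key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(crt, key)
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0)); srv.listen(clients); srv.settimeout(10)
        ready["port"] = srv.getsockname()[1]; ready["event"].set()
        for _ in range(clients):
            try:
                conn, _addr = srv.accept()
                with conn, ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # client disconnects right after the handshake
            except OSError:
                pass  # handshake aborted: the client refused our untrusted cert

def connect(port, cafile=None):
    """Browser-like client: verifies chain and hostname; cafile=None means system CAs only."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection(("127.0.0.1", port)) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=DOMAIN) as tls:
                cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]
                return ("trusted", cn)
        except ssl.SSLCertVerificationError as err:
            return ("untrusted", err.verify_code)  # 18: self-signed leaf certificate

def demo():
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        ready = {"event": threading.Event()}
        srv = threading.Thread(target=serve, args=(crt, key, ready), daemon=True)
        srv.start(); ready["event"].wait(10)
        results = (connect(ready["port"]), connect(ready["port"], cafile=crt))
        srv.join(10); return results
```

Calling demo() returns (('untrusted', 18), ('trusted', 'mysuperweb.co.uk')): the same certificate is rejected by a default-trust client and accepted once it is installed as a trust anchor, which is what a browser's "add exception"/import-certificate step does.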