Create a valid SSL certificate

Posted by Eric Scheibler at April 25, 2015

This article briefly describes how to create a valid, self-signed SSL certificate, such as a web server requires. Tested under Debian Wheezy.

To create the certificate you must perform some changes at the OpenSSL config file first:

sudo vim /etc/ssl/openssl.cnf
[...]
[ CA_default ]
[...]
# Extension copying option: use with caution.
copy_extensions = copy
[...]
[ v3_ca ]
[...]
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
subjectAltName = @alt_names
[...]

Then add the following lines to the configuration file:

# Note: with "sudo echo ... >> file" the redirection runs as your own user and
# fails on the root-owned file, so let tee append the lines as root instead.
sudo tee -a /etc/ssl/openssl.cnf <<'EOF'
[alt_names]
DNS.1 = example.org
DNS.2 = www.example.org
EOF

Now you can create the certificate:

sudo mkdir /etc/ssl/local/
sudo openssl req -new -x509 -sha256 -newkey rsa:2048 -days 730 -nodes \
    -keyout /etc/ssl/private/example.org.key -out /etc/ssl/local/example.org.pem
sudo chmod 600 /etc/ssl/private/example.org.key

It is important to enter the correct domain name both at the FQDN (fully qualified domain name) prompt and in the “alt_names” section of the configuration file; otherwise clients cannot connect later. The certificate is valid for two years.

You can view the details of the created certificate with the following command:

openssl x509 -text -noout -in /etc/ssl/local/example.org.pem
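As an added example (not from the original post), the same procedure wrapped in a shell function: it writes a throw-away OpenSSL config carrying the alt_names section instead of editing the system-wide /etc/ssl/openssl.cnf, creates the key and certificate with a restrictive umask, and then checks that the requested DNS names actually ended up in the subjectAltName extension. It assumes openssl is on PATH and the output directory is writable; the file and section names are my own.

```shell
#!/bin/sh
# Added example: self-signed certificate with subjectAltName entries from a
# per-certificate config file, plus a check that the SANs were really issued.
set -eu

# make_selfsigned OUTDIR CN [EXTRA_DNS ...]
# Writes OUTDIR/CN.key (mode 0600) and OUTDIR/CN.pem, valid for 730 days.
make_selfsigned() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir"
    cfg="$outdir/openssl-san.cnf"   # constructed, throw-away config
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_self\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[v3_self]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n'
        printf '[alt_names]\nDNS.1 = %s\n' "$cn"
        i=2
        for d in "$@"; do            # every extra argument becomes DNS.<n>
            printf 'DNS.%d = %s\n' "$i" "$d"
            i=$((i + 1))
        done
    } > "$cfg"
    # umask 077 so the private key is never world-readable, not even briefly
    (umask 077 && openssl req -new -x509 -sha256 -newkey rsa:2048 -days 730 -nodes \
        -config "$cfg" -keyout "$outdir/$cn.key" -out "$outdir/$cn.pem")
}

# san_has CERT NAME: succeed only if NAME is listed as a DNS SAN in CERT
san_has() {
    openssl x509 -noout -text -in "$1" | grep -qE "DNS:$2(,|\$)"
}
```

Because the config is passed with -config, the alt_names section does not have to live in the global openssl.cnf, and a different section can be generated for every certificate you issue.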

You may find some additional OpenSSL commands here, for example how to create a certificate signing request (CSR).