This article briefly describes how to create a valid, self-signed SSL certificate, as required by web servers, for example. Tested under Debian Wheezy.
To create the certificate, you must first make some changes to the OpenSSL config file:

    sudo vim /etc/ssl/openssl.cnf

    [...]
    [ CA_default ]
    [...]
    # Extension copying option: use with caution.
    copy_extensions = copy
    [...]
    [ v3_ca ]
    [...]
    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    subjectAltName = @alt_names
    [...]

Then add the following lines to the configuration file:
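
    # "sudo echo ... >> file" fails for non-root users because the redirection
    # is done by the calling shell; "sudo tee -a" appends with root rights.
    printf '\n[alt_names]\nDNS.1 = example.org\nDNS.2 = www.example.org\n' | sudo tee -a /etc/ssl/openssl.cnf > /dev/null
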
Now you can create the certificate:

    sudo mkdir /etc/ssl/local/
    # -x509 writes a self-signed certificate instead of a request,
    # -nodes leaves the private key unencrypted, -days 730 sets the validity
    sudo openssl req -new -x509 -sha256 -newkey rsa:2048 -days 730 -nodes \
        -keyout /etc/ssl/private/example.org.key -out /etc/ssl/local/example.org.pem
    # The key is not passphrase-protected, so restrict it to its owner
    sudo chmod 600 /etc/ssl/private/example.org.key

It’s important to enter the correct domain name when asked for the FQDN (fully qualified domain name) and in the “alt_names” section of the configuration file. Otherwise your client can’t connect later. The certificate is valid for two years.
You can view the details of the created certificate with the following command:

    openssl x509 -text -noout -in /etc/ssl/local/example.org.pem

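The procedure above as a self-contained check, added here as an example and not part of the original article: it builds a throwaway certificate from a private config file, so /etc/ssl/openssl.cnf stays untouched, and tests which host names appear as DNS entries in the subjectAltName. The function names, the temporary directory and the host mail.example.org are assumptions for illustration.

```shell
#!/bin/sh
# Added example: same request options and alt_names as in the article, but
# with a private config file in a temp directory (an assumption made here).

# make_cert DIR: write DIR/test.key and DIR/test.pem
make_cert() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = example.org
[ v3_ca ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.org
DNS.2 = www.example.org
EOF
    # umask 077 makes the unencrypted key owner-only from the moment it exists
    ( umask 077
      openssl req -new -x509 -sha256 -newkey rsa:2048 -days 730 -nodes \
          -config "$dir/openssl.cnf" \
          -keyout "$dir/test.key" -out "$dir/test.pem" 2>/dev/null )
}

# cert_has_dns CERT NAME: succeed only if NAME is an exact DNS entry in the
# subjectAltName (no wildcard matching is attempted)
cert_has_dns() {
    openssl x509 -noout -text -in "$1" |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

# key_mode FILE: print the permission string, e.g. -rw-------
key_mode() { ls -l "$1" | cut -c1-10; }

tmp=$(mktemp -d)
make_cert "$tmp"
# mail.example.org is a constructed negative case
for host in example.org www.example.org mail.example.org; do
    if cert_has_dns "$tmp/test.pem" "$host"; then
        echo "$host: listed"
    else
        echo "$host: NOT listed in the certificate"
    fi
done
echo "key permissions: $(key_mode "$tmp/test.key")"
rm -rf "$tmp"
```

To check the certificate created by the article's commands, call cert_has_dns with /etc/ssl/local/example.org.pem and each name your clients will use.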
You may find some additional OpenSSL commands here, for example how to create a certificate signing request (csr).