Create an SSL Certificate (self-signed)

This little HowTo is based on Debian Wheezy but should work on other Linux distributions as well. For a quick and easy way to create a self-signed certificate, install the package ssl-cert. It provides OpenSSL with the correct user variables. Typically this package is already installed.

apt-get install ssl-cert

We want to configure the self-signed certificate for the server (e.g. apache2). As a location I recommend this one: /etc/ssl/www-default. To create this directory and change into it, run the following commands:

sudo mkdir /etc/ssl/www-default
cd /etc/ssl/www-default

First we should generate our private key. To create the key without a passphrase, remove the -des3 parameter. If a passphrase is set, it must be entered every time you use the key.
The last number specifies the size of the RSA key in bits. 4096 is okay for now, but keep in mind that technological progress can make this key length insecure.

openssl genrsa -des3 -out server.key 4096

Next we should generate a Certificate Signing Request (.csr file). This file is often needed for submissions to certificate authorities. The request is signed by the CA and a certificate is returned. As we are creating a self-signed certificate  When you run the command, a list of fields that need to be filled in will be displayed. The most important field is the "Common Name". Enter your domain name or your site's IP address here. The other fields should be filled in sensibly, because they may be displayed inside the certificate, which the user can see.

openssl req -new -key server.key -out server.csr

You can check the validity of your CSR file with the following command. There may also be some online tools on the web for checking your CSR file.

openssl req -noout -text -in server.csr

Now we want to create a new self-signed certificate. We can specify how long the certificate should remain valid. In order to do that you need to change the 365 to the number of days you prefer.

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

As output we get a fresh cert file: the signed X.509 certificate. Now we can go ahead and use this cert and key file for our server.
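
The three steps above as one non-interactive script, followed by a check that key, CSR and certificate really belong together. This is an added example, not part of the original HowTo: the function names, the use of a temporary directory instead of /etc/ssl/www-default, the sample Common Name and the 2048-bit demo key are assumptions, and the key is generated without -des3 so no passphrase prompt appears.

```shell
# make_selfsigned DIR CN [DAYS] [BITS]: the page's three openssl steps, without prompts.
# Function names, file layout and the sample CN are assumptions of this example.
make_selfsigned() {
    dir=$1 cn=$2 days=${3:-365} bits=${4:-4096}
    mkdir -p "$dir" || return 1
    (
        umask 077    # key, CSR and cert are created readable by the owner only
        cd "$dir" || exit 1
        # No -des3, so the key has no passphrase and file permissions are its only protection.
        openssl genrsa -out server.key "$bits" 2>/dev/null || exit 1
        # -subj supplies the Common Name instead of the interactive field prompts.
        openssl req -new -key server.key -subj "/CN=$cn" -out server.csr || exit 1
        openssl x509 -req -days "$days" -in server.csr -signkey server.key \
            -out server.crt 2>/dev/null || exit 1
    )
}

# Print the public key (PEM) carried by a .key, .csr or .crt file.
pubkey_of() {
    case $1 in
        *.key) openssl rsa  -in "$1" -pubout 2>/dev/null ;;
        *.csr) openssl req  -in "$1" -noout -pubkey ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
    esac
}

# Succeed only if all three files carry the same public key, the CSR's own
# signature verifies, and the certificate has not expired.
check_triplet() {
    k=$(pubkey_of "$1/server.key") || return 1
    [ -n "$k" ] || return 1
    [ "$k" = "$(pubkey_of "$1/server.csr")" ] || return 1
    [ "$k" = "$(pubkey_of "$1/server.crt")" ] || return 1
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server.crt" -noout -checkend 0 >/dev/null
}

# Demo in a throwaway directory with constructed values (2048 bits to keep it quick).
demo_dir=$(mktemp -d)
if make_selfsigned "$demo_dir" www.example.test 365 2048 && check_triplet "$demo_dir"; then
    echo "key, CSR and certificate match"
fi
rm -rf "$demo_dir"
```

Running check_triplet before restarting the web server catches the common mistake of pairing a certificate with a key it was not issued for.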