Generate your own free SSL certificate in Ubuntu

For my Passbook project I wanted it to work over a secure connection, however I did not want to pay the $50 to $500 per year that I would've needed to pay for a single site or wild card certificate. Therefore I decided to create my own.

Please note that before following this guide you need to know self signed certificates will cause error like messages to be shown to your website visitors because the browser cannot identify the certificate issuer (you). Also, while I did this on my Ubuntu server most of the commands will work as long as you have OpenSSL installed.

For this example I will generate a wild card certificate for my site: 24 Hour Apps; therefore all certificate related file names will be 24ha.

The first step to create a home for your certificate files; I did this in my root home directory. Then generate your RSA private key. The commands achieve this are:

mkdir ssl
cd ssl
openssl genrsa -des3 -out 24ha.key 1024

You will be asked a few questions. Fill them out as accurately as you can. You will also need to set a password for your private key. Please remember this as you will need to later on.

The next step is to generate your own certificate signing request. You can do this with:

openssl req -new -key 24ha.key -out 24ha.csr
You will be prompted to enter the password you typed before for your private key. Enter it and create your CSR.

The following step is optional and removes the password from your private key so that when you launch Apache with mod_ssl you do not get requested to type in a password. For servers with monitoring software that automatically restarts processes this is quite handy. The code for removing the password is:

cp 24ha.key 24ha.key.original
openssl rsa -in 24ha.key.original -out 24ha.key

Please note that your original key still exists and is now called 24ha.key.original.

We can now generate our SSL certificate with the command:

openssl x509 -req -days 365 -in 24ha.csr -signkey 24ha.key -out 24ha.crt
You will be promoted to answer more questions. The most important answer you give will be to the question "Common Name (e.g., YOUR name)", you need to enter your website address ie. or for wild card entries *

Now that we have our certificate we need to make it available to Apache. This part of the guide becomes more Ubuntu specific as other Linux distributions will have their Apache files located elsewhere. However, to give Apache access the first step is to copy the SSL files over and enable mode SSL. To do so type:

cd /etc/apache2/
mkdir ssl
cp ~/ssl/24ha.key .
cp ~/ssl/24ha.crt .
a2enmod ssl

Now we need to enter a virtual host entry for our SSL enabled domain. The following is an entry I have in the file /etc/apache2/sites-available/

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/24ha.crt
SSLCertificateKeyFile /etc/apache2/ssl/24ha.key
DocumentRoot /home/passbook/www/

<Directory /home/passbook/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all

Once you have created your virtual host entry restart Apache (using /etc/init.d/apache2 restart) and test your new secure site. For my example this is

If all went well you should see the Firefox's, or whatever browser you are using, message saying the secure connection has failed due to an unknown issuer. You will need to add an exception for the certificate before viewing the secure page. Adding the except is a 3 or 4 click process that is not very intuitive. However once it is done you can have cheap secure connections between your server and your web browser.


Bernardo said...

I think you are missing a command:

cd ssl

after the command

mkdir ssl

Otherwise, a quick and easy how-to - thanks!

roneiy said...

Hello Buddy,
I really liked your blog content, and i am big fan of internet business security.
I's just passing away from your blog and thought let me share you a great opportunity which i found couple of days before in a forum network.

Are you willing to attend a free seminar to get free ssl certificate?
If yes than click below, i know that you must like it.

Post a Comment