Let's start with "What is an SSL Certificate?"
SSL stands for Secure Socket Layer. SSL is a global standard technology that creates encrypted communication between web browsers and web servers. It helps to decrease the risk of losing your personal information (e.g passwords, emails, credit card numbers etc.).
To create this secure connection an SSL Certificate is used, which is installed on the web server. So, an SSL Certificate is a bit of code on your web server that provides security for your online communications. SSL certificates also contain identification information (i.e your organizational information).
SSL Certificates mainly serve two functions:
- Authenticates the identity of the servers (so that users know that they are not sending their information to the wrong server).
- Encrypts the data that is being transmitted.
Now, securing your application with an SSL certificate is extremely important. In most situations, we require a trusted certificate (generated by CA-Certification Authority), but there are many cases where you can use a self-signed certificate.
So, the next question comes is, "when to use a self-signed certificate?"
A self-signed certificate is a certificate that is signed by its own creator rather than a trusted authority. Self-signed certificates are less trustworthy since any attacker can create a self-signed certificate and launch a man in the middle attack.
Self-signed certificates can be used at places like:
- Personal sites with few visitors.
- During the development or testing phase of your application, you can use a self-signed certificate.
Never use a self signed certificate on applications that transfers valuable information like credit card numbers, bank account numbers, etc.
When using a self-signed certificate, visitors will see the following warning in their browser until the user permanently stores the certificate in their certificate store.
So, that's SSL certificates. Now let's see how to create one using OpenSSL.
Creating a Self-Signed Certificate Using OpenSSL
OpenSSL is a command line tool that is used for TLS (Transport Layer Security) and SSL (Secure Socket Layer) protocols.
Now let's create the certificate:
- Open your terminal (Linux).
- Run the following commands:
- openssl genrsa -des3 -out server.key 2048
- openssl req -new -key server.key -out server.csr
- openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The first command will generate a 2048 bit (recommended) RSA private key. After running the command it will ask for the passphrase. If you want to create a key without the passphrase you can remove the (-des3) from the command.
The second command generates a CSR (Certificate Signing Request). The CA will use the .csr file and issue the certificate, but in your case, you can use this .csr file to create your self-signed certificate. Once you run the command, it will prompt you to enter your country, company name, etc.
If you want to configure your certificate for localhost you can give 'localhost' in the Common Name field instead of the domain name.
The third command will create the self-signed x509 certificate suitable for use on a web server.
So this is how you can create a self-signed certificated. In my next blog, I will be explaining KeyStore generation in PKCS12 Format.
Enjoy ! :)
Further reading on DZone: