I'm not a security guru, but I'm writing this as a personal note. Normally, I'll have to pay some company to have my SSL certificate digitally signed for commercial uses. That's because people and businesses won't acknowledge or recognize my SSL certificate in transactions unless it is signed by a reputable company. However, I can create SSL certificates myself for personal / intranet use.
On Debian and Ubuntu systems, after the ssl-cert package is installed, an SSL certificate is automatically created at /etc/ssl/certs/ssl-cert-snakeoil.pem, and the corresponding key is created at /etc/ssl/private/ssl-cert-snakeoil.key. You can just distribute ssl-cert-snakeoil.pem to other peer machines to set up SSL connections.
To manually create your own SSL certificates, follow these steps. In this guide, we will use the arbitrary filenames my-site.key, my-site.crt and my-site.pem.
- Generate a public/private key pair (2048 bits is the minimum RSA key size considered secure today; 1024-bit keys are not):
openssl genrsa -out my-site.key 2048
- Generate a self-signed certificate:
openssl req -new -key my-site.key -x509 -days 3653 -out my-site.crt
- Generate the PEM file by just appending the key and certificate files:
cat my-site.key my-site.crt > my-site.pem
- The private key should be kept secret, so change the file permission.
chmod 600 my-site.key my-site.pem
You can distribute the certificate my-site.crt to the SSL client hosts that will connect securely to the SSL-enabled server, so that they can trust it. Do not distribute my-site.pem, because it also contains the private key. The server may need *.crt files from clients for proper client authentication.
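Before distributing my-site.crt, it is worth confirming that the files produced by the steps above are consistent. The following script is an added example, not part of the original note; the function name check_pair and its exit codes are made up for illustration, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post): verify a key/certificate pair.
# Usage: sh check-pair.sh my-site.key my-site.crt   (script name is hypothetical)

check_pair() {
    key=$1; crt=$2
    [ -r "$key" ] && [ -r "$crt" ] || { echo "cannot read $key or $crt"; return 2; }

    # 1. The public key derived from the private key must equal the one
    #    embedded in the certificate (both print as PEM SubjectPublicKeyInfo).
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || { echo "key and certificate do not match"; return 3; }

    # 2. Self-signed means subject and issuer are the same name.
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ] || { echo "not self-signed: issuer is $issr"; return 4; }

    # 3. -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "certificate expired"; return 5; }

    # 4. The private key must not be readable by group or others.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $mode in
        600|400) ;;
        *) echo "key mode is $mode, expected 600"; return 6 ;;
    esac

    echo "ok: $crt matches $key"
}

# Run the check when called with two arguments.
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

A non-zero exit status identifies the first check that failed, so the script can gate a deployment step.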