Creating Self Signed Certificates

Have you ever created a self-signed certificate and then seen the following warning in the Apache error log?

[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

This usually means the certificate you configured as the server's SSL certificate is a CA certificate, one intended to sign other certificates, rather than a plain server certificate. The remainder of this document walks you through the correct steps for generating a self-signed server certificate. This guidance is based on the instructions provided by Heroku.

The openssl command-line tool is required to generate your own certificate. Run the following command in your local environment to see if you already have openssl installed.

$ which openssl
/usr/bin/openssl

If you have openssl installed, the first step is to generate a private key and certificate signing request.

# Generate an RSA private key (protected with a temporary passphrase)
$ sudo openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
# Remove the passphrase from the RSA private key so Apache can load it unattended
$ sudo openssl rsa -passin pass:x -in server.pass.key -out server.key
# Remove the passphrase-protected copy of the private key
$ sudo rm server.pass.key
# Create the certificate signing request
$ sudo openssl req -subj /C=US/ST=Virginia/L=Alexandria/O=IT/CN=www.openfisma.org -new -key server.key -out server.csr
# Self-signed certificate generated from the server.key private key and the server.csr request
$ sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
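To confirm the result before configuring Apache, here is an added shell example (not from the original post or Heroku's instructions) that checks a certificate for the CA:TRUE basicConstraints behind the warning above and confirms its public key matches the private key. It assumes the openssl CLI is on PATH and builds its own throwaway key and certificates; the file names and demo directory are ours.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the certificate produced
# above is a server (end-entity) certificate before pointing Apache at it.
# Assumes the openssl CLI is on PATH; file names and the demo directory are ours.
set -eu

# Returns 0 when the certificate has no "CA:TRUE" basicConstraints, so it will
# not trigger Apache's "server certificate is a CA certificate" warning.
is_server_cert() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        return 1
    fi
    return 0
}

# Returns 0 when the certificate's public key matches the private key
# (Apache also refuses to start when these do not belong together).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed demo data: two certificates for one key, written into $1.
#   good.crt - signed exactly like the last step above (no CA extension)
#   ca.crt   - same request, but with basicConstraints=CA:TRUE, which is
#              the kind of certificate that produces the warning
make_demo_certs() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -subj /C=US/ST=Virginia/L=Alexandria/O=IT/CN=www.openfisma.org \
        -new -key "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.key" \
        -out "$1/good.crt" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.key" \
        -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for crt in good.crt ca.crt; do
    if is_server_cert "$demo_dir/$crt"; then
        echo "$crt: server certificate, safe for SSLCertificateFile"
    else
        echo "$crt: CA certificate, will trigger the Apache warning"
    fi
done
rm -rf "$demo_dir"
```

Run `is_server_cert server.crt` and `key_matches_cert server.crt server.key` against the files from the steps above; both should succeed before you reference them from the Apache configuration.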