Creating a Self-Signed SSL Certificate on Ubuntu

SSL certificates are very cheap these days. If fact, certain Certificate Authorities will issue you a SSL certificate for free. You just have to fill out the application form.

There are, however, certain cases where you want to quickly issue a self-signed certificate. For instance, when you are testing a server, or running your own personal e-mail server. If that situation applies to you, read on.

Ubuntu comes pre-installed with a package called ssl-cert, which creates a private key and self-signed certificate in these locations:

/etc/ssl/private/ssl-cert-snakeoil.key
/etc/ssl/certs/ssl-cert-snakeoil.pem

So, if you are just looking for a self-signed certificate, you don't need to do anything else! But, if that's still not enough for you, read on.

To create your own, custom SSL certificate you have to use OpenSSL, which typically comes pre-installed on Ubuntu. You can verify with:

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

Running this command will generate a private key, and a self-signed certificate valid for 365 days:

$  openssl req -x509 -days 365 -newkey rsa:2048 -nodes -keyout personal.key -out personal.pem
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:admin@example.com

The generated private key is not encrypted, so make sure that only root has read access:

$ chown root:root personal.key && chmod 640 personal.key

That's it! You can now copy personal.key and personal.pem to /etc/ssl/private/ and /etc/ssl/certs/ respectively, and use them in your configuration files.