From charlesreid1


WARNING: These instructions are old, this Digital Ocean tutorial is recommended instead: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-20-04

Installing

Prerequisites

In order to create your own SSL certificate, you'll need OpenSSL installed on your machine.

Creating a Certificate Authority

Typically, a company pays a public Certificate Authority (CA) a fee, and in return the CA signs a certificate for that company's website, giving it an "official" SSL certificate.

A signed certificate is one that a CA vouches for. Browsers and other clients ship with a list of CAs they trust, and they check the CA's signature on the server certificate before accepting the server's public key; that is what lets a client know it has a secure connection to the right server and not to an impostor. The encryption itself works with any certificate, trusted or not.

Here we will create our OWN certificate authority and sign the server certificate with it. Strictly speaking only the CA certificate is self-signed; the server certificate is signed by that CA. No client trusts our CA out of the box, so browsers will warn until the CA certificate (demoCA/cacert.pem below) is imported into their trust store.

To create a new CA (the path to CA.pl depends on how OpenSSL was installed; on Debian/Ubuntu it is /usr/lib/ssl/misc/CA.pl). The script creates a demoCA/ directory under the current working directory and prompts for a passphrase for the CA key and for the CA's distinguished name:

$ /usr/local/ssl/misc/CA.pl -newca

If you want to go back and change something about the CA certificate (e.g. the number of days it is valid), you can re-sign it with the same CA key. This writes a new self-signed CA certificate valid for 1024 days from now; the second command overwrites the original in demoCA:

$ openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey demoCA/private/cakey.pem
$ cp cacert.pem demoCA

Generating the Server Certificate

This creates the server's private key (FOO-key.pem) and a certificate signing request, or CSR (FOO-req.pem). The request is what the CA (normally someone like Verisign, but in this case YOU) signs to produce the server certificate; it is not a certificate yet, so the "-days 3650" below has no effect. The validity period is fixed when the CA signs, by default_days in openssl.cnf or by "-days" on "openssl ca".

The "-nodes" option writes the private key unencrypted, so the web server can start without asking for a passphrase at each reboot. The trade-off is that anyone who can read the file has the key: keep it owned by root with mode 600.

$ openssl req -new -nodes \
  -subj '/CN=mydomain.com/O=Blah blah blah/C=US/ST=State/L=Place/emailAddress=username@somewhere.com' \
  -keyout FOO-key.pem -out FOO-req.pem -days 3650

Note above that "/O=Blah blah blah" (the organization, letter O, not zero) must match the organization given in the original CA exactly. The default openssl.cnf signs with the policy_match policy, which requires the country (C), state (ST) and organization (O) in the request to match the CA certificate; for example "/O=blahblahblah." will be rejected. The common name and email address may differ, and a field the policy does not list at all, such as the locality (L), is silently dropped from the issued certificate.

Signing the Server Certificate

Once you've created the request, it's time to sign it using the certificate authority power we granted ourselves. Run this from the directory that contains demoCA/ (the default openssl.cnf expects it there); it asks for the CA key's passphrase and for confirmation before signing and committing the new entry to the CA database. "-infiles" must be the last option on the line, because everything after it is taken as a file name:

$ openssl ca -out FOO-cert.pem -infiles FOO-req.pem
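The three steps above (create the CA, create the server key and request, sign the request) as one runnable script. This is an added example, not the wiki's own commands: it replaces CA.pl with a small self-contained openssl.cnf so it runs from any scratch directory and never prompts, and it also shows the policy_match rejection described above by submitting a second request whose organization differs only by a trailing dot. The scratch directory, file prefixes (FOO, BAR), subject fields and DNS names are assumptions; only "openssl" on the PATH is required.

```shell
#!/bin/sh
# Added example (not the wiki's own commands): the whole procedure above
# without CA.pl, driven by a small self-contained openssl.cnf.  Paths,
# file prefixes, subject fields and DNS names are illustrative assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)
CADIR="$WORK/demoCA"           # same layout that CA.pl -newca creates
CFG="$WORK/openssl.cnf"

write_config() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts"
    : > "$CADIR/index.txt"         # CA database, initially empty
    echo 01 > "$CADIR/serial"      # next serial number
    # [policy_match] is why the CSR's C, ST and O must equal the CA's;
    # subject fields not listed in the policy are dropped from the cert.
    cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
database        = $CADIR/index.txt
new_certs_dir   = $CADIR/newcerts
serial          = $CADIR/serial
certificate     = $CADIR/cacert.pem
private_key     = $CADIR/private/cakey.pem
default_days    = 3650
default_md      = sha256
policy          = policy_match
x509_extensions = server_ext

[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
localityName        = optional
commonName          = supplied
emailAddress        = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:mydomain.com,DNS:www.mydomain.com
EOF
}

make_ca() {
    # Self-signed CA certificate and key, as CA.pl -newca would produce.
    # -nodes only so this runs unattended; encrypt a real CA key.
    openssl req -x509 -config "$CFG" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 1024 \
        -subj '/CN=Example Private CA/O=Blah blah blah/C=US/ST=State/L=Place' \
        -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" 2>/dev/null
    chmod 600 "$CADIR/private/cakey.pem"
}

make_csr() {   # $1 = file prefix, $2 = organization (O) to put in the CSR
    # Server key plus CSR.  No -days here: the CA decides the validity.
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=mydomain.com/O=$2/C=US/ST=State/L=Place/emailAddress=username@somewhere.com" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1-req.pem" 2>/dev/null
    chmod 600 "$WORK/$1-key.pem"
}

sign_csr() {   # $1 = file prefix; succeeds only if a certificate was written
    rm -f "$WORK/$1-cert.pem"
    openssl ca -config "$CFG" -batch -notext \
        -in "$WORK/$1-req.pem" -out "$WORK/$1-cert.pem" 2>"$WORK/$1-ca.log" || true
    [ -s "$WORK/$1-cert.pem" ]     # on a policy failure the reason is in $1-ca.log
}

verify_cert() {   # 0 only if $1-cert.pem chains to our CA
    openssl verify -CAfile "$CADIR/cacert.pem" "$WORK/$1-cert.pem" >/dev/null 2>&1
}

cert_text() {     # human-readable dump, e.g. cert_text FOO | grep DNS:
    openssl x509 -in "$WORK/$1-cert.pem" -noout -text
}

write_config
make_ca
make_csr FOO 'Blah blah blah'    # O matches the CA's: signed
sign_csr FOO
verify_cert FOO
echo "FOO-cert.pem: OK (files in $WORK)"
make_csr BAR 'blahblahblah.'     # O differs by a dot: rejected by policy_match
if sign_csr BAR; then echo "BAR signed (unexpected)"; else echo "BAR rejected, see $WORK/BAR-ca.log"; fi
```

The config adds what modern clients insist on and the bare commands above omit: a subjectAltName on the server certificate (browsers ignore CN) and CA:TRUE on the CA certificate. Because "-batch" is used the CA key is created without a passphrase; for anything beyond a test setup, drop "-nodes" from make_ca and accept the prompt, as CA.pl does.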