Making Self-Signed Digital Certificates
The need for TLS/SSL certificates may arise when developing server projects that need encryption, like the Apache web server on Debian-based or Red Hat-based Linux distributions, on the FreeBSD operating system, and the Home Assistant home automation system.
The following procedure shows how to create and install self-signed certificates, if acquiring them from a Certificate Authority (CA) is either too expensive or too complicated. It is important to keep in mind, however, that self-signing may be deemed UNTRUSTWORTHY in a production environment.
1. Create the certificate and key.
1.1. [OPTION A] One-step process, skipping the Certificate Signing Request (CSR).
user@host: $ openssl req -new -x509 -days 36500 -nodes -keyout server.key -out server.crt
1.2. [OPTION B] Separate CSR for submission to CAs, if planning to legitimize later on.
1.2.1. Generate keys for the CSR.
user@host: $ openssl genrsa -des3 -out server.key 2048
1.2.2. Generate the CSR.
user@host: $ openssl req -new -key server.key -out server.csr
1.2.3. Generate the certificate.
user@host: $ openssl x509 -req -days 36500 -in server.csr -signkey server.key -out server.crt
2. Install the certificate and key.
2.1. Linux
2.1.1. Debian-based distributions
user@host: $ sudo cp server.crt /etc/ssl/certs
user@host: $ sudo cp server.key /etc/ssl/private
2.1.2. Red Hat-based distributions
user@host: $ sudo cp server.crt /etc/pki/tls/certs
user@host: $ sudo cp server.key /etc/pki/tls/private
2.2. FreeBSD
2.2.1. Log in to "root". Regular users must be part of the "wheel" group in order to do this.
user@host: $ su
/* Instead of "su -", use "su" to remain in the current working directory. */
2.2.2. Copy the files to the Apache 2.4 configuration directory.
root@host: # cp server.crt /usr/local/etc/apache24
root@host: # cp server.key /usr/local/etc/apache24
2.2.3. Log out from "root".
root@host: # exit
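The checks below are an added example, not part of the original procedure: they confirm that a certificate and key such as server.crt and server.key belong together, that the certificate is self-signed, that the key file is unreadable by group and others, and that the certificate is not about to expire. The function names and the throwaway demo pair are assumptions made for illustration; the key must be unencrypted as in Option A, since a -des3 key from Option B prompts for its passphrase.

```shell
#!/bin/sh
# Added example: checks for a certificate/key pair such as server.crt and server.key.
# Function names are hypothetical; the demo pair below is constructed and throwaway.

# True when the certificate carries the public key derived from the private key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$crt_pub" = "$key_pub" ]
}

# True when the certificate verifies against itself, i.e. it is self-signed.
is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when the key file grants no permissions to group or others.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed demo input: a 30-day pair made with the Option A command, plus an
# unrelated, world-readable key that must fail the checks.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl req -new -x509 -days 30 -nodes -subj "/CN=demo.example.test" \
    -keyout "$demo/server.key" -out "$demo/server.crt" 2>/dev/null
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null
chmod 600 "$demo/server.key"
chmod 644 "$demo/other.key"

report() {  # usage: report <label> <command...>
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}
report "server.crt matches server.key" cert_matches_key "$demo/server.crt" "$demo/server.key"
report "server.crt is self-signed"     is_self_signed "$demo/server.crt"
report "server.key is owner-only"      key_is_private "$demo/server.key"
report "valid for 7 more days"         valid_for_days "$demo/server.crt" 7
report "other.key rejected (FAIL expected)" cert_matches_key "$demo/server.crt" "$demo/other.key"
```

To check an installed pair, call the same functions with the paths from step 2 in place of the demo files.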