Self Signed SSL Certificates
March 16th, 2009 Posted in Security

I’ve been trying to figure out how to get an SSL certificate on the cheap. I mean, 300+ dollars per year is a little ridiculous to get an encrypted pipe between client and server. You see, I don’t really care if my identity is confirmed. I know what server I’m connecting to (that is, unless you hack me because I just told you that).
Anyway, there is an open source project called (go figure) OpenSSL. OpenSSL is an SSL/TLS toolkit that happens to be free for commercial and non-commercial use. It can produce a self-signed certificate, which is not generally recommended for production, public-facing sites (you’ve been warned). For me, however, it works perfectly. And there’s even a version for Windows. Now, the cool thing about this is it will create a private key using any of several algorithms (RSA among them), it will create your certificate signing request (if you’re well-to-do and can afford a real one), and it will even create a self-signed “test” certificate (which is what I wanted).
So, I downloaded the 64-bit version for Windows. When you’re done (use the defaults – they work just fine), open a command prompt, browse to your OpenSSL installation folder (C:\OpenSSL by default) and type:
openssl
You’ll be at a prompt that looks like “OpenSSL>”. Once you’re here, you’re ready to create your private key and your certificate. In my case, the following command works perfectly. It creates a private key and a certificate all at once. If you’re going to buy a certificate instead, the procedure is slightly different: create a private key and a certificate signing request (the same req command without -x509, with -out naming the request file), submit that request to the certificate vendor, and then install the certificate they send back into whatever program(s) require it. But, I digress – the command:
OpenSSL> req -new -newkey rsa:1024 -days [DAYS] -nodes -x509 -keyout www.example.com.pem -out www.example.com.pem
You’ll then be walked through a series of prompts (country, organization name, common name, email, etc.). The above command creates a 1024-bit RSA private key and then, because of -x509, writes a self-signed certificate directly instead of a certificate signing request. Two security caveats on the switches: 1024-bit RSA was the norm in 2009 but is now considered too weak (current browsers and NIST guidance reject it), so use rsa:2048 or larger; and -nodes writes the private key to disk unencrypted, so make sure that file is readable only by the account that needs it. The certificate will expire after the number of days you set via the [DAYS] variable. The -keyout switch tells OpenSSL where to write your private key and the -out switch tells it where to write your certificate; in the command above both point at “www.example.com.pem”, so the key and the certificate end up in the same file. Now, I’ll state the obvious and recommend that you use different file names (e.g. www.example.com.key.pem and www.example.com.cert.pem), since most servers expect the key and the certificate as separate files anyway. Both files are written to the folder you started from (C:\OpenSSL by default).
Now, the one caveat I will offer is this: this self-signed certificate is not trusted by anyone. Internet Explorer, Firefox, Outlook, Safari, etc. will all flag it as coming from an unknown issuer. For me, that’s okay. For someone else, think about it first. You can get around the constant “this certificate is not valid” prompts by importing the certificate into the Trusted Root Certification Authorities store in Windows’s Certificate Manager (certmgr.msc); Firefox keeps its own certificate store, so it needs a separate import there. Be clear about what that import means, though: with OpenSSL’s default configuration, req -x509 marks the certificate as a CA (basicConstraints CA:true), so a machine that trusts it as a root will also trust any certificate signed with its private key, for any site. Guard the key file accordingly, and install the certificate only on machines that really need it.
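Here is the same recipe as a script, with the fixes described above applied: a 2048-bit key, a Subject Alternative Name (modern browsers match the host against the SAN, not the CN), key and certificate in separate files, and a check for the CA flag that matters when you import the certificate as a trusted root. This is an added example and not code from the original post; it assumes the openssl binary is on PATH and is version 1.1.1 or newer (for -addext and -ext), and the host name, validity period and output directory are parameters I chose for illustration. The openssl subcommands are the same ones you would type at the “OpenSSL>” prompt on Windows.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: openssl >= 1.1.1 on PATH.
# Host name, validity (days) and output directory are illustrative parameters.

# make_self_signed HOST DAYS [OUT_DIR]
# Writes OUT_DIR/HOST.key.pem and OUT_DIR/HOST.cert.pem and prints both paths.
make_self_signed() {
    host="$1"
    days="$2"
    out="${3:-.}"
    key="$out/$host.key.pem"
    cert="$out/$host.cert.pem"

    # -newkey rsa:2048  1024-bit RSA is no longer accepted by browsers
    # -x509             emit a self-signed certificate instead of a CSR
    # -nodes            leave the key unencrypted (so restrict permissions below)
    # -subj             answer the subject prompts non-interactively
    # -addext           add a SAN; browsers ignore the CN for host matching
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days "$days" -nodes \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$key" -out "$cert" 2>/dev/null || return 1

    chmod 600 "$key"   # the key sits in plaintext on disk: owner-only access
    printf '%s\n%s\n' "$key" "$cert"
}

# cert_subject CERT: prints the subject line, e.g. "subject=CN = www.example.com"
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# cert_is_ca CERT: succeeds when the certificate carries basicConstraints CA:TRUE,
# i.e. a machine trusting it as a root also trusts anything signed with its key.
cert_is_ca() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# verify_self_signed CERT: what a client does once told to trust exactly this
# certificate: build the chain with the certificate itself as the only anchor.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: generate, then report on the result.
# make_self_signed www.example.com 365 /tmp/certs
# cert_subject /tmp/certs/www.example.com.cert.pem
# cert_is_ca /tmp/certs/www.example.com.cert.pem && echo "marked as a CA"
# verify_self_signed /tmp/certs/www.example.com.cert.pem && echo "trusted when pinned"
```

The verify step is the useful one for the “I don’t care about identity, just encryption” use case: instead of adding the certificate to a system-wide root store, a client that can be pointed at a CA file (curl, wget, most HTTP libraries) can be given just this one certificate, which limits the blast radius if the key is ever lost. If cert_is_ca reports a CA flag and you still want the certificate in a root store, keep the key file as tightly controlled as you would any CA key.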
Now you know.