SSL is a secure protocol that establishes an encrypted communication channel between web servers and browsers. Its primary purpose is to prevent sensitive information from being exposed to or stolen by identity thieves or hackers. SSL certificates can cost a pretty penny to have signed for you by an SSL company. You don’t want to spend money doing this on your little test website, but you don’t want that website to be compromised either. Whatever can you do?
Is it possible to generate your own domain’s SSL certificate? You can! And it’s quite easy to do as well. In today’s post, I’ll show you how.
But let me first put it out there: it’s a VERY BAD IDEA if you intend to make your domain publicly available. Google doesn’t like self-signed certificates, and neither do a few virus scanners; they’ll warn visitors to your site not to trust your certificate (judging you before they even know you). It can also affect your SEO ranking, or how easily someone on the public internet can find your website if they do a search for it. So if your website is going to be a public website that you want to become popular, do it the way Google wants you to do it. And what they want is for you to get a reputable company to sign the SSL certificate for you (also make sure said certificate covers your subdomains; this article has more information on what subdomains are, as well as info on other points discussed above: https://victoriousseo.com/blog/seo-subdomain-vs-subdirectory/).
Ahh, the air’s more breathable now that the elephant’s out of the room! You’re still here? Good. Let’s proceed!
Let’s say you do need a self-signed SSL certificate for one of your domains and its subdomains, and you don’t feel like typing more than two commands. You’re in luck! First and foremost, find a cosy (and preferably organized) place for your certificates to live. I personally like to stick them in /data/ssl/certs/[domain]/[subdomain]/, but to each their own.
openssl req -new -nodes -keyout domain.key -out domain.csr
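This command generates both a domain server key and a certificate signing request, which you’ll need to generate your crt file in command #2. The -nodes option leaves the private key unencrypted on disk, so restrict who can read domain.key.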
It will ask you a bunch of questions. The important one is the “Common Name”, as it is the one that needs to match your domain.
For example, I set up a certificate for https://www.quotir.com, so I set the common name to “www.quotir.com”, hmmkay?
openssl x509 -req -days 365 -in domain.csr -signkey domain.key -out domain.crt
There you have it, your domain certificate will be valid for a year!
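Browsers now match the hostname against the certificate’s subjectAltName rather than the Common Name, so a certificate meant to cover a domain and its subdomains needs SAN entries. The script below is an added example, not from the original post: it wraps the two commands above, adds the SAN through an extension file, and checks the result; example.test, domain.ext and the function names are assumptions.

```shell
#!/bin/sh
# Added example: self-signed cert for a domain and its subdomains, with SAN.
# example.test and domain.ext are placeholders chosen for this sketch.

# make_selfsigned DOMAIN DIR: writes domain.key, domain.csr, domain.crt into DIR
make_selfsigned() {
    domain=$1; dir=$2
    # SAN entries: the bare domain plus a wildcard for first-level subdomains
    printf 'subjectAltName=DNS:%s,DNS:*.%s\n' "$domain" "$domain" \
        > "$dir/domain.ext" || return 1
    # Command #1 from the post, made non-interactive with -subj
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$domain" \
        -keyout "$dir/domain.key" -out "$dir/domain.csr" || return 1
    chmod 600 "$dir/domain.key" || return 1   # -nodes leaves the key unencrypted
    # Command #2 from the post, plus -extfile so the SAN ends up in the cert
    openssl x509 -req -days 365 -in "$dir/domain.csr" \
        -signkey "$dir/domain.key" -out "$dir/domain.crt" \
        -extfile "$dir/domain.ext" || return 1
}

# host_matches CERT HOSTNAME: succeeds if the cert is valid for HOSTNAME
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# key_matches CERT KEY: succeeds if CERT carries the public half of KEY
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# valid_for_days CERT N: succeeds if CERT is still valid N days from now
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo run in a scratch directory
demo=$(mktemp -d)
make_selfsigned example.test "$demo" \
    && host_matches "$demo/domain.crt" www.example.test \
    && key_matches "$demo/domain.crt" "$demo/domain.key" \
    && valid_for_days "$demo/domain.crt" 364 \
    && echo "certificate OK in $demo"
```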
As a bonus, here’s how I set up nginx to redirect all https traffic to http, using my shiny new self-signed SSL cert:
rewrite ^(.*) http://www.quotir.com$1 permanent;
And that’s about it. Having a self-signed SSL certificate is a great way to test out your own websites or to secure websites you have no intention of letting loose on the wild web. Happy Sysadmining, friends, and don’t be shy, say hello!