![\"Create](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/07\/1-2.jpg\")
<\/p>\n
Why Create a Self-Signed Certificate on Ubuntu?<\/h2>\n
Once you create a self-signed certificate on Ubuntu, SSL\/TLS encryption will protect your data transfer and prevent sensitive data exposure, in addition to ensuring that the connection is between the correct entities by cryptographically verifying that you\u2019re connecting with an authentic server, and that the messages have not been interfered with while being transferred.<\/p>\n
Note:<\/strong> From now on we will refer to SSL\/TLS certificates as simply \"SSL certificates\" for brevity.<\/p>\n To create a self-signed certificate on Ubuntu, you'll need to use OpenSSL to generate a private key and a self-signed certificate, specifying the required details like the certificate's validity period and your organization's information. Next, you'll save the key and certificate files in a secure location, and then use it in your Apache or Nginx server configuration.<\/p>\n If generating a self-signed SSL certificate sounds daunting, we've got you covered. Our 1-Click VPS applications<\/a> (WordPress<\/a>, phpMyAdmin<\/a>, LAMP<\/a>, and LEMP<\/a>, and many others) come with a pre-installed self-signed SSL certificate. Just a few clicks and you're ready to go! Visit our website<\/a> to get started with the lowest-cost VPS offerings in the world (self-signed certificates included)!<\/p><\/blockquote>\n To create a self-signed certificate on Ubuntu, you will use OpenSSL to generate a certificate file that will store some basic information about your site, accompanied by an SSL private key file that will be kept secret in the server, and the server then will use it to securely handle encrypted data.<\/p>\n OpenSSL is a software library that provides tools for general-purpose cryptography and secure communications.<\/p>\n The private SSL key is used by the server to encrypt the content it sends to clients (e.g., web browser) The public SSL certificate is shared publicly with clients requesting the content. So when you request a page, the browser gets the SSL certificate from the server, and uses it to decrypt and access the content signed by the associated private SSL key.<\/p>\n The first step to obtaining an SSL certificate is using OpenSSL to create a certificate signing request (CSR). In normal cases, the CSR will be sent to the Certificate Authority (CA) which in turn will create a certificate based on it. In our case (self-signed certificate), we will create the certificate ourselves based on this CSR we generate using OpenSSL. The CSR contains the common name(s) you want your certificate to secure, information about your company, and your public key.<\/p>\n Note:<\/strong> In order for a CSR to be created, it needs to have a private key from which the public key is extracted. This can be done by using an existing private key or generating a new private key. It is strongly recommended to generate a new private key when creating a CSR instead of using an existing one.<\/p>\n To create a certificate signing request (CSR) and a private key with the Here is what each part of the preceding command means:<\/p>\n Now that you are familiar with the In our example, this means that the following files will be generated:<\/p>\n Now that you have your very own self-signed SSL certificate in the form of a CSR file, you can use it to encrypt your data and serve HTTPS requests. To do so, you need to configure your web server to use it. In this step, you\u2019ll learn how to configure and use your self-signed SSL certificate on the two most popular HTTP web servers: Apache, and Nginx.<\/p>\n In this section, you\u2019ll learn how to configure the Apache web server to use your self-signed SSL certificate.<\/p>\n First, open Apache\u2019s default configuration file:<\/p>\n By default, your Apache welcome page loads on port 80 without an SSL certificate.<\/p>\n Your Apache\u2019s default configuration will be similar to the following:<\/p>\n Replace the existing content with the following configuration, and make sure to set the correct values where needed (highlighted in yellow<\/mark> below):<\/p>\n Here you add two configurations, one for HTTP connections on port 80, and one for HTTPS on port 443.<\/p>\n In the HTTP configuration, you use the In the Apache SSL virtual host example configuration above, you set the Next, use the Next, test for configuration errors:<\/p>\n You should receive an output that contains the text Next, restart Apache:<\/p>\n Now visit your website\u2019s domain name or IP address using You should see an error telling you that the website is not secure. This means that the self-signed certificate is properly installed, but because the browser does not recognize your certificate as valid, you\u2019ll receive this error. As we\u2019ve mentioned earlier, this self-signed certificate is only for testing purposes and internal use, and not to secure your website for production, because your certificate is not signed by any of the browser\u2019s known certificate authorities. To install a certificate that browsers trust check out this article.<\/p>\n Now that you\u2019ve learned how to configure Apache to use a self-signed certificate, you\u2019ll see how to do the same with an Nginx server.<\/p>\n In this section, you\u2019ll learn how to configure the Nginx web server to use your self-signed SSL certificate.<\/p>\n First, open Nginx's default configuration file:<\/p>\n By default, your Nginx welcome page loads on port 80 without an SSL certificate. So, you would see something similar to the following configuration:<\/p>\n Replace the existing content with the following configuration, and make sure to set the correct values where needed (highlighted in yellow<\/mark> below):<\/p>\n Here, you have two server blocks<\/em> representing configuration for two ports: port Notice that, in the HTTP configuration, you use the In the HTTPS configuration, you set up Nginx to use SSL and set the path of the self-signed SSL certificate file and the SSL private key file you generated earlier. In the With the configuration file modified, check for syntax errors in it using the following command:<\/p>\n The output should let you know that the configuration file test is successful. Now visit your website\u2019s domain name or IP address using Again, you should see an error telling you that the website is not secure, as this self-signed certificate is only for testing purposes and internal use, and not to secure your website for production, because your certificate is not signed by any of the browser\u2019s known certificate authorities. Again, to install a certificate that browsers trust check out this article.<\/p>\n Before you verify that your self-signed SSL certificate works, please check the following:<\/p>\n On receiving the browser error that tells you that the connection is not secure, click the Advanced<\/strong> button or More information<\/strong> depending on the browser, and choose to proceed. The following is an example of the error in the Google Chrome browser:<\/p>\n <\/p>\n Once you proceed, your browser will load the Apache or Nginx welcome page, but with a noticeable danger icon and a Not Secure<\/strong> label at the beginning of your URL.<\/p>\n If you click the danger icon, the browser will inform you that the certificate is not valid:<\/p>\n Here is the Apache welcome page with a self-signed SSL certificate:<\/p>\n <\/p>\n In the pop-ups above, click on \u201cCertificate is not valid\u201d<\/strong> for more details on the self-signed certificate. (Note the 1-year duration, we\u2019ve declared using the Although this sounds like something has gone wrong, don't worry! This is how you verify that the self-signed certificate is successfully installed!<\/p>\n To avoid this error and install a trusted certificate check out this article<\/strong>.<\/p>\n Your website has become certified with a self-signed certificate, and you can now securely transfer data through HTTPS<\/a>, and protect your internal<\/em> traffic.<\/p>\n If generating a self-signed SSL certificate sounds too complex, we've got you covered. Our 1-Click VPS applications<\/a> (WordPress<\/a>, phpMyAdmin<\/a>, LAMP<\/a>, and LEMP<\/a>, and many others) come with a pre-installed self-signed SSL certificate. Just a few clicks and you're ready to go! Visit our website<\/a> to get started with the lowest-cost VPS offerings in the world (self-signed certificates included)!<\/p><\/blockquote>\n To renew a self-signed certificate, generate a new certificate with updated validity. For Apache or Nginx on Ubuntu, use OpenSSL to create a new key and certificate.<\/p>\n Update the configuration files of your web server to use the new certificate and restart the server to apply the changes.<\/p>\n To remove a self-signed certificate, delete the certificate and key files from your server, then\u00a0update your web server's configuration files to remove references to the deleted certificate and restart the server.<\/p>\n Firefox does not trust self-signed certificates by default because they are not issued by a recognized Certificate Authority (CA). To bypass this, you can manually add the self-signed certificate to Firefox's trusted certificates:<\/p>\n Self-signed certificates and CA (Certificate Authority) certificates both provide encryption for your website, but they differ significantly in terms of trust and validation.<\/p>\n Secure your Ubuntu 24.04 server with a self-signed SSL certificate for Apache or Nginx. Follow our guide to generate and configure SSL for encrypted traffic.<\/p>\n","protected":false},"author":15,"featured_media":10212,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[18,30],"tags":[202,200,201,185],"class_list":["post-9963","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","category-tutorials","tag-ca-ssl","tag-https","tag-self-signed-ssl","tag-ubuntu"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/posts\/9963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/comments?post=9963"}],"version-history":[{"count":41,"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/posts\/9963\/revisions"}],"predecessor-version":[{"id":12919,"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/posts\/9963\/revisions\/12919"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/media\/10212"}],"wp:attachment":[{"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/media?parent=9963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/categories?post=9963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ssdnodes.com\/wp-json\/wp\/v2\/tags?post=9963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}How to Create a Self-Signed Certificate on Ubuntu<\/h2>\n
(Special Offer) - Simplify Your SSL Setup with Our 1-Click VPS Applications<\/h3>\n
Step 1 - Using OpenSSL to Generate a Self-Signed Certificate<\/h2>\n
![\"Create](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/07\/How-to-Create-a-Self-Signed-Certificate.png\")
<\/p>\nopenssl<\/code> library, you will use the openssl req<\/code> command with the following command structure:<\/p>\nopenssl req -x509 -newkey rsa:<rsa_value> -nodes -out <public certificate path> -keyout <private key path> -days <certificate duration in days> -subj \"C=<country code>\/O=<organization name>\/OU=<organizational unit>\/CN=<common name>\"<\/code><\/pre>\n\n
-x509<\/code>: A multi-purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a \"mini CA\" or edit certificate trust settings.<\/li>\n-newkey<\/code>: Specifies that a new private key should be created with the certificate request.<\/li>\n-rsa:<\/code>: The encryption algorithm you\u2019ll use to generate your key. While you can use other encryption algorithms if you want, RSA is one of the best encryption systems that you can use to protect your data in transmission, especially because it comes with great compatibility. <rsa_value><\/code>\u00a0represents the key size in bits.<\/li>\n-nodes<\/code>: is not the English word \"nodes\", it refers, instead, to \"no DES\". When given as an argument, it means OpenSSL will not encrypt the private key in a PKCS#12 file, and the private key will not have a passphrase. This is important for the web server to have access to the certificate file without needing a passphrase. Otherwise the server would wait for the user to manually enter the passphrase every time the server restarts, which is not convenient.<\/li>\n-out<\/code>: defines the path the public key will be generated to, including the filename.<\/li>\n-keyout<\/code>: defines the path the private key will be generated to, including the filename.<\/li>\n-days<\/code>: The certificate\u2019s lifetime in days.<\/li>\n-subj<\/code>: is used to provide all the necessary information within the command itself, instead of having to provide each required piece of information via command line prompts.\n\n
C<\/code> defines the two-letter country code where your company is legally located.<\/li>\nO<\/code> defines the organization\u2019s name.<\/li>\nOU<\/code> defines the organizational unit name, which can be the name of your department within the organization.<\/li>\nCN<\/code> is the common name, where you either enter the fully-qualified domain name (FQDN) you\u2019ll use to access the server by (e.g., www.example.com), or the public IP of the server.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\nopenssl<\/code> command options and actions, you can form and execute an openssl<\/code> command to generate a certificate signing request (CSR) as follows:<\/p>\nsudo openssl req -x509 -newkey rsa:4096 -nodes -out \/etc\/ssl\/certs\/ssl-selfsigned.pem -keyout \/etc\/ssl\/private\/ssl-selfsigned.key -days 365 -subj \"\/C=US\/O=MyCompany\/OU=Technical Department\/CN=www.example.com\"<\/code><\/pre>\n![\"OpenSSL](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/06\/openssl-output.webp\")
\nThis command will generate two files automatically created under the respective subdirectories you\u2019ve declared:<\/p>\n\n
\/etc\/ssl\/private\/<\/code>: will be the location of the SSL private key file.<\/li>\n\/etc\/ssl\/certs\/<\/code>: will be the location of your CSR file.<\/li>\n<\/ul>\n\n
\/etc\/ssl\/private\/ssl-selfsigned.key<\/code>: your SSL private key file.<\/li>\n\/etc\/ssl\/certs\/ssl-selfsigned.pem<\/code>: your CSR file, which you can use as a self-signed certificate.<\/li>\n<\/ul>\nStep 2 - Configuring Apache and Nginx to Use a Self-Signed Certificate<\/h2>\n
Creating a Self-Signed SSL Certificate For Apache on Ubuntu<\/h3>\n
![\"Self-Signed](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/07\/3-1.jpg\")
<\/p>\nsudo nano \/etc\/apache2\/sites-enabled\/000-default.conf<\/code><\/pre>\n<VirtualHost *:80>\r\n Define servername www.example.com<\/mark>\r\n ServerName ${SERVERNAME}\r\n ServerAdmin webmaster@localhost\r\n DocumentRoot \/var\/www\/html\r\n<\/VirtualHost><\/code><\/pre>\n<VirtualHost *:80>\r\n Define servername www.example.com<\/mark>\r\n ServerName ${SERVERNAME}\r\n RewriteEngine on\r\n RewriteRule ^\/.*$ https:\/\/\\${SERVERNAME}%{SCRIPT_FILENAME}?%{QUERY_STRING} [R=301]\r\n ErrorLog ${APACHE_LOG_DIR}\/error.log\r\n CustomLog ${APACHE_LOG_DIR}\/access.log combined\r\n<\/VirtualHost>\r\n<VirtualHost *:443>\r\n SSLEngine On\r\n SSLCertificateFile \/etc\/ssl\/certs\/ssl-selfsigned.pem<\/mark>\r\n SSLCertificateKeyFile \/etc\/ssl\/private\/ssl-selfsigned.key<\/mark>\r\n ServerName ${SERVERNAME}\r\n DocumentRoot \/var\/www\/html\r\n ErrorLog ${APACHE_LOG_DIR}\/error.log\r\n CustomLog ${APACHE_LOG_DIR}\/access.log combined\r\n<\/VirtualHost><\/code><\/pre>\nRewriteEngine<\/code> and RewriteRule<\/code> to redirect HTTP requests to HTTPS. And you also set locations for log files.<\/p>\nSSLEngine<\/code> directive to On<\/code> to enable the SSL\/TLS Protocol Engine. You set the paths of the self-signed SSL certificate and the SSL private key files you generated earlier. You declare the server name, and the document root directory that holds the files Apache serves. And you also set locations for log files.<\/p>\na2enmod<\/code> tool to enable the SSL<\/code> and the RewriteEngine<\/code> Apache modules. This allows Apache to use SSL\/TLS encryption, and the RewriteEngine<\/code> feature to rewrite requested URLs and redirect users from HTTP to HTTPS:<\/p>\nsudo a2enmod ssl rewrite<\/code><\/pre>\nsudo apache2ctl configtest<\/code><\/pre>\nSyntax OK<\/code>, which means you can safely reload Apache, otherwise, you will get a very specific description pointing out the error you have to fix.<\/p>\nsudo systemctl restart apache2\r\n<\/code><\/pre>\nhttps:\/\/<\/code> at the beginning:<\/p>\nhttps:\/\/domain_name_or_IP<\/code><\/pre>\nCreating a Self-Signed SSL Certificate For Nginx on Ubuntu<\/h3>\n
![\"configuring](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/07\/4.jpg\")
<\/p>\nsudo nano \/etc\/nginx\/sites-enabled\/default<\/code><\/pre>\nserver {\r\n listen 80;\r\n listen [::]:80;\r\n root \/var\/www\/html;\r\n\r\n index index.html index.htm index.nginx-debian.html;\r\n\r\n server_name www.example.com;<\/mark>\r\n location \/ {\r\n try_files $uri $uri\/ =404;\r\n }\r\n}<\/code><\/pre>\nserver {\r\n listen 80;\r\n listen [::]:80;\r\n server_name www.example.com<\/mark>;\r\n access_log off;\r\n location \/ {\r\n rewrite ^ https:\/\/$host$request_uri? permanent;\r\n }\r\n}\r\n\r\nserver {\r\n listen 443 ssl;\r\n listen [::]:443 ssl;\r\n server_name www.example.com<\/mark>;\r\n root \/var\/www\/html<\/mark>;\r\n index index.php index.html index.htm index.nginx-debian.html;\r\n autoindex off;\r\n ssl_certificate \/etc\/ssl\/certs\/ssl-selfsigned.pem<\/mark>;\r\n ssl_certificate_key \/etc\/ssl\/private\/ssl-selfsigned.key<\/mark>;\r\n ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\n ssl_ciphers HIGH:!aNULL:!MD5;\r\n\r\n location ~ \\.php$ {\r\n include snippets\/fastcgi-php.conf;\r\n fastcgi_pass unix:\/var\/run\/php\/php-fpm.sock;\r\n fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\r\n include fastcgi_params;\r\n }\r\n}<\/code><\/pre>\n80<\/code> which serves HTTP requests, and port 443<\/code> that serves HTTPS requests.<\/p>\nrewrite<\/code> directive in the location<\/code> block to redirect HTTP requests to HTTPS.<\/p>\n location ~ \\.php$<\/code>, you set up Nginx to process PHP files with the php-fpm<\/code> package.<\/p>\nsudo nginx -t<\/code><\/pre>\n
\nNow, restart Nginx:<\/p>\nsudo systemctl restart nginx<\/code><\/pre>\nhttps:\/\/<\/code> at the beginning:<\/p>\nhttps:\/\/domain_name_or_IP<\/code><\/pre>\n![\"verifying](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/07\/How-to-Create-a-Self-Signed-Certificate-1.png\")
<\/p>\nStep 3 - Verify That Your Self-Signed SSL Certificate Works<\/h2>\n
\n
ServerName<\/code> directive, and in Nginx, it\u2019s the server_name<\/code> directive.<\/li>\nDocumentRoot<\/code> directive in Apache, and the root<\/code> directive in Nginx.<\/li>\nhttp:\/\/<\/code>and you\u2019ll notice that you will be automatically redirected to a URL beginning with https:\/\/<\/code>.<\/li>\nhttps:\/\/<\/code> to the URL, you would get an error, explaining that your website is not secure as mentioned above. This means that the browser can\u2019t verify the identity of the server, since the certificate is not signed by any of its known certificate authorities. However, this is completely normal for a self-signed certificate and actually means that your SSL configuration is successful<\/em>.<\/li>\n<\/ul>\n![\"Create](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/06\/Privacy-Error-1024x470.png\")
<\/p>\n![\"Create](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/06\/Proceed.webp\")
<\/p>\nA Self-Signed SSL Certificate with Apache (Example)<\/h3>\n
![\"ubuntu](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/06\/Info-0.png\")
<\/p>\n![\"Apache](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/06\/Welcome.webp\")
<\/p>\nA Self-Signed SSL Certificate with Nginx (Example)<\/h3>\n
![\"](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2022\/06\/Securing-your-site-with-Self-Signed-or-CA-certificates_06-e1656578767657.png\")
<\/p>\ndays<\/code> value on the certificate\u2019s creation).<\/p>\n![\"self-signed](\"https:\/\/www.ssdnodes.com\/wp-content\/uploads\/2024\/06\/InfoFull.webp\")
<\/p>\nCongrats!<\/h2>\n
Facing Difficulties? - Simplify Your SSL Setup with Our 1-Click VPS Applications<\/h3>\n
FAQ: Creating a Self-Signed Certificate on Ubuntu for Apache and Nginx<\/h2>\n
How to Renew a Self-Signed Certificate?<\/h3>\n
How to Remove a Self-Signed Certificate?<\/h3>\n
Firefox: The Certificate is Not Trusted Because it is Self-Signed<\/h3>\n
\n
Self-Signed vs CA Certificates<\/h3>\n
Self-Signed Certificates:<\/h4>\n
\n
CA Certificates:<\/h4>\n
\n