Following is a step-by-step guide to creating your own CA (Certificate Authority) -- and also
self-signed SSL server certificates -- with openssl on Linux. Self-signing is the simpler route
to take, but making one's own CA allows the signing of multiple server certificates using the same CA
and involves only a few extra steps.
After using openssl to generate the necessary files, you'll need to integrate them into Apache. This
process differs between Linux distros and versions of Apache. Additional references exist at the end of this
document. My instructions for
Setting up SSL: Ubuntu and Apache 2 are kept
most current, and will carry you through to completion.
Making a homemade CA or self-signed certificate will cause the client web browser to prompt with a
message whether to trust the certificate signing authority (yourself) permanently
(store it in the browser), temporarily for that session, or to reject it. The message
"web site certified by an unknown authority... accept?" may be a business liability for
general public usage, although it's simple enough for the client to accept the certificate
permanently.
Whichever route you take, you'll save the periodic expense of paying a recognized signing authority.
This is purely for name recognition -- they've paid the major browser producers to have their
CA pre-loaded into them. So if you're on a budget, have a special need or small audience, this may
be useful.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt