Web Server Management: Securing Access to Web Servers
Chapter 3. Creating keys and certificates
The cost and administrative hassle of having a CSR signed by a real CA are clearly not worthwhile if all you want to do is experiment with HTTPS. For this sort of use you can instead create a "self-signed" certificate, in which, in effect, you vouch for your own identity: the certificate is signed with the very key it certifies, so its issuer and its subject are the same. Browsers will not trust such a certificate, because nothing in their store of trusted CAs can be used to check it, and they will typically display a warning when a site protected by one is accessed.
In addition to displaying a warning message, Internet Explorer 7 turns the browser address bar red when accessing such a site.
Encouraging general web site visitors to accept such warnings is extremely dangerous, since doing so undermines much of the security that TLS provides: a visitor who has learnt to click through the warning has no way of telling your self-signed certificate from one presented by an attacker sitting between him and your server. However, self-signed certificates have their place, for test servers and for clients that can be configured to trust one specific certificate, and one can be created by adding the -x509 option to an openssl req command:
    $ openssl req -new -newkey rsa:2048 -x509 -keyout self.key -out self.crt
    Generating a 2048 bit RSA private key
    ............................................................++++++
    ..............................................++++++
    writing new private key to 'self.key'
    Enter PEM pass phrase: password
    Verifying - Enter PEM pass phrase: password
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:GB
    State or Province Name (full name) [Some-State]:England
    Locality Name (eg, city) []:Cambridge
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Cambridge
    Organizational Unit Name (eg, section) []:Computing Service
    Common Name (eg, your name or your server's hostname) []:clt1.csi.cam.ac.uk
    Email Address []:email@example.com
The options used are:

-new: used when creating a new CSR, rather than processing an existing one
-newkey rsa:2048: specification of the key to generate
-x509: output a self-signed X509 certificate, rather than a CSR
-keyout self.key: name of the file to receive the key
-out self.crt: name of the file to receive the certificate
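The interactive session above is fine for a one-off experiment, but it leaves out three things that matter as soon as a self-signed certificate is actually deployed: without -days the certificate is valid for only 30 days, a passphrase-protected key cannot be loaded by an unattended web server, and current browsers match the host name against a subjectAltName extension and ignore the Common Name entirely. The script below is an added example, not part of the original page, that performs the same generation non-interactively with those additions and then checks the result. It assumes OpenSSL 1.1.1 or later on the PATH (needed for -addext); the host name is the one from the page's own session, while the 365-day lifetime and the temporary file locations are choices made here.

```shell
#!/bin/sh
# Added example, not from the original page: create a self-signed certificate
# as the page does, with the additions a practitioner needs, then check it.
# Assumes OpenSSL 1.1.1 or later on PATH (for -addext). The host name is the
# one from the page's sample session; file locations and 365 days are chosen here.
set -eu

SERVER="clt1.csi.cam.ac.uk"
WORK=$(mktemp -d)
KEY="$WORK/self.key"
CRT="$WORK/self.crt"

# Same one-step generation as on the page (-new -newkey -x509), plus:
#   -nodes        no passphrase on the key, so the server can start unattended;
#                 protect the file with permissions instead (chmod 600 below)
#   -days 365     explicit lifetime; without it openssl req defaults to 30 days
#   -addext SAN   a subjectAltName, which is what browsers match the host
#                 name against; the Common Name alone is ignored
#   -subj         the DN given on the command line instead of via prompts
make_selfsigned() {
    openssl req -new -newkey rsa:2048 -x509 -nodes -sha256 -days 365 \
        -subj "/C=GB/ST=England/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=$SERVER" \
        -addext "subjectAltName=DNS:$SERVER" \
        -keyout "$KEY" -out "$CRT" 2>/dev/null
    chmod 600 "$KEY"
}

# A self-signed certificate names itself as issuer: subject and issuer DNs match.
is_self_issued() {
    subj=$(openssl x509 -in "$CRT" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$CRT" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# It is also its own, and only, trust anchor: verification succeeds when the
# certificate itself is supplied as the CA file, and fails against any other
# store. That is exactly why a browser, which has no such entry, warns.
verify_against_self() {
    openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# The private key must belong to the certificate; compare the public key
# extracted from each (regenerating one file but not the other is a common slip).
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CRT" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# Does the certificate carry a DNS SAN for the name clients will connect to?
has_san_for_host() {
    openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$SERVER"
}

make_selfsigned
openssl x509 -in "$CRT" -noout -subject -issuer -dates
is_self_issued && echo "issuer equals subject: self-signed"
verify_against_self && echo "verifies with itself as the trust anchor"
key_matches_cert && echo "private key matches certificate"
has_san_for_host && echo "subjectAltName covers $SERVER"
echo "key and certificate are in $WORK"
```

The verify_against_self check also shows the right way to use such a certificate: rather than teaching users to click through the warning, install this one certificate as a trust anchor in each client that needs it (for example curl --cacert self.crt, or a browser's own certificate store), so the client trusts exactly this certificate and still rejects any other.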