Differences

This shows you the differences between two versions of the page.

--- ubuntu:certificates:create_a_self-signed_certificate [2023/06/09 16:20] – peter
+++ ubuntu:certificates:create_a_self-signed_certificate [2023/06/09 16:26] (current) – peter
@@ Line 1: / Line 1: @@
 ====== Ubuntu - Certificates - Create a self-signed certificate ======
+A self-signed certificate made in this way is sufficient for testing, but should not be used in a production environment.
+<WRAP info>
+**NOTE:**
+  * Many clients require that the certificate presented by the server be a user (also called “leaf” or “site”) certificate, and not a self-signed certificate.
+    * In this situation, the self-signed certificate must be installed on the client host as a trusted root certification authority (CA), and the certificate used must be a user certificate signed with that self-signed certificate.
+  * For information on creating self-signed CA certificates and using them to sign user certificates, see the General implementation overview chapter of the Open-source PKI book, available online at http://ospkibook.sourceforge.net/.
+</WRAP>
+----
 ===== Prerequisites =====
@@ Line 26: / Line 41: @@
 <code bash>
 openssl req -x509 -newkey rsa:2048 -keyout file1.key -out file2.crt -days 9999 -nodes
+</code>
+or
+<code bash>
+openssl req -new -x509 -days 9999 -nodes -out file1.pem -keyout file2.key
 </code>
 <WRAP info>
-**NOTE:**  Here, we named our certificate and key "file1" and "file2", but when you have multiple certificates, they will require different names, or, should reside in different sub-directories of **/etc/ssl**.
+**NOTE:**  Here, we name our certificate and key "file1" and "file2", but when you have multiple certificates, they will require different names, or, should reside in different sub-directories of **/etc/ssl**.
   * You could, in **/etc/ssl/localcerts**, have several certificates and name them according to domain (i.e. somesite.com.pem and somesite.com.key, othersite.net.pem and othersite.net.key, etc.).
@@ Line 87: / Line 108: @@
 </WRAP>
-<WRAP info>
-**NOTE:**  A self-signed certificate made in this way is sufficient for testing, and may be adequate for all your requirements if you are mainly interested in encrypting transfers, and not in secure identification.
-  * However, many clients require that the certificate presented by the server be a user (also called “leaf” or “site”) certificate, and not a self-signed certificate.
-  * In this situation, the self-signed certificate described above must be installed on the client host as a trusted root certification authority (CA), and the certificate used by Exim must be a user certificate signed with that self-signed certificate.
-  * For information on creating self-signed CA certificates and using them to sign user certificates, see the General implementation overview chapter of the Open-source PKI book, available online at http://ospkibook.sourceforge.net/.
-</WRAP>
 ----
@@ Line 118: / Line 131: @@
   -out test.crt \
   -subj '/C=PL/ST=example/O=ShareWiz/OU=test/CN=test'
+</code>
+----
+===== Set Permissions for the certificate files =====
+<code bash>
+chmod 600 file1*
+chmod 600 file2*
 </code>
@@ Line 124: / Line 147: @@
 ===== References =====
-http://ospkibook.sourceforge.net/
+https://wiki.debian.org/Self-Signed_Certificate
+http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#aboutcerts
+http://nginx.org/en/docs/http/configuring_https_servers.html
+http://ospkibook.sourceforge.net/