Self-signed SSL certificate HOWTO

SSL is used for (1) encrypting HTTP traffic and (2) authenticating the server against the browser's database of trusted certificates. Generating an SSL certificate properly is important if you want your customers to use https properly. It costs a few bucks per year, but your customers won't see any warnings in the browser before the SSL session (purpose number 2).

However, for internal applications, a self-signed certificate may be a sufficient solution (purpose 1 only). Below is a minimal set of commands to generate a local SSL certificate (accept the default values when asked for data on stdin):

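# Work in a dedicated directory for the key material
mkdir -p /etc/lighttpd/ssl/local
cd /etc/lighttpd/ssl/local
# Generate a passphrase-protected RSA key (2048 bits; 1024-bit RSA is too weak by current standards)
openssl genrsa -passout pass:1234 -des3 -out server.key 2048
# Create the certificate signing request
openssl req -passin pass:1234 -new -key server.key -out server.csr
# Strip the passphrase so the server can load the key without one
cp server.key server.key.org
openssl rsa -passin pass:1234 -in server.key.org -out server.key
# Self-sign the request (validity defaults to 30 days unless -days is given)
openssl x509 -req -in server.csr -signkey server.key -out server.crt
# ssl.pemfile below points at this combined key + certificate file
cat server.key server.crt > server.pem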

Then the lighttpd configuration:

$SERVER["socket"] == "<YOUR_IP_ADDRESS>:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/local/server.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/local/server.crt"
}

Then you have to accept the server certificate in your browser, and voilà!
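Before pointing lighttpd at server.pem and accepting the browser warning, it helps to confirm the file holds what you expect. The script below is an added example, not part of the original post: it checks that the key is unencrypted and at least 2048 bits, that the certificate belongs to that key and has not expired, and prints the SHA-256 fingerprint to compare with the browser's certificate dialog. The function names and the demo CN internal.example are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for a lighttpd server.pem (key + certificate).
# Function names and the demo CN are this example's own (hypothetical).

key_pub()  { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_bits() { openssl pkey -in "$1" -passin pass: -noout -text 2>/dev/null |
             sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

check_server_pem() {
    f=$1; rc=0
    # The "openssl rsa" step strips the passphrase; an encrypted key means it was skipped.
    if grep -q ENCRYPTED "$f"; then echo "FAIL: private key is still passphrase-protected"; rc=1; fi
    bits=$(key_bits "$f")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-unreadable} bits, want >= 2048"; rc=1; }
    k=$(key_pub "$f") || :
    c=$(cert_pub "$f") || :
    { [ -n "$k" ] && [ "$k" = "$c" ]; } || { echo "FAIL: certificate does not belong to this key"; rc=1; }
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate expired or unreadable"; rc=1; }
    # Compare this value with the one the browser shows before accepting the warning.
    echo "SHA-256 fingerprint: $(cert_fingerprint "$f" 2>/dev/null)"
    return $rc
}

# Constructed sample input: a throwaway key and self-signed certificate, built
# non-interactively (-subj replaces the stdin prompts; the CN is a placeholder).
make_demo_pem() {
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 30 -subj "/CN=internal.example" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    cat "$1/server.key" "$1/server.crt" > "$1/server.pem"
}

# With a path argument, check that file; with none, check a fresh demo file.
if [ -n "${1:-}" ]; then
    check_server_pem "$1"
else
    d=$(mktemp -d) && make_demo_pem "$d" 2048 && check_server_pem "$d/server.pem"
    rm -rf "$d"
fi
```

Run it as `sh check_pem.sh /etc/lighttpd/ssl/local/server.pem` (the script name is arbitrary); a non-zero exit status means at least one check failed.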
