Whenever you want to secure your web applications with SSL, you usually purchase an SSL certificate from a reputable certificate authority (CA) such as VeriSign, GeoTrust, or Thawte, among others. The certificates are not cheap, ranging anywhere from $50-$1000/year depending on their class.
For testing purposes or to secure your personal/internal web applications, there is no need to spend that kind of money — you can issue yourself an SSL certificate. The only problem is that browsers will flag it as “untrusted”, although Firefox will allow you to create an exception and never bother you again (good!). Chrome and Internet Explorer display ugly warning messages in the URL bar, etc.
To create your own SSL certificate, the process is two-fold: first, you need to install the required tools, and then you need to generate the certificate itself.
(1) Install the OpenSSL Toolkit
- You must have the Microsoft Visual C++ 2008 Redistributable Package installed.
- You might want to temporarily disable antimalware/antivirus scanners while you install the OpenSSL Kit.
- You can obtain the OpenSSL Toolkit binary from http://slproweb.com/products/Win32OpenSSL.html. (I downloaded the file “Win64 OpenSSL v1.0.1c” because I am using Win7 x64.)
- Run the .exe to install OpenSSL and choose to keep its .dlls in its own /bin directory.
- Re-enable antimalware/antivirus products at this point, if you had disabled them.
- Add the %openssl_home%/bin directory to the PATH environment variable for global command-line access.
(2) Generate the SSL Certificate
- Create a PEM file containing a 1024-bit RSA private key that is encrypted using Triple-DES:
openssl genrsa -des3 -out server.key 1024
- Generate the CSR (Certificate Signing Request), which contains X.509 information about the protected.
openssl req -new -key server.key -out server.csr
- Remove the passphrase from the PEM file, so that there is no prompting for it every time the certificate is loaded.
ren server.key server.key.original
openssl rsa -in server.key.original -out server.key
- Generate the SSL certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The SSL certificate will expire in 365 days. The web server that handles the secure SSL connections will need both the .crt and .key files.
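Before handing the two files to a web server, it is worth checking what was actually produced. The PowerShell function below is an added example, not part of the original post: it audits server.key and server.crt for a readable unencrypted key, a key/certificate mismatch, a short RSA key, a weak signature hash, and upcoming expiry. The function name `Test-SelfSignedPair`, the 30-day warning window, and openssl.exe being on PATH are assumptions.

```powershell
# Added example (not from the original post): audit the key/certificate pair.
# Assumes openssl.exe is on PATH; Test-SelfSignedPair is a hypothetical name.
function Test-SelfSignedPair {
    param([string]$Key = 'server.key', [string]$Cert = 'server.crt', [int]$WarnDays = 30)
    $findings = @()

    # After the passphrase is removed, the file ACL is the key's only protection.
    if (Select-String -Path $Key -Pattern 'ENCRYPTED' -CaseSensitive -Quiet) {
        throw "$Key is still passphrase-protected; run the 'openssl rsa' step first."
    }
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($ace in (Get-Acl -Path $Key).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $who) {
            $findings += "$Key is accessible to $who"
        }
    }

    # The certificate must carry the public half of this private key.
    $keyMod  = & openssl rsa  -noout -modulus -in $Key
    $certMod = & openssl x509 -noout -modulus -in $Cert
    if ($keyMod -ne $certMod) { $findings += "$Cert does not match $Key" }

    # The modulus is printed as hex: 4 bits per hex digit gives the key size.
    $bits = ($certMod -replace '^Modulus=', '').Length * 4
    if ($bits -lt 2048) { $findings += "RSA key is only $bits bits (2048 or more is the usual minimum)" }

    # Flag deprecated signature hashes (MD5, SHA-1).
    $text = (& openssl x509 -noout -text -in $Cert) -join "`n"
    if ($text -match 'Signature Algorithm:\s*(\S+)') {
        $sig = $Matches[1]
        if ($sig -match 'md5|sha1') { $findings += "Weak signature algorithm: $sig" }
    }

    # -checkend exits non-zero when the certificate expires within N seconds.
    & openssl x509 -noout -checkend ($WarnDays * 86400) -in $Cert | Out-Null
    if ($LASTEXITCODE -ne 0) { $findings += "$Cert expires within $WarnDays days" }

    return $findings
}

# Run from the directory that holds server.key and server.crt.
Test-SelfSignedPair | ForEach-Object { Write-Warning $_ }
```

A pair generated exactly as in the steps above will be reported for its 1024-bit key; passing 2048 to `openssl genrsa` and adding `-sha256` to the `openssl req` and `openssl x509` commands addresses the key-size and hash findings.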