There are numerous articles I’ve written where a self-signed certificate is a prerequisite for deploying a piece of infrastructure.
Here are the quick steps for installing a self-signed certificate on an Ubuntu server. First we create the destination directory and make sure we have the ssl packages.
# mkdir -p /etc/pki/tls/certs
# chmod 755 /etc/pki/tls/certs
# apt-get install libssl1.0.0 -y
Then we create the self-signed cert, good for 10 years, with a CN matching the fully qualified name of the host. The -subj value is in double quotes so that the shell expands $FQDN; in single quotes the CN would be the literal text "$FQDN".
# cd /etc/pki/tls/certs
# export FQDN=`hostname -f`
# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout $FQDN.key -out $FQDN.crt \
  -subj "/C=US/ST=CA/L=SFO/O=myorg/CN=$FQDN"
This puts two files into the directory: $FQDN.crt (public cert) and $FQDN.key (private key).
Some applications require this public/private pair in a slightly different format. For example, haproxy wants a .pem file, which is just a concatenation of these two files and can be constructed like this:
# cat $FQDN.crt $FQDN.key > $FQDN.pem
And Windows application servers like IIS will want a binary .pfx file:
# openssl pkcs12 -export -out $FQDN.pfx \
  -inkey $FQDN.key -in $FQDN.pem
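Before pointing a service at these files it is worth checking them. The script below is an added example, not part of the original steps: it confirms the CN equals the host name, that the key belongs to the certificate, and that the files carrying the private key (.key, .pem, .pfx) are not accessible to group or others. The function names and the script name in the usage line are illustrative.

```bash
#!/usr/bin/env bash
# Added example: checks for the files produced by the steps above.
# Function names are illustrative, not from the original post.

# Print the CN of a certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if certificate $1 and private key $2 hold the same public key.
key_matches_cert() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Succeed only if group and others have no permission bits on the file.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# verify_cert_set DIR FQDN: run every check, report failures, return 1 on any.
verify_cert_set() {
    local dir="$1" fqdn="$2" rc=0 f
    if [ "$(cert_cn "$dir/$fqdn.crt")" != "$fqdn" ]; then
        echo "CN is '$(cert_cn "$dir/$fqdn.crt")', expected '$fqdn'"; rc=1
    fi
    if ! key_matches_cert "$dir/$fqdn.crt" "$dir/$fqdn.key"; then
        echo "$fqdn.key does not belong to $fqdn.crt"; rc=1
    fi
    # .key, .pem and .pfx all carry the private key.
    for f in "$dir/$fqdn.key" "$dir/$fqdn.pem" "$dir/$fqdn.pfx"; do
        [ -e "$f" ] || continue
        if ! is_private "$f"; then
            echo "$f is accessible to group/others (chmod 600 it)"; rc=1
        fi
    done
    return "$rc"
}

# Usage (script name is hypothetical):
#   ./verify-cert.sh /etc/pki/tls/certs "$(hostname -f)"
if [ "$#" -eq 2 ]; then
    verify_cert_set "$1" "$2"
fi
```

With a default umask of 022 the .pem written by cat is world-readable, so expect this check to flag it until the mode is tightened.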