Pen & Paper

Making Your Browser to Trust a Self-signed SSL Cert

29 Nov 2014

Enabling an https connection on LAMP can be done with two commands:

  1. sudo a2enmod ssl
  2. sudo a2ensite default-ssl

Restart the apache server (sudo service apache2 restart) and we will have a secure connection.

However, whether we use openssl to create a self-signed certificate or use the default “snakeoil” certificate, we will get a browser warning about an untrusted SSL certificate when we visit our site. The browser only trusts an SSL cert that is signed by a recognized CA. Since “we” are not recognized as a trusted issuer, the self-signed SSL certificate that we have created is deemed untrustworthy (despite the fact that we own the server and know we can trust it). To get rid of the browser warning, we can either pay for an SSL certificate from a recognized CA or follow the steps below to get the browser to trust our self-signed SSL certificate. The main tool is openssl. It does not matter whether we perform the steps on the host or on a local computer; what matters is knowing where to put the “key” and the “cert” after they are created. For Windows users, there is a similar tool on IIS that can create a self-signed cert, but to follow the steps below it may be easier to ssh to the host and use openssl.

  1. Create a root key:
    openssl genrsa -out root.key 2048
    (this is the main key that will be used to sign all trusted certs.)
  2. Create the root cert:
    openssl req -x509 -new -nodes -key root.key -days 1800 -out root.pem
    (answer the prompts so that the information can be embedded in your certificate.)
  3. Create a host key for your apache server:
    openssl genrsa -out apache.key 2048
  4. Create a certificate signing request (csr) for your host certificate:
    openssl req -new -key apache.key -out apache.csr
    (use the domain name as the “Common Name”.)
  5. Sign the csr using root.key:
    openssl x509 -req -in apache.csr -CA root.pem -CAkey root.key -CAcreateserial -out apache.crt -days 1500
    (-days here should be equal to or less than that of the root cert.)
  6. Repeat steps 3-5 to generate an additional key (apacheX.key), csr (apacheX.csr) and crt (apacheX.crt) for each other server that needs an SSL cert.
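The six steps above, written as a non-interactive script so they can be repeated for every server, followed by the check that actually matters: that the host cert chains to root.pem, which is what the browser will verify once root.pem is imported. This is an added example, not code from the original post. It assumes openssl is on PATH and takes the output directory and host name as arguments (-subj replaces the interactive prompts). One thing here goes beyond the post: the script adds a subjectAltName extension to the host cert, because current browsers (Chrome since version 58) ignore the Common Name and refuse a cert without a SAN.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1-5 as a
# non-interactive script. Assumes openssl is on PATH; the output
# directory and host name are arguments. -subj replaces the prompts.
# The subjectAltName extension goes beyond the post: current browsers
# (Chrome since version 58) ignore the Common Name and need a SAN.
set -e

# make_local_ca <outdir> <hostname>
# Creates root.key/root.pem (our private CA) and apache.key/apache.csr/
# apache.crt for <hostname>, signed by that root.
make_local_ca() {
    outdir=$1
    host=$2
    mkdir -p "$outdir"

    # Step 1: root key (signs every cert we will trust)
    openssl genrsa -out "$outdir/root.key" 2048 2>/dev/null
    # Step 2: self-signed root cert, 1800 days as in the post
    openssl req -x509 -new -nodes -key "$outdir/root.key" -days 1800 \
        -subj "/CN=Local Test Root CA" -out "$outdir/root.pem"
    # Step 3: host key for apache
    openssl genrsa -out "$outdir/apache.key" 2048 2>/dev/null
    # Step 4: CSR with the host name as Common Name
    openssl req -new -key "$outdir/apache.key" -subj "/CN=$host" \
        -out "$outdir/apache.csr"
    # Step 5: sign with the root; 1500 days stays below the root's 1800.
    # san.ext adds subjectAltName (our addition, see comment above).
    printf 'subjectAltName=DNS:%s\n' "$host" > "$outdir/san.ext"
    openssl x509 -req -in "$outdir/apache.csr" -CA "$outdir/root.pem" \
        -CAkey "$outdir/root.key" -CAcreateserial -days 1500 \
        -extfile "$outdir/san.ext" -out "$outdir/apache.crt" 2>/dev/null
}

# verify_chain <outdir>: 0 only if apache.crt chains to root.pem. This is
# the same check a browser makes once root.pem is imported as an authority.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" "$1/apache.crt" >/dev/null
}

# cert_has_san <outdir> <hostname>: 0 if the host cert carries DNS:<hostname>
cert_has_san() {
    openssl x509 -in "$1/apache.crt" -noout -text | grep -q "DNS:$2"
}

# Usage: make_local_ca ./localca www.example.test && verify_chain ./localca
```

Run make_local_ca once per server (step 6), always with the same outdir so the same root.key signs every host cert; only root.pem is ever imported into a browser, and root.key should never leave the machine that does the signing.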

Now all the necessary keys and certs have been generated. All we need to do is put them in the right place.

  1. Import root.pem into the browser. For Chrome, look in Settings -> Advanced Settings -> HTTPS/SSL -> Manage Certificates -> Authorities -> Import. For Firefox, look in Preferences -> Advanced -> View Certificates -> Authorities -> Import.
  2. Any devices accessing the apache server should import the same root.pem.
  3. On the apache server, create a folder sudo mkdir /etc/ssl/localcerts
    and copy the key and cert into the newly created folder sudo cp apache.* /etc/ssl/localcerts/
  4. Restrict the permissions on apache.* so that only the owner can read them sudo chmod 600 /etc/ssl/localcerts/apache.*
  5. Enable ssl sudo a2enmod ssl
  6. Enable the default-ssl virtual host sudo a2ensite default-ssl
  7. Edit /etc/apache2/sites-available/default-ssl.conf. Change the settings of SSLCertificateFile and SSLCertificateKeyFile to point to “apache.crt” and “apache.key”. In our case, it should point to /etc/ssl/localcerts/apache.crt and /etc/ssl/localcerts/apache.key respectively.
  8. Restart apache sudo service apache2 restart
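Steps 3, 4 and 7 above as a small script, plus the check a practitioner wants before step 8: that apache.key really is the private key for apache.crt, since a mismatched pair makes apache fail to start after the restart. This is an added example, not code from the original post. It assumes openssl is on PATH and takes the destination folder and the path of default-ssl.conf as parameters so it can be tried on a scratch copy; on the server, run it as root with /etc/ssl/localcerts and /etc/apache2/sites-available/default-ssl.conf.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 3, 4 and 7 of
# the deployment list, plus a key/cert match check. Assumes openssl is
# on PATH; destination folder and conf path are parameters.
set -e

# install_certs <srcdir> <destdir>: copy apache.key and apache.crt and
# restrict them to the owner (steps 3 and 4). Root is needed for
# /etc/ssl/localcerts. Only the key is secret, but the post locks both.
install_certs() {
    mkdir -p "$2"
    cp "$1/apache.key" "$1/apache.crt" "$2/"
    chmod 600 "$2/apache.key" "$2/apache.crt"
}

# key_matches_cert <keyfile> <certfile>: 0 only when the public key inside
# the certificate is the one derived from the private key.
key_matches_cert() {
    certpub=$(openssl x509 -in "$2" -noout -pubkey)
    keypub=$(openssl pkey -in "$1" -pubout)
    [ "$certpub" = "$keypub" ]
}

# point_vhost_at <conf> <destdir>: rewrite the SSLCertificateFile and
# SSLCertificateKeyFile directives (step 7) to the installed files.
# Commented-out lines and SSLCertificateChainFile are left alone.
# The destdir must not contain '|' or '&' (sed delimiter and replacement).
point_vhost_at() {
    sed \
        -e "s|^\([[:space:]]*\)SSLCertificateFile[[:space:]].*|\1SSLCertificateFile $2/apache.crt|" \
        -e "s|^\([[:space:]]*\)SSLCertificateKeyFile[[:space:]].*|\1SSLCertificateKeyFile $2/apache.key|" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# vhost_uses <conf> <destdir>: 0 if both directives now point into <destdir>
vhost_uses() {
    grep -q "^[[:space:]]*SSLCertificateFile[[:space:]]*$2/apache.crt" "$1" &&
    grep -q "^[[:space:]]*SSLCertificateKeyFile[[:space:]]*$2/apache.key" "$1"
}

# Usage (as root on the server):
#   install_certs . /etc/ssl/localcerts
#   key_matches_cert /etc/ssl/localcerts/apache.key /etc/ssl/localcerts/apache.crt
#   point_vhost_at /etc/apache2/sites-available/default-ssl.conf /etc/ssl/localcerts
```

The match check compares the PEM public key extracted from the certificate with the public key derived from the private key; if it fails, the wrong apacheX.key was copied next to apache.crt. Run apachectl configtest after point_vhost_at and before the restart in step 8.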