How to create self-signed certificates for use with Apache/SSL
To create a self-signed certificate for use with a webserver such as Apache follow the following steps:
Generate a server key:
openssl genrsa -aes128 -out server.key 4096
Next, create a certificate signing request with it. This will prompt for several things such as country, state, etc. Make certain that “Common Name (eg, YOUR name)” matches the fully qualified domain name of your server (or IP address if you do not have one). You may create a challenge password at this point, however it will mean more typing for you.
Create the certificate signing requests:
openssl req -new -key server.key -out server.csr
Next, sign the certificate signing request. The following example expires the key in 365 days:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Now, make a version of the server.key which does not require a password:
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
Be careful with these files as they are quite sensitive and permissions should set very carefully. Chown them to root (if you are not already root). Some of the sites I have found say that you can chmod 000 them and it does seem to work in my experiments. Root always retains an effective 600 (read) rights on everything.
You now have the following files which are suitable for use on your self-signed certificate site:
server.crt: The self-signed server certificate
server.csr: Server certificate signing request
server.key: The private server key
(does not require a password when starting Apache
server.key.secure: The private server key
(it will require a password when starting Apache)
NOTE: These instructions have been paraphrased for my use. The original site can be found here.