Ssl – Proper method to generate a secure self-signed certificate

apache-2.4sslssl-certificate

I have several websites on which I want to install a self-signed SSL certificate. I tried following various guides, such as this one (all provided more or less the exact same instructions). The given instructions appear to be outdated security-wise, however. I will be the only one using SSL on the sites; people won't know HTTPS is enabled unless they dig for it.

For example, Chrome shows this information for my site, whereas this information is shown for ServerFault. How do I generate a proper, secure SSL/TLS certificate using current crypto standards? In case it matters, the server is running Ubuntu 14.10 Server and Apache 2.4.

Best Answer

I see two things immediately wrong.

  1. You have a certificate for *.example.com, but you're accessing the site as https://example.com. A wildcard certificate won't be accepted for a parent domain. Either access it via https://www.example.com, or make a new certificate.
  2. You're using a SHA1 hash for the cert. This is considered bad. the -sha256 switch in openssl should fix this. Here's an example set of switches: openssl req -new -newkey -sha256 rsa:2048

You might also want to check your SSL settings in Apache, specifically which algorithms are allowed. Turn off SSLv2/SSLv3 at least. If it's just you, I'd turn off everything less than TLSv1.2, and only select high-grade ciphers.

Here's an example pulled from an often-cited page (\ to break the continuous string):

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128: \
   DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Edit: Either way, Chrome and Firefox are not going to react nicely to self-signed certificates unless you configure them (and/or your OS) to specifically trust the root CA that signed them.

Related Topic