Ubuntu – How to self-sign an SSL certificate for a specific domain

opensslsslUbuntu

I've followed these steps to create and sign my own SSL certificate:

openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

In Firefox, I get these warning messages:

The certificate is not trusted because it is self-signed.
The certificate is not valid for any server names.

Of course I get the former warning, but what about the latter? On generating the CSR, I'm asked a lot of questions for which I give blank answers. None of them seem to mention the domain names, though.

Country Name (2 letter code) [AU]:se
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:.
Email Address []:hanna@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

What am I doing wrong?

Best Answer

The Common Name field is where you should put the domain name for the certificate. If it's blank, then the certificate is not valid for any domain.

Related Solutions

Ssl – Dovecot and StartSSL problems with issuer

What error message does the 'openssl verify' return?

It may be the case the applications don't trust the Cert Issuer and need the list of trusted certs.

Try downloading this file http://www.startssl.com/certs/ca-bundle.pem and running 'openssl verify -CAfile ca-bundle.pem mycert.pem' where mycert.pem is your cert.

For eg : % openssl verify -CAfile ca-bundle.pem sub.class1.server.ca.pem sub.class1.server.ca.pem: OK

SSL Error – Unable to Read Server Certificate from File

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

-----BEGIN CERTIFICATE-----^M
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg^M
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x^M

you've got a file in Windows line-terminated format, and apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.

Related Topic