I have an SSL instance running in the house so that I can access my home Subversion installation remotely. The certificate I generated for this site expired a few months ago and I have procrastinated regenerating it because I seemed to remember it was complicated and I didn’t want to spend the time.
Well, it winds up it's not that bad. I found a great summary of the commands necessary in order to do it, and threw together a very quick script to string them all together in order to create SSL certificates for a general host name and figured I'd throw it up here.
I generalized it thinking that I could have two certificates for the virtual hosts I have running on my home server. Unless I’m looking at old information, however, it doesn’t seem that you can have different SSL certificates for virtual hosts running on the same IP address under Apache 2. If you can, and someone knows how to configure Apache to do so, please let me know.
Here's the script I used to generate the self-signed SSL certificates for the house. Super simple. Now I just have to remember to source the script ;).
#!/bin/bash
# Cert4Host.sh - Generate a self-signed SSL certificate for a host name.
# Usage: Cert4Host.sh HOSTNAME
set -e

HOSTNAME="$1"
if [ -z "${HOSTNAME}" ]; then
    echo "Usage : Cert4Host.sh HOSTNAME" >&2
    exit 1
fi

# pass.key is generated once and reused for every host name this script is
# run for, so all hosts end up sharing one private key. 2048-bit RSA
# (1024-bit keys are below current minimums).
if [ ! -e pass.key ]; then
    openssl genrsa -des3 -out pass.key 2048
else
    echo "Key already exists ... skipping ..."
fi

# Strip the passphrase so Apache can load the key at startup without a prompt;
# umask 077 keeps the unencrypted copy readable by this user only.
( umask 077; openssl rsa -in pass.key -out "${HOSTNAME}.key" )

# Self-signed certificate; answer the Common Name prompt with the host name.
openssl req -new -key "${HOSTNAME}.key" -x509 -sha256 -out "${HOSTNAME}.crt" -days 999

# Install into mod_ssl's ssl.key/ and ssl.crt/ directories. The trailing slash
# makes cp fail loudly if a directory is missing instead of silently creating
# a file named ssl.key or ssl.crt.
sudo cp "${HOSTNAME}.key" /usr/local/apache2/conf/ssl.key/
sudo cp "${HOSTNAME}.crt" /usr/local/apache2/conf/ssl.crt/
Don't forget to change your Apache SSL configuration to point to the new certificate and key (SSLCertificateFile to <hostname>.crt and SSLCertificateKeyFile to <hostname>.key, respectively), check it with apachectl configtest, and restart Apache.
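The script above answers OpenSSL's prompts interactively and puts the host name only in the certificate's Common Name. Current browsers no longer match on the Common Name alone and want the host name in a subjectAltName extension, and the post opens with exactly the failure a periodic check would have caught: a certificate that expired without anyone noticing. The following is an added example, not the original Cert4Host.sh, that generates the certificate non-interactively with a SAN and exposes host-match and expiry checks that a cron job can call. It assumes OpenSSL 1.1.1 or later (for the -addext and -ext options); the host name svn.example.home used in the comments is a placeholder.

```shell
#!/bin/bash
# Added example, not the original Cert4Host.sh: non-interactive self-signed
# certificate with a subjectAltName, plus checks a cron job can run.
# Assumes OpenSSL 1.1.1 or later (for the -addext and -ext options).
set -euo pipefail

# gen_selfsigned HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key (unencrypted, mode 0600 via umask) and OUTDIR/HOST.crt.
# Both CN and SAN carry the host name; current browsers match only on the SAN.
gen_selfsigned() {
    local host="$1" outdir="$2" days="${3:-365}"
    mkdir -p "$outdir"
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=${host}" \
          -addext "subjectAltName=DNS:${host}" \
          -keyout "${outdir}/${host}.key" \
          -out "${outdir}/${host}.crt" \
          -days "$days" 2>/dev/null )
}

# cert_san CERT: print the DNS names in the certificate's subjectAltName,
# e.g. "DNS:svn.example.home".
cert_san() {
    openssl x509 -noout -in "$1" -ext subjectAltName \
        | sed -n 's/^[[:space:]]*\(DNS:.*\)$/\1/p'
}

# cert_matches_host CERT HOST: succeed if HOST is covered by CERT's SAN
# (the same check a browser performs against the requested host name).
cert_matches_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match'
}

# cert_expires_within CERT SECONDS: succeed if CERT's notAfter is less than
# SECONDS from now. openssl -checkend exits 0 when the cert will NOT expire
# within the window, hence the negation.
cert_expires_within() {
    ! openssl x509 -noout -in "$1" -checkend "$2" >/dev/null
}

# Stand-alone usage: ./selfsigned.sh HOST [OUTDIR]; with no arguments the
# script only defines the functions above.
if [ "$#" -ge 1 ]; then
    host="$1" outdir="${2:-.}"
    gen_selfsigned "$host" "$outdir"
    echo "SAN: $(cert_san "${outdir}/${host}.crt")"
    if cert_expires_within "${outdir}/${host}.crt" $((30 * 86400)); then
        echo "WARNING: ${host}.crt expires within 30 days"
    fi
fi
```

Point a daily cron entry at cert_expires_within with a window of a few weeks and you get warned before the browser does; the same functions also verify that the cert you just installed actually names the host you will type into the address bar.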
With regards to running multiple certificates for name-based virtual hosts: Not possible. This is a protocol restriction, not an Apache one. It boils down to the fact that Apache must present the certificate to the browser before it can know what virtual host the browser is trying to connect to.
Jaco,
Thanks for the heads up and the explanation of why this wouldn’t work. When you think about it, it makes perfect sense.
http://wiki.cacert.org/wiki/VhostTaskForce