Creating SSL Certificates for Secure HTTP

ssl_padlockThe use of Secure HTTP (or HTTPS) is essential to avoid getting my browser communication hijacked, or hacked.  For savvy web users, browsing a site with HTTPS is a must to protect login and other private information.  As a Web Application administrator, the way to accomplish this is to use the Secure Socket Layer (SSL) library in combination with an Apache web server.

The widely used SSL library is by OpenSSL.  It’s constantly updated, and it’s freely available.  I use it because it also compiles well on Linux and Solaris operating systems.   The source code is portable and has been tested in many flavors of Unix.  Windows install is available also.  Compiling the source code is as straight forward as running the “configure” script and run “make”.  The default install for OpenSSL is usually in /usr/local/ssl directory.

Once installed, the first step is to create a Key Pair:

/usr/local/ssl/bin/openssl genrsa -des3 -rand <anyfile1>:<anyfile2>:<anyfile3> -out 1024

  • The anyfile1, anyfile2, or anyfile3 can be any file in the system.  There has to be at least one file specified.
  • Specifying a pass phrase is required in this case.  But for convenience, I might opt to do it without specifying a password.  To disable the password prompt, remove the “-des3” option.

Next create a Certificate Signing Request:

/usr/local/ssl/bin/openssl req -new -sha256 -key -out

Fill in the requested information.  At the end of the questionnaire, a “challenge password” is usually not required.

Updated September 10, 2014: Due to SHA-1 weakness, it’s imperative to let the intermediate cert provider generate a cert without SHA-1 encryption.  Hence the -sha256 option when generating the CSR.

Submit the CSR to a CA such as Thawte or Verisign.  After payment is processed, they will send an email with directions how to get the certificate file.  It might require cut and paste of the cert code into a file, usually with  a .crt or .cert suffix (such as

For development or QA environments, where a valid signed certificate is not required, I can create a self-signing one.  To create a “fake” (aka Snake Oil) certificate, use the following:

/usr/local/ssl/bin/openssl x509 -req -days 999 -in -signkey -out

Both the cert and key files are required for the web server.  I’ll cover Apache web server installation in the next post.

5 thoughts on “Creating SSL Certificates for Secure HTTP

  1. Pingback: Setting Up Apache Web Server With Secure HTTP | Building IT

  2. Pingback: SSL From Java Client | Building IT

  3. Congrats! I got the email and saw you go the “job”! I am a provisional in NYJL- hopefully I will see you around. I just got put on DIAD and I am very excited!

  4. If I understand your question correctly Krishan I have aggregated this information from a variety of sources all of which, I believe, I’ve sourced and/or linked to in the put up. You can check the authenticity of each individual by clicking as a result of or browsing for that report. Whilst I trust many of the data hence, why I have passed it on these should only be used as guidelines to use for a starting point as, in my experience, the brand and the category impact the results.

  5. Hello admin, i must say you have high quality content here.
    Your page should go viral. You need initial traffic only.
    How to get it? Search for: Mertiso’s tips go viral

Leave a Reply

Your email address will not be published. Required fields are marked *