Self Signed SSL Certificates


#1

Hi,
How do I create self-signed SSL certificates for HTTPS in my Apache 2.4.29 and OpenSSL 1.1.0g?
- Does the international ban affect the self-signature?
- I am in Sudan.
I have tried several times and did not succeed.
I need the steps 1, 2, 3… 4… and the command line, please.
Can you help me?


#2

Hi,

Although this is off-topic, here you go:

https://jamielinux.com/docs/openssl-certificate-authority

Creating a self-signed TLS certificate doesn’t involve any ban, since it’s not a public CA.

Thank you


#3

Thanks.
But I applied all the relevant commands to self-sign, and it was not useful.


#4

If this is the case, what are you trying to do exactly?

Thank you


#5

I have the task of creating a small site on a local server and securing it with OpenSSL.


#6

From personal experience, I can tell you the how-to linked above by @stevenzhu (https://jamielinux.com/docs/openssl-certificate-authority/) works very well.

If you somehow can’t make it work, you’ll need to tell us exactly why it doesn’t work: which command did you type, what output did it generate and in what way is that different from what you expected.

Also:

Let’s Encrypt does issue publicly valid certificates for Sudan: https://crt.sh/?Identity=%.sd&iCAID=16418

Also note this forum is for the Let’s Encrypt community. As far as I know, it’s not intended to be a general “SSL” or “TLS” help forum, if it doesn’t have anything to do with Let’s Encrypt. There is a grey area of course when people with Let’s Encrypt certificates in place ask about TLS stuff not directly related to the certificate itself…


#7

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\mohammedz>cd C:\Apache24\conf

C:\Apache24\conf>httpd
’httpd’ is not recognized as an internal or external command,
operable program or batch file.

C:\Apache24\conf>httpd
’httpd’ is not recognized as an internal or external command,
operable program or batch file.

C:\Apache24\conf>cd …

C:\Apache24>cd bin

C:\Apache24\bin>httpd
AH00526: Syntax error on line 144 of C:/Apache24/conf/extra/httpd-ssl.conf:
SSLCertificateFile: file ‘C:/Apache24/conf/server.crt’ does not exist or is empt
y

C:\Apache24\bin>httpd
AH00526: Syntax error on line 144 of C:/Apache24/conf/extra/httpd-ssl.conf:
SSLCertificateFile: file ‘C:/Apache24/conf/server.crt’ does not exist or is empt
y

C:\Apache24\bin>httpd
(OS 10048)Only one usage of each socket address (protocol/network address/port)
is normally permitted. : AH00072: make_sock: could not bind to address [::]:80
(OS 10048)Only one usage of each socket address (protocol/network address/port)
is normally permitted. : AH00072: make_sock: could not bind to address 0.0.0.0:
80
AH00451: no listening sockets available, shutting down
AH00015: Unable to open logs

C:\Apache24\bin>httpd
(OS 10048)Only one usage of each socket address (protocol/network address/port)
is normally permitted. : AH00072: make_sock: could not bind to address [::]:80
(OS 10048)Only one usage of each socket address (protocol/network address/port)
is normally permitted. : AH00072: make_sock: could not bind to address 0.0.0.0:
80
AH00451: no listening sockets available, shutting down
AH00015: Unable to open logs

C:\Apache24\bin>httpd
(OS 10048)Only one usage of each socket address (protocol/network address/port)
is normally permitted. : AH00072: make_sock: could not bind to address [::]:80
(OS 10048)Only one usage of each socket address (protocol/network address/port)
is normally permitted. : AH00072: make_sock: could not bind to address 0.0.0.0:
80
AH00451: no listening sockets available, shutting down
AH00015: Unable to open logs

C:\Apache24\bin>


#8

I have no idea what you’re trying to do, but the “linux” part from the domain name of the how-to might give you a hint. I have no idea on how to get OpenSSL working on a Windows machine.


#9

Hi,

Can you please explain what you are trying to do?

Did you already create the certificates and are just trying to install them? Or haven’t you created them yet?


#10

Thank you my bro :smiley:


#11

Yes…
I created the certificates but they do not work.


#12

Hi @mohammed_max,

It’s expected that when you create a self-signed certificate, it will be rejected by your browser or most other applications, because the certificate is not signed by a trusted authority (like Let’s Encrypt). If this is a server for your own use, you may want to add an exception for the particular self-signed certificate. You can do this in Firefox, for instance. When you load the page, you will see an option to “Add Exception…”.

Are you trying to create a publicly accessible site, or just a site for your own personal use? If you are creating a publicly accessible site, you will need a publicly trusted certificate. For instance you can get one from Let’s Encrypt using https://letsencrypt.org/getting-started/.

If that doesn’t solve your problem, please provide more details about what you did and in what way it doesn’t work. Screenshots would be helpful!


#13

This is the command:

C:\Apache24\bin>openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out sd.key
…+++
…+++

C:\Apache24\bin>openssl req -new -x509 -days 360 -key sd.key -subj "/CN=test CA/0=AAAA test organization" -out sd.crt
req: Skipping unknown attribute "0"

C:\Apache24\bin>openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
…+++
…+++

C:\Apache24\bin>openssl req -new -key server.key -subj "/CN=localhost CA/0=AAAA test organization" -out server.csr
req: Skipping unknown attribute "0"

C:\Apache24\bin>openssl x509 -days 360 -req -in server.csr -CAcreateserial -CA sd.crt -CAkey sd.key -out server.csr
10108:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto\pem\pem_lib.c:691:Expecting: CERTIFICATE REQUEST

C:\Apache24\bin>openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client.key

…+++
…+++

C:\Apache24\bin>openssl req -new -key client.key -subj "/CN=Test User/0=AAAA Test organization/UID=testuser1" -out client.crt
req: Skipping unknown attribute "0"

C:\Apache24\bin>openssl x509 -days 360 -req -n client.csr -CAcreateserial -CA sd.crt -CAkey sd.key -out client.crt
x509: Unknown digest n
x509: Use -help for summary.

C:\Apache24\bin>openssl pkcs12 -in client.crt -inkey client.key -export -password pass: -out client.p12
unable to load certificates

C:\Apache24\bin>


#14

I’m pretty sure this should be the letter O, not the number 0.


#15

Thanks again.
I will try.


#16

Your expectation was correct, but there is another mistake.
Look:

C:\Apache24\bin>openssl req -new -key server.key -subj "/CN=localhost CA/O=AAAA test organization" -out server.csr

C:\Apache24\bin>openssl x509 -days 360 -req -in server.csr -CAcreateserial -CA sd.crt -CAkey sd.key -out server.csr
7884:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto\pem\pem_lib.c:691:Expecting: CERTIFICATE REQUEST


#17

I’ve found it. I was wrong in the extension (.csr).
This is wrong:
-out server.csr
This is right:
-out server.crt
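The command sequence from #13 with all three slips corrected (digit 0 for letter O in -subj, -n for -in, and -out pointing at the .csr instead of a new .crt), plus the trust check that #12 and #18 describe, as an added example that is not part of the thread. It assumes a POSIX shell with openssl on PATH and uses CN=localhost for the server.

```shell
#!/bin/sh
# Added example, not from the thread: post #13's sequence with the three
# mistakes fixed (letter O instead of digit 0 in -subj, -in instead of -n,
# and the signed certificate written to server.crt rather than over the
# server.csr that openssl is still reading). Runs in a temp directory;
# file names follow the thread, CN=localhost is assumed for the server.
set -eu

make_local_ca_and_server_cert() {
    dir=$(mktemp -d)
    cd "$dir"

    # 1. Private CA: key plus self-signed CA certificate ("sd" in the thread).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out sd.key 2>/dev/null
    openssl req -new -x509 -days 360 -key sd.key \
        -subj "/CN=test CA/O=AAAA test organization" -out sd.crt

    # 2. Server key and certificate signing request.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
    openssl req -new -key server.key \
        -subj "/CN=localhost/O=AAAA test organization" -out server.csr

    # 3. CA signs the request. -out must be a new file (server.crt); post #16
    #    wrote to server.csr and so truncated the request before it was read.
    openssl x509 -req -days 360 -in server.csr -CA sd.crt -CAkey sd.key \
        -CAcreateserial -out server.crt 2>/dev/null

    echo "$dir"
}

# Subject of the issued server certificate, to confirm "O=" was parsed as
# an organization and not skipped as an unknown attribute "0".
server_cert_subject() {
    openssl x509 -in "$1/server.crt" -noout -subject
}

# Succeeds when server.crt chains to sd.crt: a client that trusts sd.crt
# (e.g. after importing it into a browser) accepts the site.
verify_with_ca() {
    openssl verify -CAfile "$1/sd.crt" "$1/server.crt" >/dev/null 2>&1
}

# Same check with no trust anchors at all, which is what every browser that
# has never seen sd.crt does; it must fail, hence the warning posts #12 and
# #18 describe.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$1/server.crt" >/dev/null 2>&1
}
```

Browsers additionally require a subjectAltName on the server certificate, which `openssl x509 -req` only adds through an -extfile.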


#18

Hi @mohammed_max,

Can you please explain again why you are creating a self-signed certificate and what you expect to use this certificate for?

As @jsha described before, self-signed certificates will always produce a browser error in each new browser that encounters them, because the browser has no way of knowing if the information in the self-signed certificate is really correct or not (because anyone in the world can always create a self-signed certificate containing any information of their choice).


#19

…and why you’re asking about it here?


#20

I will mention again (which I think other users have already said) that although most certificate authorities are not willing to issue publicly-trusted certificates to users in the Sudan, or have trouble accepting payments from Sudanese customers, Let’s Encrypt does not block or forbid most users in the Sudan from obtaining certificates. In fact, there are already about 2,000 Let’s Encrypt certificates issued to users with .sd domain names:

https://crt.sh/?Identity=%.sd&iCAID=16418

So, if you have any application that could benefit from a publicly-trusted certificate, you can probably get one from Let’s Encrypt for free. (In that case you would probably want to use a Let’s Encrypt client application rather than a series of openssl commands.)