SSL Certificates

Strictly speaking, this isn’t a WordPress post. However, it is related to the server setup I use for WordPress development and testing.

I’ve been using Apache’s built in snakeoil SSL certificate because the server was only accessible on port 443. However, this gave that ugly and very scary looking untrusted SSL certificate error whenever I accessed my own development server. One day, I got sick of that extra click to confirm that I wanted to continue, so I decided to do something about it.

Generating a new Certificate

Information about generating self-signed SSL certificates is available in the documentation located at /usr/share/doc/apache2.2-common/README.Debian.gz

Run the command

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt

This will prompt for the hostname, where I put the domain name of the dyndns address. This command generates both the public and private key and puts them in the same file. The documentation suggests putting it in /etc/ssl/private

Configuring Apache

Modify the apache2 configuration in /etc/apache2/sites-enabled/default-ssl
Change the value of “SSLCertificateFile” to the path of the newly generated certificate. Comment out “SSLCertificateKeyFile” as both parts are in the certificate file.

Generating the Public Key for the Cert

Generate the public key portion of the certificate by running

openssl x509 -in /path/to/cert-file.crt -out /path/to/output -pubkey

Importing the Certificate

Copy the public certificate file to the host machine. You can also do this on other machines used regularly to access the web server.

From Start -> Run, type in ‘mmc’. Go to File->Add/Remove Snap-in, and add the certificate snap-in.
Expand Trusted Root Certification Authorities ->Certificates, then go to Action->All Tasks->Import in the menu.

Import the public key file. The default location is Trusted Root Certification Authority.

After this, Chrome and IE will no longer give scary looking warnings about untrusted certificates.