Self-signed SSL Certificates

If you’re logging into a website or posting to the web unencrypted, you’re doing it wrong. I use WordPress and it’s pretty secure, but there’s nothing they can do about unencrypted traffic between your browser and the server.1 WordPress has a feature to force encrypted logins and administration pages, but that’s not going to do you much good if you don’t have a SSL certificate.

Self-signed certificates can be perfectly safe, but there are a couple things you should know.

  1. Don’t let anybody get your key file. With it, anybody can download your certificate and serve it on their website.
  2. Listen to the warnings your browser tells you about. Know that your self-signed certificate may generate warnings and that the only thing companies like Verisign do is verify the certificate is unique and was generated by a known good source.
  3. You probably want to avoid serving self-signed certificates on sites meant for pulic consumption because of the errors mentioned above. I’m going to offer an exception to this here, but keep the error messages in mind.

Since you are the only one logging into your WordPress site, you don’t have to worry about scaring away readers with a self-signed SSL certificate. If you’re running an e-commerce site, you’re going to want to go ahead and pay for a certificate that’s not going to generate warnings. It’s possible to tell your browser to ignore the warnings, but you’ll still scare away most potential customers.

Generate the Certificate

The first thing we need to do is generate a server key. From there we’ll generate the certifiate signing request and then the certificate. Last, we’ll need to generate a version of the key that doesn’t require a password or you’ll have to enter the password on the console every time Apache restarts.2

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

As I’ve mentioned already, make sure you guard server.key with your life. Ideally you would’ve used a secure password to protect the key at the beginning, so server.key.secure should be safe, but guard that too. You’ll want to make sure you get a copy of server.crt on your local machine. If you’re on a Mac, you can add it the the Keychain so you won’t be bugged every time you visit the site with your self-signed certificate.

Installing the Certificate

In this case, I’m going to install the certificate on an Ubuntu server running Apache, but the process will be similar for any Unix environment. Assuming you already have Apache running, we’re going to move the key and the certificate to the place where they’ll be served from, and enable mod_ssl.

cp server.key /etc/apache2/ssl
cp server.crt /etc/apache2/ssl
a2enmod ssl

Then we’ll need to configure the virtual host. Look in /etc/apache2/sites-available for default-ssl. There you’ll need to configure the host just as you did when you initially set up the server, being sure to change the DocumentRoot and Directory from /var/www if need be. Then, enable the virtual host and restart Apache.

a2ensite default-ssl
service apache2 restart

If everything was configured correctly, you should now be able to visit your site with the https protocol.

WordPress

On a WordPress site, you can force SSL logins and administration by adding the following lines to your wp-config file.

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

Update

It has been pointed out by a few people that training people to ignore security warnings isn’t the right approach. I never meant to suggest training people to ignore the warnings. If you’re going to self-sign an SSL certificate for your website, you have to install the certificate locally or you’ll have no way to verify that you’re actually connected to the right host and not a victim of a man-in-the-middle attack.

Resources


  1. I’m not talking about WordPress.com blogs here. If your site is hosted on WordPress.com, they’ve obviously taken care of all this already. 
  2. I’ve been there. It’s not fun. Even a little. 

Published by

Josh Betz

Code Wrangler for WordPress.com VIP & Wisconsin Alum.

14 thoughts on “Self-signed SSL Certificates”

  1. If you don’t want to self-sign, there are also two free options.

    If you have your own domain, https://www.startssl.com/ includes a free certificate if you have an email address, and, their chained root certificate is recognized in all of the recent browsers.

    http://www.cacert.org/ is also free, and their chained root is also recognized. They do operate on donations.

    1. cacert.org itself gave an “Server’s certificate is not trusted” error in Chrome for me. Given that it has around 20-30% market share, that’s a deal breaker.

  2. You can also pick up a dirt cheap Comodo cert from namecheap.com 9 bucks for a year!

    On an unrelated note, your circle profile picture crop make it look as if I have a yarmelke floating above my head. fun.

  3. Just so you’re aware, this can only protect you if you install your signing cert locally to verify the self-signed cert hasn’t been replaced.

    If you don’t, you’re still vulnerable to man-in-the middle attacks since the middle man can proxy your site and sign it with his own self-signed cert (generated on the fly) using the same values you did. The only way you could tell the difference is if you noticed the fingerprint of the signature had changed.

    1. Thanks for pointing that out. I thought I tried to emphasize it in the article, but apparently missed it. One thing though, wouldn’t it be irrelevant if he used the same values you did? If the cert isn’t installed locally, you’re just going to be bypassing warnings from your browser anyway…

    2. I read your comment about getting the cert into your keycain as a suggestion rather than a requirement (wonderful how imprecise the english language is, isn’t it…)

      It’s relevancy depends on whether you actually look at the cert or not. If you just click the button to bypass the warning page it doesn’t matter; but I like to look at the values in certs.

      Also, your comments need the ability to reply to a reply :)

  4. Thanks for the info Josh, great to know how to force secure logins on WP, especially since having it hacked could cause so many issues for any high traffic blog. Real egg on your face.

    I have a suggestion for request creation and SSL installation that makes the process even easier.

    http://www.digicert.com/csr-creation-apache.htm

    DigiCert has an awesome little tool that will actually create 1 command to do everything so you just need to submit it to your SSL provider. Even if you don’t use them for the SSL Certificate, you can still use the tool, it’s open to all.

    I’ll be honest and let you know that I work for DigiCert (I head up the support team there), but since the tool is free to anyone, I don’t mind talking about it.

    Hope it helps!

  5. If you don’t verify signature of your certificate (and just skip the warning without comparing the numbers) then it’s not more secure than HTTP for active attacker (e.g. unsecured Wi-Fi networks, hacked routers).

    This is because attacker can replace your self-signed certificate with attacker-signed certificate, and it will look the same to your browser.

  6. WordPress has a feature to force encrypted logins and administration pages, but that’s not going to do you much good if you don’t have a SSL certificate.  It is really important to verify signature of your certificates. Thanks a lot for this very informative information, I learned a lot of new things and ideas/knowledge in SSL.

  7. Using SSL information can really help when it comes to protection. Well, It really depends on how you used it. Just follow the given guidelines.

  8. Thank you all. Just need a clarification on Self Sign Certification, is there any restriction using 1024bit Key Length self-sign cert for a website (company Web mail) outside US?

    1. As others have hinted at, I wouldn’t self-sign a certificate if it’s something for more than just yourself.

Comments are closed.