{ rené.winkelmeyer }

Self-signed SSL host certificates are for beginners

May 04, 2015
2 minutes

I normally don’t rant. But in the last days I’ve seen in various occasions comments about stuff that’s not working with a self-signed SSL host certificate.

I’m seeing this especially in the Domino area where it was (is) easy to create a simple self-signed SSL host certificate for server xyz.company.com. In my opinion too easy. Even if it’s only for a very specific purpose (like giving a few users access to a web/mobile service) the good - and only - practice is to use an Certification Authority (CA) issued certificate.

The amount of work to do so is not really high. See the following examples with OpenSSL.

Create CA Private Key

openssl genrsa -des3 -out yourca.key 4096

Create CA Certificate (10 years validity in this case)

openssl req -new -x509 -days 3650 -key yourca.key -out yourca.crt

Create Private Key for your host (i. e. traveler)

openssl genrsa -des3 -out traveler.key 4096

Create Certificate Signing Request for your host

openssl req -new -key traveler.key -out traveler.csr

Sign host Certificate with CA Certificate

openssl x509 -req -days 730 -in traveler.csr -CA yourca.crt -CAkey yourca.key -set_serial 01 -out traveler.crt

The benefit of a CA is that you can just deploy the CA certificate to your clients/mobile devices and they’ll trust any sites that have been issued with this CA.

Or - that’s what I’m using for all my sites like this blog - get a wild card (*.yoursite.com) from a vendor. It’s more than affordable like from StartSSL. The vendors are normally included in all operating systems, browsers etc. Free yourself from every hassle and stop blaming other technology/browsers/apps when they’ve a problem with your self-signed certs.