Linux : How to generate SSL certificate key pair

December 3, 2011

Here are the few steps to generate the private key, the certificate signing request (CSR) and a self-signed certificate, and how to get rid of the passphrase prompt when starting your application.

Okay, let’s start. Go to the directory where you want to store your certificate files. This example assumes your common name (aka : host name) will be “secure.certificate.tld”.

The whole process explained below is a step-by-step procedure for every stage. There is also a single command that does it all (generates the private key without a passphrase and the CSR). Use this one-step command if that is what you need; you should then be good to go requesting the certificate from the Certificate Authority (or your SSL vendor). Otherwise, jump to the self-signed certificate step further below.

Generate a private key without a passphrase + CSR :

openssl req -new -newkey rsa:2048 -nodes -keyout secure.certificate.tld.key -out secure.certificate.tld.csr

Manual step-by-step procedure :

First, create a private key :

openssl genrsa -des3 2048 > secure.certificate.tld.key

Second, create a certificate signing request (known as a CSR) :

openssl req -new -key secure.certificate.tld.key > secure.certificate.tld.csr

Almost done. You may now provide the CSR to your Certificate Authority (CA) to obtain your certificate. You may also generate a self-signed certificate if you do not need to purchase one. The connection is encrypted just the same with a self-signed certificate, but browsers will warn your visitors that the certificate is not trusted, because no known CA vouches for it. That’s why it’s not appropriate for online sales. Note that without a -days option, openssl req -x509 issues a certificate valid for only 30 days; add for example -days 365 to get one year.

openssl req -x509 -key secure.certificate.tld.key -in secure.certificate.tld.csr > secure.certificate.tld.crt

Now, you may notice that every time you start your application (the one that uses your certificate), it asks for the passphrase before starting. You can get rid of the passphrase with the following steps.

Back up the key file first :

cp -p secure.certificate.tld.key secure.certificate.tld.key.bak

Then, remove the passphrase :

openssl rsa -in secure.certificate.tld.key.bak -out secure.certificate.tld.key

For more security, make sure the key file is readable only by its owner (root in this example). Once the passphrase is removed, the key sits in plaintext on disk and the file permissions are all that protect it :

chmod 400 secure.certificate.tld.key
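The whole procedure above as one non-interactive script, with a check that the key, the CSR and the certificate actually belong together. This is an added example, not code from the original post; it assumes the openssl CLI is on PATH, and the common name and output directory are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not code from the original post: one non-interactive run of the
# whole procedure above (key without passphrase, CSR, self-signed certificate,
# restrictive permissions), followed by checks that the three files belong together.
# Assumes the openssl CLI is on PATH; CN and output directory are the caller's.

# gen_cert CN OUTDIR [DAYS] -> OUTDIR/CN.key (no passphrase), CN.csr, CN.crt
gen_cert() (
  cn="$1"; dir="$2"; days="${3:-365}"
  umask 077                      # subshell body, so the umask change stays local
  mkdir -p "$dir" || exit 1
  # Private key without passphrase plus CSR in one step (-nodes = no DES3 wrapping);
  # -subj replaces the interactive prompts.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$dir/$cn.key" -out "$dir/$cn.csr" >/dev/null 2>&1 || exit 1
  # Self-signed certificate from that CSR. Without -days the default is 30 days.
  openssl req -x509 -days "$days" -sha256 -in "$dir/$cn.csr" \
    -key "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null || exit 1
  chmod 400 "$dir/$cn.key"       # plaintext key on disk: owner-read only
)

# verify_cert CN OUTDIR -> 0 only if key, CSR and certificate carry the same
# public key, the key opens without a passphrase, the subject is the expected
# CN, and the certificate validates against itself (self-signed).
verify_cert() {
  cn="$1"; dir="$2"
  # Empty passphrase: an encrypted key fails here instead of prompting.
  key_pub=$(openssl pkey -in "$dir/$cn.key" -pubout -passin pass: 2>/dev/null) || return 1
  csr_pub=$(openssl req -in "$dir/$cn.csr" -pubkey -noout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$dir/$cn.crt" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] && [ "$key_pub" = "$crt_pub" ] || return 1
  openssl x509 -in "$dir/$cn.crt" -noout -subject 2>/dev/null | grep -q "CN *= *$cn" || return 1
  openssl verify -CAfile "$dir/$cn.crt" "$dir/$cn.crt" >/dev/null 2>&1
}
```

Run it as `gen_cert secure.certificate.tld /etc/ssl/private 365 && verify_cert secure.certificate.tld /etc/ssl/private`; the same verify_cert check is useful before deploying a CA-issued certificate, since a certificate that does not match the key is the most common cause of a server refusing to start.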