When we are doing development and testing tasks, we often need to use HTTPS to verify that everything is working correctly.
For this, we do not need a “real” SSL certificate. For our tests, a self-signed SSL certificate may be more than sufficient (in fact, it’s a very common tool in development).
Self-signed certificates are “signed by yourself because potato.” The traffic is still encrypted, but nobody other than you vouches for the server’s identity, so they do not have much validity or security.
Self-signed SSL certificates are not validated by a certificate authority. In fact, most browsers will show a warning (and rightly so).
But they are useful for internal testing and local development (not for production environments), where we need to test that something works with HTTPS.
So let’s see how to obtain and configure a self-signed SSL certificate on a Linux machine like Raspberry Pi.
Prepare Your Raspberry
First, we make sure that our Raspberry Pi is up to date.
sudo apt update
sudo apt upgrade
It also needs to have the necessary web server installed. For this tutorial, we will use either Apache or Nginx interchangeably.
Generate the Self-Signed SSL Certificate
Now, we will install OpenSSL, which is a key tool for generating self-signed certificates.
sudo apt install openssl
We will use OpenSSL to create the self-signed certificate. In this process, two files will be generated:
- A certificate
- A private key
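First, we make sure the directory for the private key exists and is only accessible by root. The -p option keeps mkdir from failing if the directory is already there.
sudo mkdir -p /etc/ssl/private
sudo chmod 700 /etc/ssl/private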
Now, we generate the private key and the certificate. The following command creates a 2048-bit private key and a self-signed certificate valid for one year. The -nodes option stores the key without a passphrase, so the web server can load it at startup without prompting for one:
sudo openssl req -x509 -newkey rsa:2048 -nodes -keyout /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.crt -days 365
During this process, you will be prompted to enter some details such as the country, state, city, organization name, etc. These details will be incorporated into the certificate.
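As an added example (not part of the original tutorial), the script below wraps the same openssl req call in a non-interactive function that also sets a subjectAltName, and adds a check to run before restarting the web server: key and certificate match, remaining validity, SAN entry, and key file permissions. The function names, the 7-day threshold and the use of -subj and -addext (OpenSSL 1.1.1 or later) are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial). Host name and paths are caller-supplied.

# make_selfsigned HOST KEY CRT [DAYS]
# The tutorial's openssl req call, made non-interactive (-subj) and given a
# subjectAltName (-addext, OpenSSL 1.1.1+), which browsers use for name checks.
make_selfsigned() {
  local host="$1" key="$2" crt="$3" days="${4:-365}"
  ( umask 077   # create the key readable by its owner only
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
      -keyout "$key" -out "$crt" \
      -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
  ) || return 1
  chmod 644 "$crt"   # the certificate itself is public
}

# check_pair HOST KEY CRT
# Prints one line per problem found; returns non-zero if there is any.
check_pair() {
  local host="$1" key="$2" crt="$3" rc=0 cert_pub key_pub mode
  # 1. The certificate must contain the public half of this private key.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "key and certificate do not match (or cannot be read)"; rc=1
  fi
  # 2. Still valid 7 days from now (-checkend takes seconds).
  if ! openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null 2>&1; then
    echo "certificate is expired or expires within 7 days"; rc=1
  fi
  # 3. HOST must appear as a DNS entry in subjectAltName.
  if ! openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null |
       tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$host"; then
    echo "subjectAltName does not list $host"; rc=1
  fi
  # 4. No group/other permission bits on the private key.
  mode=$(stat -c %a "$key" 2>/dev/null)
  case "$mode" in
    [0-7]00) ;;
    *) echo "private key mode is ${mode:-unknown}, expected 600 or 400"; rc=1 ;;
  esac
  return "$rc"
}
```

Run check_pair as root, since the key under /etc/ssl/private is not readable by other users. A certificate created with the interactive command above has no subjectAltName, so check 3 will report it.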
Configure the Server to Use the Certificate
Configure Apache
If you are using Apache, follow these steps to configure the web server with the self-signed certificate.
Open the Apache SSL configuration file to enable SSL.
sudo nano /etc/apache2/sites-available/default-ssl.conf
Find the following lines and modify them to point to the files we just created:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/selfsigned.key
Now we enable the SSL module of Apache and the SSL configuration site:
sudo a2enmod ssl
sudo a2ensite default-ssl
Finally, we restart Apache to apply the changes:
sudo systemctl restart apache2
Configure Nginx to Use the Certificate
If you prefer to use Nginx, follow the steps below to configure the web server with the self-signed certificate.
We open the configuration file of the site we wish to modify. For example, if you are using the default site, edit the default file:
sudo nano /etc/nginx/sites-available/default
Now we configure the paths for the certificate and the key. Inside the server { } block, we make sure that the following lines are present and pointing to the files we have created:
server {
    listen 443 ssl;
    server_name example.local;
    ssl_certificate /etc/ssl/certs/selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/selfsigned.key;
    location / {
        root /var/www/html;
        index index.html index.htm;
    }
}
You can also keep the server listening on port 80 (HTTP) and redirect all traffic to HTTPS by adding the following:
server {
    listen 80;
    server_name example.local;
    return 301 https://$host$request_uri;
}
Check that the Nginx configuration has no errors with the following command:
sudo nginx -t
Finally, we restart Nginx to apply the changes:
sudo systemctl restart nginx
Verify the Installation
Now, let’s check that everything is working correctly. Open a web browser and access https://<your_ip_or_domain>.
You should see the lock 🔒 in the address bar, but with a security warning stating that the certificate is not validated by a certificate authority.
This is normal for a self-signed certificate (as we anticipated before). If you see the lock, then everything is fine.