SSL certificates are used to verify your identity as well as encrypt traffic between two hosts using public-key cryptography
If SSL utilizes public key cryptography to encrypt the data between two hosts, why is a certificate necessary? The technical answer to that question is that a certificate is not strictly necessary – the data is secure and cannot easily be decrypted by a third party.
So why are certificates necessary? Certificates can be digitally signed by a Certificate Authority (CA). A CA is a trusted third party that has confirmed that the information contained in the certificate is accurate. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be who you think they are.
Public encryption keys are therefore distributed via signed and trusted SSL certificates.
Step one, generate yourself a private key for encryption:
To generate a key without a passphrase leave out -des3
openssl genrsa -des3 -out private.key 1024
Alternatively run the command below to convert a key with a passphrase to one without:
openssl rsa -in private.key -out private.key.nopassphrase
When your private key has a passphrase, Apache will have no idea what it is and prompt you for your password whenever the service is (re)started. It is also a good idea to make your private key readable only by root (chmod 400)
Now you can generate a certificate signing request (csr) file from your key file (The certificate signing request (CSR) is an unsigned copy of the SSL certificate) which is submitted to a CA for authenication and signing.
openssl req -new -key private.key -out server.csr
Our CSR has been generated and saved as server.csr. At this point you could send in the request to a CA, pay the fee, prove your identity, and then they would issue you a SSL certificate. All they need is the contents of server.csr which can be retrieved by using the cat command.
Self Signing your csr file
openssl x509 -req -days 3650 -in server.csr -signkey private.key -out server.crt
Alternatively the command below, can be used to create both the private key and self-signed SSL certificate, placing them in the same folder:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /root/ssl/apache.key -out /root/ssl/apache.crt