How to Generate Self-Signed SSL Certificates on FreeBSD Operating System

Introduction

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols designed to provide secure communication over a computer network. In today’s digital landscape, implementing SSL/TLS certificates is essential for securing web applications, mail servers, and other network services. While certificates from trusted Certificate Authorities (CAs) are preferred for production environments, self-signed certificates offer a cost-effective solution for development, testing, or internal applications.

This comprehensive guide will walk you through the process of generating and implementing self-signed SSL certificates on FreeBSD, covering everything from basic certificate creation to advanced configurations and troubleshooting.

Understanding SSL Certificates

Before diving into the technical steps, it’s important to understand what SSL certificates are and how they work:

  • SSL/TLS Certificates: Digital documents that verify the identity of a website or server and enable encrypted connections.
  • Certificate Authority (CA): An entity that issues digital certificates after verifying the identity of the certificate holder.
  • Self-Signed Certificates: Certificates that are signed by the same entity whose identity they certify, rather than by a trusted CA.
  • Public Key Infrastructure (PKI): The framework of encryption and cybersecurity that protects communications between the server and client.

Prerequisites

Before generating self-signed SSL certificates on FreeBSD, ensure you have:

  • Root or sudo access to your FreeBSD system
  • Basic understanding of terminal commands
  • Knowledge of which services you plan to secure with the certificates
  • Familiarity with text editors like vi, nano, or ee

Methods for Generating Self-Signed Certificates

FreeBSD offers several tools for generating self-signed SSL certificates. We’ll cover three primary methods:

  1. Using OpenSSL (built into FreeBSD)
  2. Using the security/easy-rsa port
  3. Creating a personal Certificate Authority (CA)

Method 1: Using OpenSSL Directly

OpenSSL is a robust, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It’s included in the FreeBSD base system, making it the most straightforward option.

Basic Self-Signed Certificate Creation

  1. First, create a directory to store your certificates:
mkdir -p /usr/local/etc/ssl/certs
mkdir -p /usr/local/etc/ssl/private
chmod 700 /usr/local/etc/ssl/private
  2. Generate a private key:
openssl genrsa -out /usr/local/etc/ssl/private/server.key 2048
  3. Create a Certificate Signing Request (CSR):
openssl req -new -key /usr/local/etc/ssl/private/server.key -out /usr/local/etc/ssl/certs/server.csr

During this process, you’ll be prompted to enter various details:

  • Country Name (2 letter code)
  • State or Province Name
  • Locality Name
  • Organization Name
  • Organizational Unit Name
  • Common Name (fully qualified domain name)
  • Email Address

The Common Name is particularly important—it should match the domain name you’re securing.

  4. Self-sign the certificate:
openssl x509 -req -days 365 -in /usr/local/etc/ssl/certs/server.csr \
    -signkey /usr/local/etc/ssl/private/server.key \
    -out /usr/local/etc/ssl/certs/server.crt

This creates a certificate valid for 365 days.

Creating a Certificate with Subject Alternative Names (SANs)

Modern browsers validate the hostname against the Subject Alternative Name extension rather than the Common Name, so a certificate that covers several names (and, in practice, any certificate a current browser is expected to accept) must carry SANs. To create a certificate with SANs:

  1. Create an OpenSSL configuration file:
ee /usr/local/etc/ssl/openssl.cnf
  2. Add the following configuration. Note that openssl req -x509 reads its extensions from x509_extensions, while req_extensions only applies when a CSR is produced, so both keys point at the same section:
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = dn

[dn]
C=US
ST=YourState
L=YourCity
O=YourOrganization
OU=YourOrganizationalUnit
CN=your-primary-domain.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = your-primary-domain.com
DNS.2 = www.your-primary-domain.com
DNS.3 = subdomain.your-primary-domain.com
IP.1 = 192.168.1.100
  3. Generate the key and certificate using this configuration:
openssl req -new -x509 -nodes -days 365 \
    -keyout /usr/local/etc/ssl/private/server-with-sans.key \
    -out /usr/local/etc/ssl/certs/server-with-sans.crt \
    -config /usr/local/etc/ssl/openssl.cnf
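As an added example that is not part of the original guide, the following script produces the same kind of SAN certificate in a single non-interactive command (using -subj and -addext instead of a configuration file, which requires OpenSSL 1.1.1 or later) and then performs the two checks worth doing before a certificate is deployed: that the SAN extension really contains every name, and that the certificate belongs to the private key next to it. The function names, the scratch directory and the host names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes OpenSSL >= 1.1.1 (-addext).
set -eu

# Create a private key and a self-signed certificate in one step.
# $1 = key path, $2 = cert path, $3 = Common Name,
# $4 = SAN list in OpenSSL syntax, e.g. "DNS:host,DNS:www.host,IP:10.0.0.1"
make_selfsigned_san() {
    openssl req -new -x509 -nodes -days 365 -sha256 \
        -newkey rsa:2048 -keyout "$1" -out "$2" \
        -subj "/C=US/O=Example/CN=$3" \
        -addext "subjectAltName=$4" 2>/dev/null
    chmod 600 "$1"   # the private key must not be world-readable
}

# True (exit 0) when the certificate's SAN extension lists the given DNS name
# or IP address exactly; browsers match the hostname against this list, not the CN.
cert_has_san() {   # $1 = cert path, $2 = name or address
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# True when the public key embedded in the certificate equals the one derived
# from the private key, i.e. the two files belong together.
cert_matches_key() {   # $1 = key path, $2 = cert path
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Run the whole cycle in a scratch directory (constructed names throughout).
demo() {
    dir=$(mktemp -d)
    make_selfsigned_san "$dir/server.key" "$dir/server.crt" \
        your-primary-domain.com \
        "DNS:your-primary-domain.com,DNS:www.your-primary-domain.com,IP:192.168.1.100"
    cert_has_san "$dir/server.crt" www.your-primary-domain.com \
        && cert_has_san "$dir/server.crt" 192.168.1.100 \
        && cert_matches_key "$dir/server.key" "$dir/server.crt"
}

demo && echo "SAN certificate generated and verified"
```

The SAN check parses the human-readable output of openssl x509 -text, so it works on any OpenSSL version; the key check compares the PEM public key extracted from both files, which is more robust than the traditional modulus comparison because it also works for EC keys.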

Method 2: Using Easy-RSA

Easy-RSA is a small PKI management utility that simplifies the process of building a Certificate Authority and generating certificates.

  1. Install Easy-RSA:
pkg install easy-rsa
  2. Create a working directory:
mkdir -p /usr/local/etc/easyrsa
cd /usr/local/etc/easyrsa
  3. Initialize the PKI:
easyrsa init-pki
  4. Build a Certificate Authority:
easyrsa build-ca

This will prompt you for a CA name and passphrase.

  5. Generate a server certificate:
easyrsa build-server-full server.example.com

You’ll be prompted for the CA passphrase you set earlier.

  6. The certificates and keys are stored in:
    • CA certificate: /usr/local/etc/easyrsa/pki/ca.crt
    • Server certificate: /usr/local/etc/easyrsa/pki/issued/server.example.com.crt
    • Server key: /usr/local/etc/easyrsa/pki/private/server.example.com.key

Method 3: Creating a Personal Certificate Authority

For environments where you need multiple certificates, creating a personal CA allows you to issue certificates that will be trusted once the CA is added to client systems.

  1. Create directories for your CA (listed explicitly so the command also works in shells without brace expansion, such as FreeBSD’s /bin/sh):
mkdir -p /usr/local/etc/ssl/CA/certs /usr/local/etc/ssl/CA/crl \
    /usr/local/etc/ssl/CA/newcerts /usr/local/etc/ssl/CA/private
chmod 700 /usr/local/etc/ssl/CA/private
  2. Create the CA database and serial-number files:
touch /usr/local/etc/ssl/CA/index.txt
echo "01" > /usr/local/etc/ssl/CA/serial
  3. Create a configuration file for your CA:
ee /usr/local/etc/ssl/CA/openssl.cnf

Add a complete CA configuration: at minimum a [ca] section that points at the directories and files created above, a v3_ca extension section for the CA certificate and a server_cert extension section for issued certificates, since the commands below refer to those section names (a full sample is too long to include here, but standard OpenSSL CA configurations are readily available online).

  4. Generate the CA private key:
openssl genrsa -aes256 -out /usr/local/etc/ssl/CA/private/ca.key 4096
  5. Create the CA certificate:
openssl req -config /usr/local/etc/ssl/CA/openssl.cnf \
    -key /usr/local/etc/ssl/CA/private/ca.key \
    -new -x509 -days 3650 -sha256 -extensions v3_ca \
    -out /usr/local/etc/ssl/CA/certs/ca.crt
  6. Generate a server key:
openssl genrsa -out /usr/local/etc/ssl/CA/private/server.key 2048
  7. Create a CSR for the server:
openssl req -config /usr/local/etc/ssl/CA/openssl.cnf \
    -key /usr/local/etc/ssl/CA/private/server.key \
    -new -sha256 -out /usr/local/etc/ssl/CA/certs/server.csr
  8. Sign the server certificate with your CA:
openssl ca -config /usr/local/etc/ssl/CA/openssl.cnf \
    -extensions server_cert -days 365 -notext -md sha256 \
    -in /usr/local/etc/ssl/CA/certs/server.csr \
    -out /usr/local/etc/ssl/CA/certs/server.crt
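The guide leaves out the CA configuration file. As an added example that is not part of the original guide, the script below supplies a minimal openssl.cnf for exactly the layout and section names used in Method 3 (index.txt, serial, newcerts, v3_ca, server_cert), then runs the whole cycle non-interactively in a scratch directory: encrypted CA key, CA certificate, server key and CSR with a SAN, signing with openssl ca, and finally openssl verify, which is the check a client holding the CA certificate will perform. The configuration contents, the passphrase and all paths and names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Supplies a minimal CA config for
# the directory layout of Method 3 and runs the issue-and-verify cycle without
# prompts. Config contents, paths, host names and passphrase are constructed.
set -eu

write_ca_config() {   # $1 = CA base directory (absolute path)
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/ca.key
certificate     = \$dir/certs/ca.crt
default_md      = sha256
default_days    = 365
policy          = policy_loose
# copy: take the SAN from the CSR, but never let a CSR override the
# extensions fixed in [ server_cert ] (for example by requesting CA:TRUE)
copy_extensions = copy

[ policy_loose ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ req ]
default_bits       = 2048
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

setup_ca() {   # $1 = CA base directory, $2 = CA key passphrase
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    touch "$1/index.txt"
    echo 01 > "$1/serial"
    write_ca_config "$1"
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/private/ca.key" 4096 2>/dev/null
    openssl req -config "$1/openssl.cnf" -key "$1/private/ca.key" -passin "pass:$2" \
        -new -x509 -days 3650 -sha256 -extensions v3_ca \
        -subj "/CN=Example Internal CA" -out "$1/certs/ca.crt"
}

issue_server_cert() {   # $1 = CA base directory, $2 = CA passphrase, $3 = hostname
    openssl genrsa -out "$1/private/$3.key" 2048 2>/dev/null
    openssl req -config "$1/openssl.cnf" -key "$1/private/$3.key" -new -sha256 \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" -out "$1/certs/$3.csr"
    openssl ca -config "$1/openssl.cnf" -batch -passin "pass:$2" \
        -extensions server_cert -days 365 -notext -md sha256 \
        -in "$1/certs/$3.csr" -out "$1/certs/$3.crt" 2>/dev/null
}

# Exit 0 only if the certificate chains to the CA certificate.
verify_chain() {   # $1 = CA cert, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway CA, issue one server cert, verify it, print the CA directory.
demo_ca() {
    ca=$(mktemp -d); pass=example-ca-passphrase   # constructed for the demo
    setup_ca "$ca" "$pass" >/dev/null
    issue_server_cert "$ca" "$pass" server.example.test >/dev/null
    verify_chain "$ca/certs/ca.crt" "$ca/certs/server.example.test.crt" && echo "$ca"
}

demo_ca >/dev/null && echo "server certificate chains to the CA"
```

Two design choices matter for security here: copy_extensions = copy lets each CSR carry its own SAN while the fixed [ server_cert ] section still wins for basicConstraints, keyUsage and extendedKeyUsage, and the CA key is stored encrypted (-aes256) exactly as in step 4, with the passphrase supplied through -passin/-passout only so the demo can run unattended.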

Implementing SSL Certificates on Common Services

Configuring Nginx

  1. Install Nginx if not already installed:
pkg install nginx
  2. Configure Nginx to use your SSL certificate:
ee /usr/local/etc/nginx/nginx.conf

Add or modify the server block:

server {
    listen 443 ssl;
    server_name your-domain.com;

    ssl_certificate /usr/local/etc/ssl/certs/server.crt;
    ssl_certificate_key /usr/local/etc/ssl/private/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Additional SSL configuration...

    location / {
        root /usr/local/www/nginx;
        index index.html index.htm;
    }
}
  3. Test the configuration and restart Nginx:
nginx -t
service nginx restart

Configuring Apache

  1. Install Apache if not already installed:
pkg install apache24
  2. Enable the SSL module:
ee /usr/local/etc/apache24/httpd.conf

Uncomment the line:

LoadModule ssl_module libexec/apache24/mod_ssl.so
  3. Configure Apache to use your SSL certificate:
ee /usr/local/etc/apache24/extra/httpd-ssl.conf

Update the configuration:

<VirtualHost *:443>
    ServerName your-domain.com
    DocumentRoot "/usr/local/www/apache24/data"
    
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/ssl/certs/server.crt"
    SSLCertificateKeyFile "/usr/local/etc/ssl/private/server.key"
    
    # Additional SSL configuration...
</VirtualHost>
  4. Test the configuration and restart Apache:
apachectl configtest
service apache24 restart

Advanced Configuration and Best Practices

Enhancing Security

To improve the security of your SSL implementation:

  1. Use strong cipher suites:
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
  2. Enable HSTS (HTTP Strict Transport Security):
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

HSTS only pays off once clients trust the certificate: with a self-signed certificate that has not been imported, it turns the browser’s click-through warning into a hard block, and the preload token is only meaningful for domains submitted to the browser preload lists, so leave it off internal hosts.

  3. Set appropriate permissions for private keys:
chmod 600 /usr/local/etc/ssl/private/server.key

Certificate Renewal

Self-signed certificates expire based on the validity period specified during creation. To renew:

  1. Check the expiration date:
openssl x509 -in /usr/local/etc/ssl/certs/server.crt -noout -enddate
  2. Follow the same process used for initial creation to generate a new certificate.
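Reading -enddate by eye does not scale once a host carries several certificates. As an added example that is not part of the original guide, the functions below turn the expiry check into something a cron or periodic(8) job can run: openssl x509 -checkend, which exits non-zero when the certificate will have expired within the given number of seconds, is easier to script than parsing the date and behaves the same on FreeBSD and Linux. The function names and the warning window are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: a scriptable renewal check
# built on openssl x509 -checkend rather than on parsing -enddate.

# True (exit 0) when the certificate is already expired or will expire
# within $2 days; false when it stays valid beyond that window.
cert_needs_renewal() {   # $1 = certificate path, $2 = warning window in days
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1   # still valid past the window
    fi
    return 0
}

# Print every .crt file in a directory that falls inside the window, with its
# notAfter date, so the output can be mailed or logged by a periodic job.
report_expiring() {   # $1 = directory holding .crt files, $2 = window in days
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        if cert_needs_renewal "$crt" "$2"; then
            printf '%s: %s\n' "$crt" "$(openssl x509 -in "$crt" -noout -enddate)"
        fi
    done
}

# Usage on a FreeBSD host following this guide (path assumed from the guide):
#   report_expiring /usr/local/etc/ssl/certs 30
```

Because cert_needs_renewal only uses the exit status of openssl, it can also be dropped into a monitoring check directly; a window of 30 days leaves enough time to regenerate and redeploy a certificate before clients start rejecting it.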

Troubleshooting Common Issues

Certificate Not Trusted

When using self-signed certificates, browsers will display warnings. To resolve:

  1. Development environment: Add an exception in your browser.
  2. Internal applications: Import your CA certificate into your organization’s trusted root store.

Name Mismatch Errors

If you receive errors about the certificate name not matching the domain:

  1. Ensure the Common Name (CN) or Subject Alternative Name (SAN) in your certificate matches the domain you’re accessing.
  2. Use the -subj option with OpenSSL to explicitly set the subject:
openssl req -new -key server.key -out server.csr -subj "/CN=your-domain.com"

Permission Issues

If your web server can’t read the certificates:

  1. Check the ownership and permissions:
ls -l /usr/local/etc/ssl/certs/server.crt
ls -l /usr/local/etc/ssl/private/server.key
  2. Adjust as needed:
chown root:www /usr/local/etc/ssl/private/server.key
chmod 640 /usr/local/etc/ssl/private/server.key

Conclusion

Generating and implementing self-signed SSL certificates on FreeBSD is a straightforward process that significantly enhances the security of your internal or development systems. While self-signed certificates aren’t suitable for public-facing production environments, they provide the same level of encryption as certificates from trusted CAs, making them perfect for internal services, development environments, and testing.

Remember that security is an ongoing process. Regularly review and update your SSL configurations to address new vulnerabilities and maintain best practices. When your application moves to production, consider upgrading to certificates from trusted CAs to avoid browser warnings and provide a seamless experience for your users.

By following the steps outlined in this guide, you can effectively secure your FreeBSD services with SSL encryption, protecting sensitive data and ensuring the integrity of your communications.