Friday, 9 March 2012

Creating Stronger Self-Signed SSL Certificates For Testing

I prefer to use Google Chrome (developer channel) as my web browser and recently it began complaining about the self-signed SSL certificates I was using on a number of internal web applications I have developed. The error Chrome displayed was:


The site's security certificate is signed using a weak signature algorithm!
[snip]


I originally created the certificates using the instructions in the Apache SSL FAQ. It turns out that this results in SSL certificates that use the weaker MD5 signature hash algorithm, which is the cause of the complaint. This is easily fixed by adding '-sha1' to the openssl command line when generating the certificate, like so:

$ openssl req -new -x509 -sha1 -nodes -out server.crt -keyout server.key
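
To confirm which signature hash a certificate actually ended up with, the check below reads it back out of the file. It is an added example, not part of the original post: the function names and the subject test.internal.example are made up for illustration, and because browsers have since stopped accepting SHA-1 signatures as well, it flags both MD5 and SHA-1 and generates its sample certificate with -sha256.

```shell
#!/bin/sh
# Added example: report the signature algorithm of a certificate and flag
# the hashes browsers reject. Function names are illustrative assumptions.

# Print the signature algorithm of the PEM certificate in $1.
sig_alg_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ && !seen++ { print $3 }'
}

# Classify an algorithm name as printed by openssl: "weak" or "ok".
classify_sig_alg() {
    case "$1" in
        md2*|md4*|md5*|sha1*|*-SHA1|dsaWithSHA1) echo weak ;;
        *) echo ok ;;
    esac
}

# Generate a throwaway self-signed certificate without prompting.
# $1 = output directory, $2 = digest name passed as -<digest> (e.g. sha256).
make_test_cert() {
    openssl req -new -x509 -"$2" -nodes -newkey rsa:2048 -days 30 \
        -subj "/CN=test.internal.example" \
        -out "$1/server.crt" -keyout "$1/server.key" 2>/dev/null
}

# Demo: create a certificate in a temporary directory and check it.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_test_cert "$tmp" sha256
    alg=$(sig_alg_of "$tmp/server.crt")
    echo "$alg: $(classify_sig_alg "$alg")"
    rm -rf "$tmp"
fi
```

Pointing sig_alg_of at an existing server.crt shows whether it still needs to be regenerated.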