LuisLlamas Logo
conseguir-certificado-autofirmado-raspberry-pi

How to Obtain a Self-Signed Certificate for Development on Raspberry Pi

  • 4 min
  • Beginner

When we are doing development and testing tasks, we often need to use HTTPS to verify that everything works correctly.

For this, we don’t need a “real” SSL certificate. For our tests, a self-signed SSL certificate can be more than enough. (in fact, it’s a very common tool in development).

You sign self-signed certificates “yourself because why not”. Obviously, they don’t have great validity or security.

Self-signed SSL certificates are not validated by a certificate authority. In fact, most browsers will show a warning (and rightly so).

But they are useful for internal tests and local development (not for production environments), where we need to test that something works with HTTPS.

So let’s see how to obtain and configure a self-signed SSL certificate on a Linux machine like a Raspberry Pi.

Prepare Your Raspberry Pi

First, we make sure our Raspberry Pi is up to date.

sudo apt update sudo apt upgrade

It must also have the necessary web server installed. For this tutorial, we will use Apache or Nginx interchangeably.

Generate the Self-Signed SSL Certificate

Now, we are going to install OpenSSL, a key tool for generating self-signed certificates.

sudo apt install openssl

We will use OpenSSL to create the self-signed certificate. In this process, two files will be generated:

  • A certificate
  • A private key

First, create a directory for the certificates.

sudo mkdir /etc/ssl/private sudo chmod 700 /etc/ssl/private

Now, generate the private key and the certificate. The following command creates a 2048-bit private key and a self-signed certificate valid for one year:

sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.crt -days 365

During this process, you will be asked to enter some details, such as country, state, city, organization name, etc. These details will be incorporated into the certificate.

Configure the Server to Use the Certificate

Configure Apache

If you are using Apache, follow these steps to configure the web server with the self-signed certificate.

Open the Apache SSL configuration file to enable SSL.

sudo nano /etc/apache2/sites-available/default-ssl.conf

Find the following lines and modify them to point to the files we just created:

SSLEngine on
SSLCertificateFile /etc/ssl/certs/selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/selfsigned.key
Copied!

Now enable the Apache SSL module and the SSL configuration site:

sudo a2enmod ssl sudo a2ensite default-ssl

Finally, restart Apache to apply the changes:

sudo systemctl restart apache2

Configure Nginx to Use the Certificate

If you prefer to use Nginx, follow the steps below to configure the web server with the self-signed certificate.

Open the configuration file for the site you want to modify. For example, if you are using the default site, edit the default file:

sudo nano /etc/nginx/sites-available/default

Now configure the certificate and key paths. Inside the server { } block, make sure the following lines are present and pointing to the files we created:

server {
   listen 443 ssl;
   server_name example.local;

   ssl_certificate /etc/ssl/certs/selfsigned.crt;
   ssl_certificate_key /etc/ssl/private/selfsigned.key;

   location / {
       root /var/www/html;
       index index.html index.htm;
   }
}
Copied!

You can also leave the server listening on port 80 (HTTP) and redirect all traffic to HTTPS by adding the following:

server {
   listen 80;
   server_name example.local;

   return 301 https://$host$request_uri;
}
Copied!

Verify that the Nginx configuration has no errors with the following command:

sudo nginx -t

Finally, restart Nginx to apply the changes:

sudo systemctl restart nginx

Verify the Installation

Now, let’s check that everything is working correctly. Open a web browser and go to https://<your_ip_or_domain>.

You should see the lock 🔒 in the address bar, but with a security warning informing you that the certificate is not validated by a certificate authority.

This is normal for a self-signed certificate (we already anticipated this earlier). If you see the lock, everything is fine.

On this page