Overview
A self-signed certificate is an SSL certificate that has not been validated by a Certificate Authority (CA). That's what meant in that it is 'self' signed.
The level of encryption can be the same as any other certificate, but because it's not validated by a CA, the browser will display a warning when visiting the site.
For this reason, these types of certificates are only recommended for internal use on your website where no visitor would ever see or come into contact with.
Browser warnings for self-signed certificates
Because a trusted authority did not sign it, browsers cannot trust it. It will still function normally, but visitors to your site will see a warning. Below are examples of what a visitor would see in Firefox and Chrome.
If you want to attract visitors to your site, DO NOT use a self-signed certificate.
Firefox
Chrome
Creating a self-signed certificate
There is no way in the DreamHost panel to add a self-signed certificate. You have two options to create this type of cert.
- Create it via SSH command line
- 3rd party website
Creating a self-signed certificate via SSH
You can run these commands on a Linux or Mac computer, however these instructions show how to log into your DreamHost web server to run the commands.
- Log into your DreamHost web server via SSH.
- Connect to your domain via SSH. Visit the SSH article for instructions.
- Once logged into your server via SSH, make sure you're in your user's home directory:
[server]$ cd ~
- Run openssl to create your private key which you will use to create the CSR. Type in the following to open the OpenSSL command line tool.
[server]$ openssl
- Your command prompt now changes to OpenSSL> which means you’re ready to run the following commands.
- Generate a new RSA private key by entering the following command without a password:
OpenSSL> genrsa -out Private.key 2048 Generating RSA private key, 2048 bit long modulus ........................................................+++ ........................................................+++ e is 65537 (0x10001)
- Using this new private key, create the certificate.
OpenSSL> req -new -x509 -key Private.key -out Certificate.crt -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []:
- The step above asks you for your site information to create a CSR. You can just click through these options without entering anything since your browser will throw a warning for the Self-Signed certificate by default.
- Log out of OpenSSL
OpenSSL> quit
- Check to confirm your private key and certificate have been created.
[server]$ ls -1 Certificate.crt Private.key
Now that the private key and certificate have been created, you can install them in your panel using the following article:
Using SSH, you can open the files to view their contents by running cat:
[server]$ cat Certificate.crt [server]$ cat Private.key
Creating a self-signed cert with an online website
There are several websites that allow you to create a self-signed certificate within it such as the following:
Forcing your site to load HTTPS be default
Even after you have added the SSL certificate to your site, visitors will not be able to use it unless they manually type in https before your domain name. This defeats the purpose of adding it in the first place since the certificate is meant to protect all of your website traffic.
There are several ways to fix this. View the following article for instructions on how to create a configuration file to redirect all visitor traffic to the secure version of your URL (HTTPS):
