How do I create a self-signed SSL certificate?

Ubuntu, even the 'minimal' flavour, comes with the ssl-cert package pre-installed, which means you don't need to do anything.

The files you're looking for are already on your system:

/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key


Advanced:

If for some reason you need to create a fresh certificate, you can run

sudo make-ssl-cert generate-default-snakeoil --force-overwrite 

If you want to change the expiration date of your certificate, you can manipulate the make-ssl-cert script at /usr/sbin/make-ssl-cert. Around line 124 there's a line similar to this:

openssl req -config $TMPFILE -new -x509 -nodes \ 

Where you can change the expiration date by adding the -days argument:

openssl req -config $TMPFILE -new -days 365 -x509 -nodes \ 

More options can be found in the manual page of req.


As already mentioned, Ubuntu Server comes with the necessary tools. Depending on your server version you'll have to look up the specific documentation. I'll try to summarize the self-signed certificate generation process of the current LTS (12.04).

First you generate the keys for the Certificate Signing Request (CSR):

openssl genrsa -des3 -out server.key 2048

It's up to you to enter a passphrase or not. If you do, every time you (re)start a service using that certificate, you'll have to provide the passphrase. OTOH you can create an "insecure" key without a passphrase from the secure one:

openssl rsa -in server.key -out server.key.insecure
# shuffle the key names to continue without passphrases
mv server.key server.key.secure
mv server.key.insecure server.key

And now you'll create the CSR from the key. With the CSR and the key a self-signed certificate can be generated:

openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The last step consists of installing the certificate and the key, in Debian/Ubuntu usually in /etc/ssl:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

And finally the applications using the certificate/key have to be configured accordingly.
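
The key, CSR and certificate steps from the answer above, run non-interactively and followed by checks to make before the files are copied into /etc/ssl. This is an added example, not part of the original answers; the CN server.example.test, the function names and the scratch directory are assumptions, and stat -c assumes GNU coreutils as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example. CN and file names below are constructed placeholders.

make_pair() {   # $1 = output directory, $2 = validity in days
    ( umask 077   # key, CSR and cert are created 0600, never world-readable
      openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
      openssl req -new -key "$1/server.key" -subj "/CN=server.example.test" \
          -out "$1/server.csr" &&
      openssl x509 -req -days "$2" -in "$1/server.csr" \
          -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null )
}

# The public key inside the certificate must be the one derived from the key.
pair_matches() {   # $1 = certificate, $2 = private key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# For a self-signed certificate the subject and issuer names are identical.
subject_equals_issuer() {   # $1 = certificate
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)
    [ -n "$s" ] && [ "$s" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds if the certificate is still valid $2 seconds from now.
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Succeeds only if the key file is readable and writable by its owner alone.
key_is_private() { [ "$(stat -c %a "$1")" = "600" ]; }

# Demo run in a scratch directory.
tmp=$(mktemp -d)
make_pair "$tmp" 365 &&
    pair_matches "$tmp/server.crt" "$tmp/server.key" &&
    subject_equals_issuer "$tmp/server.crt" &&
    valid_for "$tmp/server.crt" $((30 * 86400)) &&
    key_is_private "$tmp/server.key" &&
    echo "pair is consistent and safe to install"
rm -rf "$tmp"
```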
