Self-Signed Certificates

Self-signed certificates are useful for development, testing, or internal deployments where you don’t need public certificate authority validation. While not recommended for production internet-facing deployments, they provide encryption and can be quickly generated without external dependencies.

Caution

Production Considerations Self-signed certificates will trigger security warnings in browsers and are not trusted by default. For production deployments, consider using free certificates from Let’s Encrypt instead.

Prerequisites

Ensure you have OpenSSL installed on your system:

# RHEL/CentOS/Fedora
sudo dnf install openssl

# Ubuntu/Debian
sudo apt-get install openssl

# Verify installation
openssl version

Generate Private Key

Create a 2048-bit RSA private key:

openssl genrsa -out yourdomain.com.key 2048

Danger

Private Key Security Never share your private key with anyone. Store it securely and limit file permissions:

chmod 600 yourdomain.com.key

Create Certificate Signing Request (CSR)

Generate a Certificate Signing Request with your organization details:

openssl req -new -sha256 -key yourdomain.com.key \
  -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=Your Organization/OU=IT Department/CN=yourdomain.com/emailAddress=admin@yourdomain.com" \
  -out yourdomain.com.csr

CSR Parameters Explanation

• C=NL - Country (2-letter code)
• ST=Noord Holland - State or Province
• L=Amsterdam - City or Locality
• O=Your Organization - Organization name
• OU=IT Department - Organizational Unit
• CN=yourdomain.com - Common Name (your domain)
• emailAddress=admin@yourdomain.com - Contact email

Note

Customize Your Information Replace the example values with your actual organization details and domain name.

Create Certificate Configuration File

Create a configuration file to include Subject Alternative Names (SAN) for wildcard support:

cat > yourdomain.com.conf << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = NL
ST = Noord Holland
L = Amsterdam
O = Your Organization
OU = IT Department
CN = yourdomain.com
emailAddress = admin@yourdomain.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourdomain.com
DNS.2 = *.yourdomain.com
EOF

Generate Self-Signed Certificate

Create the self-signed certificate valid for 365 days:

openssl x509 -req -in yourdomain.com.csr \
  -signkey yourdomain.com.key \
  -out yourdomain.com.crt \
  -days 365 \
  -extensions v3_req \
  -extfile yourdomain.com.conf

Alternative: Generate Key and Certificate in One Step

You can also generate both the key and certificate simultaneously:

openssl req -x509 -newkey rsa:2048 -keyout yourdomain.com.key -out yourdomain.com.crt \
  -days 365 -nodes \
  -config yourdomain.com.conf

The -nodes option creates an unencrypted private key (no passphrase required).

Combine Certificate Files

Surfly requires the private key and certificate to be combined in a single PEM file:

cat yourdomain.com.key yourdomain.com.crt > yourdomain.com.pem

Verify Combined Certificate

Check that the combined file contains both the private key and certificate:

# Should show "RSA PRIVATE KEY"
grep -A 1 "BEGIN RSA PRIVATE KEY" yourdomain.com.pem

# Should show "CERTIFICATE"
grep -A 1 "BEGIN CERTIFICATE" yourdomain.com.pem

Install Certificate

Copy the certificate to your Surfly installation directory:

# Create certificates directory if it doesn't exist
mkdir -p ~/surfly/certs/

# Copy the combined certificate
cp yourdomain.com.pem ~/surfly/certs/

# Set appropriate permissions
chmod 600 ~/surfly/certs/yourdomain.com.pem
chown client:client ~/surfly/certs/yourdomain.com.pem

Set Up Certificate Authority (Optional)

For better browser compatibility in development environments, you can create your own Certificate Authority and install it as trusted:

Create CA Private Key

openssl genrsa -out ca.key 4096

Create CA Certificate

openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.crt \
  -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=Your Organization CA/CN=Your Organization Root CA"

Sign Your Certificate with CA

openssl x509 -req -in yourdomain.com.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out yourdomain.com.crt -days 365 \
  -extensions v3_req -extfile yourdomain.com.conf

Install CA in System Trust Store

Copy your root CA certificate to the Surfly trust directory:

mkdir -p ~/surfly/ca_trust/
cp ca.crt ~/surfly/ca_trust/

Verify Certificate

Check your certificate details:

# View certificate information
openssl x509 -in yourdomain.com.crt -text -noout

# Verify certificate against private key
openssl x509 -noout -modulus -in yourdomain.com.crt | openssl md5
openssl rsa -noout -modulus -in yourdomain.com.key | openssl md5

Both commands should return the same hash value, confirming the certificate matches the private key.

Tip

Moving to Production When ready for production deployment, replace self-signed certificates with certificates from a trusted Certificate Authority or use Let’s Encrypt for free certificates.