You do not need to buy a certificate to use valid SSL certificates: you can create your own Certificate Authority (CA) or use Let’s Encrypt. Let’s Encrypt is the best choice because you do not have to install a new CA on the client side.
But if for some reason you want to create your own CA, in this post I show how to do this in a simple way using easy-rsa, a script from OpenVPN.
Creating a Certificate Authority (CA)
Install easy-rsa and prepare the environment.
# apt install easy-rsa
# cp -R /usr/share/easy-rsa /easy-rsa_myCA
# cd /easy-rsa_myCA
# ./easyrsa init-pki
If you want, you can customize the CA parameters by copying the example file:
# cp vars.example vars
and editing the vars file.
And to build the CA, just run:
# ./easyrsa build-ca
Enter a passphrase for the CA private key when prompted. This key can sign certificates for any name, so choose a strong one.
Common Name: write the name of your new CA.
Creating a certificate suitable for signing by your CA
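Let’s create the private key and certificate request for www.yourdomain.com (nopass leaves the key unencrypted, so the server can start without a passphrase prompt):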
# ./easyrsa gen-req www.yourdomain.com nopass
Common Name: www.yourdomain.com
Now sign it using your new CA:
# ./easyrsa sign-req server www.yourdomain.com
Your new certificate is now signed by your CA. Use the files pki/issued/www.yourdomain.com.crt and pki/private/www.yourdomain.com.key in your server application, such as Apache.
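Before pointing the server at these files, it is worth checking that the certificate chains to your CA, that the key matches it, and that the hostname is listed in subjectAltName. The script below is an added example, not part of the original post or of easy-rsa; the function name check_issued and its return codes are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): pre-deployment checks for a
# certificate issued by a private CA. check_issued is a hypothetical helper.
# Usage, with the paths from this post:
#   sh check_issued.sh pki/ca.crt pki/issued/www.yourdomain.com.crt \
#      pki/private/www.yourdomain.com.key www.yourdomain.com

check_issued() {
    ca=$1; crt=$2; key=$3; host=$4

    # 1. The certificate must chain to the CA file that clients will import.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca"; return 1
    fi

    # 2. The private key must belong to the certificate: compare public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt"; return 2
    fi

    # 3. Browsers match the hostname against subjectAltName entries, so the
    #    exact name must be listed there (wildcard entries are not expanded).
    sans=$(openssl x509 -in "$crt" -noout -text |
           grep -A1 'Subject Alternative Name' | tail -n 1 |
           tr -d ' ' | tr ',' '\n')
    if ! printf '%s\n' "$sans" | grep -Fxq "DNS:$host"; then
        echo "FAIL: $host is not in subjectAltName"; return 3
    fi

    # 4. Catch expiry early: fail if fewer than 30 days of validity remain.
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $crt expires within 30 days"; return 4
    fi

    echo "OK: $crt chains to $ca, matches its key, and covers $host"
}

# Run the checks when the script is called with the four arguments.
if [ "$#" -eq 4 ]; then check_issued "$@"; fi
```

A non-zero exit status identifies the first check that failed (1 chain, 2 key, 3 hostname, 4 expiry).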
Using your new CA in Firefox
First, copy the CA certificate (pki/ca.crt) to your Desktop. Then go to Preferences -> Search for certifi -> View Certificates… -> Authorities -> Import -> find your ca.crt