If you’re logging into a website or posting to the web unencrypted, you’re doing it wrong. I use WordPress and it’s pretty secure, but there’s nothing they can do about unencrypted traffic between your browser and the server.1 WordPress has a feature to force encrypted logins and administration pages, but that’s not going to do you much good if you don’t have a SSL certificate.

Self-signed certificates can be perfectly safe, but there are a couple things you should know.

  1. Don’t let anybody get your key file. With it, anybody can download your certificate and serve it on their website.
  2. Listen to the warnings your browser tells you about. Know that your self-signed certificate may generate warnings and that the only thing companies like Verisign do is verify the certificate is unique and was generated by a known good source.
  3. You probably want to avoid serving self-signed certificates on sites meant for pulic consumption because of the errors mentioned above. I’m going to offer an exception to this here, but keep the error messages in mind.

Since you are the only one logging into your WordPress site, you don’t have to worry about scaring away readers with a self-signed SSL certificate. If you’re running an e-commerce site, you’re going to want to go ahead and pay for a certificate that’s not going to generate warnings. It’s possible to tell your browser to ignore the warnings, but you’ll still scare away most potential customers.

Generate the Certificate

The first thing we need to do is generate a server key. From there we’ll generate the certifiate signing request and then the certificate. Last, we’ll need to generate a version of the key that doesn’t require a password or you’ll have to enter the password on the console every time Apache restarts.2

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

As I’ve mentioned already, make sure you guard server.key with your life. Ideally you would’ve used a secure password to protect the key at the beginning, so server.key.secure should be safe, but guard that too. You’ll want to make sure you get a copy of server.crt on your local machine. If you’re on a Mac, you can add it the the Keychain so you won’t be bugged every time you visit the site with your self-signed certificate.

Installing the Certificate

In this case, I’m going to install the certificate on an Ubuntu server running Apache, but the process will be similar for any Unix environment. Assuming you already have Apache running, we’re going to move the key and the certificate to the place where they’ll be served from, and enable mod_ssl.

cp server.key /etc/apache2/ssl
cp server.crt /etc/apache2/ssl
a2enmod ssl

Then we’ll need to configure the virtual host. Look in /etc/apache2/sites-available for default-ssl. There you’ll need to configure the host just as you did when you initially set up the server, being sure to change the DocumentRoot and Directory from /var/www if need be. Then, enable the virtual host and restart Apache.

a2ensite default-ssl
service apache2 restart

If everything was configured correctly, you should now be able to visit your site with the https protocol.

WordPress

On a WordPress site, you can force SSL logins and administration by adding the following lines to your wp-config file.

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

Update

It has been pointed out by a few people that training people to ignore security warnings isn’t the right approach. I never meant to suggest training people to ignore the warnings. If you’re going to self-sign an SSL certificate for your website, you have to install the certificate locally or you’ll have no way to verify that you’re actually connected to the right host and not a victim of a man-in-the-middle attack.

Resources


  1. I’m not talking about WordPress.com blogs here. If your site is hosted on WordPress.com, they’ve obviously taken care of all this already. ↩
  2. I’ve been there. It’s not fun. Even a little. ↩