How to generate a Self Signed SSL Certificate for lighttpd


For my NeoInvoice project, some of my users wanted a secure connection to the website. But it's still in beta, I'm not charging for it, and I didn't want to spend much money, so generating a self-signed SSL certificate seemed like the best solution. A (free) self-signed certificate encrypts the connection just as strongly as a (paid) certificate issued by a browser-trusted root authority. However, the client's browser will complain, since it does not trust the entity that issued the certificate. For this reason you don't want to use a self-signed certificate on a production website: the browser warnings will scare away customers. Here's what the info dialog shows in Chrome:

[Screenshot: Chrome certificate info dialog, "Root Certificate Not Trusted"]

Anyway, here's how you generate the certificate. There are basically three steps: generate the certificate, tell lighttpd where the certificate is, and restart lighttpd.

Generating Certificate

When generating a certificate, it doesn't really matter where you put it. The certificate itself is a file which is a few kilobytes in size. You don't, however, want to put the certificate somewhere that you'll forget it. For this reason it's a good idea to put the certificate in the lighttpd server directory. If you have several websites running on your server and would like to use the certificate with more than one, you'll want to make a folder for all of them (so that things don't get messy).

cd /etc/lighttpd/
sudo mkdir certificates; cd certificates
# one file holds both the private key (-keyout) and the certificate (-out);
# -nodes leaves the key unencrypted so lighttpd can start without a passphrase
sudo openssl req -new -x509 -keyout domainname.pem -out domainname.pem -days 365 -nodes
sudo chown www-data:www-data domainname.pem
sudo chmod 0600 domainname.pem

Configure lighttpd

Now that you've got a certificate, we'll want to tell lighttpd to enable SSL support and to use the certificate file.

sudo lighty-enable-mod ssl
cd /etc/lighttpd/conf-enabled/
sudo nano 10-ssl.conf

Once you're in the file, add the following block, which points lighttpd at the certificate file (the path must match where you saved it in the previous step) and sets the document root.

$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certificates/domainname.pem"
    server.document-root = "/var/www"
}

Restart lighttpd

Now that we've got that out of the way, all we need to do is restart lighttpd. If you get any errors when it attempts to start again, check your files for syntax errors. If everything goes horribly wrong, just revert your changes to the 10-ssl.conf file.

sudo service lighttpd restart
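As an added example (not part of the original post), here is a small POSIX shell script that checks what the three steps above produce before you restart: that the file lighttpd is pointed at holds both the private key and the certificate (lighttpd expects both in the one ssl.pemfile), that it is mode 0600, and that the path written in 10-ssl.conf actually exists. It assumes GNU coreutils for stat -c (with a BSD fallback) and, for make_selfsigned only, that openssl is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the artefacts the steps
# above produce before 'service lighttpd restart'. Assumes GNU coreutils
# (stat -c); falls back to BSD stat. make_selfsigned needs openssl installed.

# lighttpd reads the private key AND the certificate from the single file
# named by ssl.pemfile, so both PEM blocks must be present. The key must
# not be readable by other users: expect mode 0600 (or 0400).
check_pemfile() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" \
        || { echo "no private key block in $f"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "no certificate block in $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "mode $mode on $f, expected 0600"; return 1 ;;
    esac
}

# Pull the ssl.pemfile value out of a lighttpd config (e.g. 10-ssl.conf)
# and validate the file it names. A path typo is the usual reason the
# restart step fails, and this catches it before the restart.
check_config() {
    conf="$1"
    pem=$(sed -n 's/^[[:space:]]*ssl\.pemfile[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    [ -n "$pem" ] || { echo "no ssl.pemfile setting in $conf"; return 1; }
    check_pemfile "$pem"
}

# The post's openssl command, wrapped: key and certificate go to the same
# file (openssl appends the certificate when -keyout and -out match),
# then the file is locked down and verified. Prompts interactively for the
# subject fields, exactly like the original command.
make_selfsigned() {
    out="$1"; days="${2:-365}"
    openssl req -new -x509 -nodes -days "$days" -keyout "$out" -out "$out" || return 1
    chmod 0600 "$out"
    check_pemfile "$out"
}

# Usage, as root, after editing 10-ssl.conf:
#   make_selfsigned /etc/lighttpd/certificates/domainname.pem
#   check_config /etc/lighttpd/conf-enabled/10-ssl.conf && service lighttpd restart
```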

Thomas has contributed to dozens of enterprise Node.js services and has worked for a company dedicated to securing Node.js. He has spoken at several conferences on Node.js and JavaScript and is an O'Reilly published author.