Create Self Signed SSL Certficate to secure your HTPC

It is always a good idea to put some encryption between any connections to your HTPC. If someone had a good idea to sniff your connection while you connect threw HTTP or FTP, or any other protocol via your HTPC, he could access some sensible data as your password unencrypted. So here is how-to create a certificate that almost unbreakable via brute force. It encrypt any data thay comes in or comes out of connection and make it unreadable to anyone who is viewing your connection such as you ISP.

Create a SSL Certificate in UBUNTU / XBMCbuntu

  1. Install openssl :
    sudo apt-get install openssl
  2. Change the umask to be sure any created files cannot be read by any other users:
    umask 077
  3. create folder:
    sudo mkdir -p /etc/ssl/custom/
  4. Generate a 2048 bit key valid for 1 year:
    sudo openssl req -newkey rsa:2048 -nodes -days 365 -x509 -keyout /etc/ssl/custom/server.key -out /etc/ssl/custom/server.crt
    You will be prompt for several questions. The important information will be the common name where it should be your domain name if you have one. Once you answer all the questions, it will output 2 files: server.key and server.crt
    Please note the use of the -nodes arguement. Thats means your private key won’t be encrypted. You have to pay extra attention to who can read this file. If someone steal this key, your encryption could be decrypted. If you remove the -nodes argument, you will be ask to enter a passphrase. This passphrase will be ask each time you restart apache or any other software that support it. Encrypted private key will be a bit more secure, but for an HTPC it might be overkill for what it involve.

    Generating a 2048 bit RSA private key
    writing new private key to 'server.key'
    You are about to be asked to enter information 
    that will be incorporated into your certificate request.
    What you are about to enter is what is called a 
    Distinguished Name or a DN. There are quite a few 
    fields but you can leave some blank For some fields 
    there will be a default value, If you enter '.', 
    the field will be left blank.
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:San Francisco
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:Exemple Inc.
    Common Name (e.g. server FQDN or YOUR name) []
    Email Address []
  5. Combine both file into one pem file:
    sudo cat /etc/ssl/custom/server.crt /etc/ssl/custom/server.key | sudo tee /etc/ssl/custom/server.pem

Protect your files:

Be sure you have good permission on your files and remember be careful no other user can read those. A good practice would be the set the owner to root and create use the ssl-cert group.

  1. Create ssl-group (should be already created, but in case):
    sudo addgroup ssl-cert
  2. Add the user that runs apache, vsftpd or any other software that use these keys:
    sudo adduser user01 ssl-cert
  3. Change owners to everything inside our folder:
    sudo chown root:ssl-cert -R /etc/ssl/custom/
  4. Change permissions:
    sudo chmod 640 -R /etc/ssl/custom/