TL;DR
No, you can’t have a fully functional, trusted HTTPS server without a valid server certificate issued by a Certificate Authority (CA). However, you can configure something that looks like HTTPS for testing or development purposes using self-signed certificates. This will cause browser warnings as the CA is not trusted.
Why Certificates Matter
HTTPS relies on SSL/TLS to encrypt communication between a client (like your web browser) and a server. A certificate acts like an ID card for the server, verifying its identity. When you connect to a secure website, your browser checks this certificate against a list of trusted CAs.
Steps to Configure HTTPS with a Self-Signed Certificate
- Generate a Private Key and Certificate Signing Request (CSR): This is the first step. You’ll use OpenSSL for this, which is usually pre-installed on Linux/macOS systems or available for Windows.

  ```bash
  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
  ```

  This command creates:
  - key.pem: Your private key (keep this secret!).
  - cert.pem: The self-signed certificate.

  You’ll be prompted for information like country, organisation name, etc. These aren’t critical for testing but are good practice.
- Configure Your Web Server (Example: Apache): You need to tell your web server to use the key and certificate you just created. Edit your Apache virtual host configuration file (e.g., /etc/apache2/sites-available/your_site.conf).

  ```apache
  <VirtualHost *:443>
      ServerName yourdomain.com
      DocumentRoot /var/www/your_site
      SSLEngine on
      SSLCertificateFile /etc/apache2/sites-available/cert.pem
      SSLCertificateKeyFile /etc/apache2/sites-available/key.pem
  </VirtualHost>
  ```

  Replace yourdomain.com and the paths to your certificate and key files with your actual values.
- Enable SSL Module (Apache): Make sure the SSL module is enabled in Apache.

  ```bash
  sudo a2enmod ssl
  ```
- Restart Your Web Server: Apply the changes.

  ```bash
  sudo systemctl restart apache2
  ```
- Access Your Website: Open your website in a browser using https://yourdomain.com. You will see a warning message because the certificate is not trusted. You’ll usually need to add an exception in your browser to proceed (this varies by browser).
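The script below is an added example, not part of the original page. It extends the page’s openssl command with two options a practitioner usually wants for a dev certificate: `-nodes`, so the key is written unencrypted and Apache can start without a passphrase prompt, and a `subjectAltName`, because current browsers match hostnames against the SAN rather than the CN. It then runs `openssl verify` twice to show what the browser warning reflects: the certificate fails against the system CA store and passes only when that exact certificate is trusted explicitly. It assumes OpenSSL 1.1.1 or later; `dev.example.test` and the `WORKDIR` variable are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Creates a self-signed dev
# certificate with a SAN and demonstrates why it is rejected until it is
# explicitly trusted. Assumes OpenSSL >= 1.1.1 for -addext and -ext.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch dir for key/cert

# Generate an unencrypted private key (-nodes; without it OpenSSL asks for a
# passphrase and Apache would prompt for it at every start) plus a self-signed
# certificate whose SAN names the host the browser will check.
make_dev_cert() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host,DNS:localhost" >/dev/null 2>&1
  chmod 600 "$WORKDIR/key.pem"   # private key: owner-readable only
}

# Verify against the system CA store, as a browser does by default.
# Prints "fail" because no trusted CA issued the certificate.
verify_with_system_cas() {
  openssl verify "$WORKDIR/cert.pem" >/dev/null 2>&1 && echo ok || echo fail
}

# Verify while trusting the self-signed certificate as its own anchor, which
# is what a browser exception or importing cert.pem into a trust store does.
verify_with_self_as_ca() {
  openssl verify -CAfile "$WORKDIR/cert.pem" "$WORKDIR/cert.pem" \
    >/dev/null 2>&1 && echo ok || echo fail
}

# Print the SAN so the hostname the browser will accept can be confirmed.
show_san() {
  openssl x509 -in "$WORKDIR/cert.pem" -noout -ext subjectAltName
}

main() {
  make_dev_cert "dev.example.test"            # placeholder hostname
  echo "system CA store:    $(verify_with_system_cas)"   # prints fail
  echo "trusting cert.pem:  $(verify_with_self_as_ca)"   # prints ok
  show_san
}

main
```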
Important Considerations
- Self-Signed Certificates are Not for Production: Browsers will display prominent security warnings, and users may be hesitant to trust your site.
- Real Certificates from CAs: For a production environment, obtain a certificate from a trusted Certificate Authority (e.g., Let’s Encrypt, DigiCert, Sectigo).
- Let’s Encrypt: A free, automated and open CA that provides SSL/TLS certificates. It’s an excellent option for most websites.

  ```bash
  sudo apt install certbot python3-certbot-apache
  ```

  Then run:

  ```bash
  sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
  ```