Creating a Self-Signed SSL Certificate

Posted 

4 min read

This article explains how to create a self-signed SSL Certificate using the openssl tool.

What is a Self-Signed SSL Certificate?

A self-signed SSL certificate is a certificate that is signed by the person who created it rather than a trusted certificate authority. Self-signed certificates can have the same level of encryption as the trusted CA-signed SSL certificate.

Self-signed certificates as recognized as valid by any browser. If you are using a self-signed certificate, the web browser will show a warning to the visitor that the web site certificate cannot be verified.

The self-signed certificates are mostly used for testing purposes or internal usage. You should not use a self-signed certificate in production systems that are exposed to the Internet.

Prerequisites

The openssl toolkit is required to generate a self-signed certificate.

To check whether the openssl package is installed on your Linux system, open your terminal, type openssl version, and press Enter. If the package is installed the system will print the OpenSSL version, otherwise you will see something like openssl command not found.

If the openssl package is not installed on your system, you can install it by running the following command:

  • Ubuntu and Debian

    sudo apt install openssl
  • Centos and Fedora

    sudo yum install openssl

Creating Self-Signed SSL Certificate

To create a new Self-Signed SSL Certificate use the openssl req command:

openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out example.crt \
            -keyout example.key

Let’s breakdown the command and understand what each option means:

  • -newkey rsa:4096 - Creates a new certificate request and 4096 bit RSA key. The default one is 2048 bits.
  • -x509 - Creates a X.509 Certificate.
  • -sha256 - Use 265-bit SHA (Secure Hash Algorithm).
  • -days 3650 - The number of days to certify the certificate for. 3650 is 10 years. You can use any positive integer.
  • -nodes - Creates a key without a passphrase.
  • -out example.crt - Specifies the filename to write the newly created certificate to. You can specify any file name.
  • -keyout example.key - Specifies the filename to write the newly created private key to. You can specify any file name.

For more information about the openssl req command options visit the OpenSSL req documentation page.

Once you hit Enter the command will generate the private key and ask you a series of questions that it will use to generate the certificate.

Generating a RSA private key
......................................................................++++
........++++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Enter the information requested and press Enter.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Alabama
Locality Name (eg, city) []:Montgomery
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxize
Organizational Unit Name (eg, section) []:Marketing
Common Name (e.g. server FQDN or YOUR name) []:linuxize.com
Email Address []:hello@linuxize.com

The certificate and private key will be created at the specified location. Use the ls command to verify that the files were created:

ls
example.crt example.key

That’s it! You have generated, a new self-signed SSL certificate.

It is always a good idea to back up your new certificate and key to external storage.

Creating Self-Signed SSL Certificate without Prompt

If you want to generate a self-signed SSL certificate without being prompted for any question use the -subj option and specify all the subject information:

openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out example.crt \
            -keyout example.key \
            -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/CN=www.example.com"
Generating a RSA private key
......................................................................++++
........++++
writing new private key to 'example.key'
-----

The fields, specified in -subj line are listed below:

  • C= - Country name. The two-letter ISO abbreviation.
  • ST= - State or Province name.
  • L= - Locality Name. The name of the city where you are located.
  • O= - The full name of your organization.
  • OU= - Organizational Unit.
  • CN= - The fully qualified domain name.

Conclusion

In this guide, we have shown you how to generate a self-signed SSL certificate using the openssl tool. Now that you have the certificate, you can configure your application to use it.

Feel free to leave a comment if you have any questions.