How to Create a Self-Signed SSL Certificate with OpenSSL


Self-Signed SSL Certificate

A self-signed SSL certificate is an identity certificate signed with its own private key rather than by a trusted certificate authority (CA). It uses the same key types and cipher suites as a CA-signed certificate, so the TLS connection is encrypted just as strongly; what it lacks is a chain to a root the client already trusts, so browsers cannot verify the server's identity and display a security warning unless the certificate has been explicitly imported or pinned on the client beforehand.

Self-signed certificates are commonly used for development, testing, and internal services. For production systems exposed to the Internet, use a certificate from a trusted CA such as Let’s Encrypt.

This guide explains how to create a self-signed SSL certificate on Linux using the openssl command-line tool.

For a broader command reference covering keys, CSRs, certificate inspection, format conversion, and live TLS testing, see our OpenSSL guide.

Prerequisites

The OpenSSL toolkit is required to generate a self-signed certificate.

To check whether the openssl package is installed on your Linux system, open a terminal and run openssl version. If the package is installed, the command prints the OpenSSL version; otherwise you will see an error such as openssl: command not found.

If the openssl package is not installed on your system, you can install it with your distribution’s package manager:

  • Ubuntu, Debian, and Derivatives

    Terminal
    sudo apt install openssl
  • Fedora, RHEL, and Derivatives

    Terminal
    sudo dnf install openssl

Creating a Self-Signed SSL Certificate

To create a new self-signed SSL certificate, use the openssl req command:

sh
openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out example.crt \
            -keyout example.key

Here is what each option means:

  • -newkey rsa:4096 — Generates a new 4096-bit RSA private key together with the certificate. The default key size is 2048 bits.
  • -x509 — Outputs a self-signed X.509 certificate instead of a certificate signing request (CSR).
  • -sha256 — Signs the certificate with SHA-256. This has been the default digest since OpenSSL 1.1.0, but stating it explicitly avoids surprises on older builds.
  • -days 3650 — The validity period in days; 3650 is ten years. Any positive integer is accepted, but very long lifetimes can be rejected by clients: Apple platforms (iOS 13 and macOS 10.15 and later), for example, refuse TLS server certificates valid for more than 825 days, self-signed ones included. A shorter lifetime with a plan to rotate the certificate is the safer choice.
  • -nodes — Writes the private key unencrypted, without a passphrase, so a service can load it unattended at start-up. In OpenSSL 3.x the option is named -noenc; -nodes still works there as a deprecated alias.
  • -out example.crt — The file to write the newly created certificate to. You can use any file name.
  • -keyout example.key — The file to write the newly created private key to. You can use any file name.

For more information about the openssl req command options, visit the OpenSSL req documentation page.

Once you run the command, it generates the private key and asks you a series of questions. The values you enter form the certificate's subject Distinguished Name (DN).

output
Generating a RSA private key
......................................................................++++
........++++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Enter the information requested and press Enter:

output
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Alabama
Locality Name (eg, city) []:Montgomery
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxize
Organizational Unit Name (eg, section) []:Marketing
Common Name (e.g. server FQDN or YOUR name) []:linuxize.com
Email Address []:hello@linuxize.com

The certificate and private key will be created at the specified location. Use the ls command to verify that the files were created:

Terminal
ls
output
example.crt example.key

That is it. You have generated a new self-signed SSL certificate.

The private key is the secret that lets anyone who holds it impersonate the server, so restrict its permissions (for example chmod 600 example.key, owned by the account that runs the service) and keep any backup of it on storage with the same access controls. The certificate itself is public and can be copied freely.

Creating a Self-Signed SSL Certificate without Prompt

If you want to generate a self-signed SSL certificate without being prompted for any questions, use the -subj option and give the whole subject as a slash-separated list of fields:

sh
openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out example.crt \
            -keyout example.key \
            -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/CN=www.example.com"
output
Generating a RSA private key
......................................................................++++
........++++
writing new private key to 'example.key'
-----

The fields specified in the -subj line are listed below:

  • C= — Country name. The two-letter ISO abbreviation.
  • ST= — State or Province name.
  • L= — Locality Name. The name of the city where you are located.
  • O= — The full name of your organization.
  • OU= — Organizational Unit.
  • CN= — The fully qualified domain name. Modern clients no longer use this field for host name matching; see the next section on the SAN extension.

Creating a Certificate with Subject Alternative Name (SAN)

Modern browsers and applications require the Subject Alternative Name (SAN) extension for host name validation; Chrome (since version 58) and most other current clients ignore the Common Name (CN) field entirely for that purpose. A certificate that carries the host name only in the CN will therefore be rejected or trigger warnings in most clients, even if it is otherwise trusted.

To include SAN entries, pass an -addext option:

sh
openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out example.crt \
            -keyout example.key \
            -subj "/C=US/ST=Alabama/L=Montgomery/O=MyOrg/CN=example.com" \
            -addext "subjectAltName=DNS:example.com,DNS:www.example.com,IP:10.0.0.1"

The -addext option is available in OpenSSL 1.1.1 and later; on older releases the extension has to come from a configuration file passed with -config. You can list as many DNS and IP entries as you need, separated by commas. Use IP: for address literals: a client connecting to https://10.0.0.1 matches the address only against IP entries, never against a DNS entry containing the same digits.
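For OpenSSL releases that predate -addext, or when you want the subject and every extension kept in one reviewable file, the same SAN certificate can be produced from a request configuration file. The script below is an added example and not code from the original article; the organization, host names, 10.0.0.1 address and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: build a self-signed
# certificate with SAN entries from an openssl req config file instead of
# -addext. This works on OpenSSL releases older than 1.1.1 as well.
# "Example Org", the host names and the 10.0.0.1 address are placeholders.
set -eu

# write_req_config FILE CN
#   Writes a minimal req configuration: a fixed subject (no prompting) and a
#   v3 extension section that "req -x509" applies to the certificate.
#   The SAN covers CN, www.CN and one IP address literal.
write_req_config() {
    cat > "$1" <<EOF
[req]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_server

[req_dn]
O  = Example Org
CN = $2

[v3_server]
basicConstraints = CA:FALSE
subjectAltName   = @alt_names

[alt_names]
DNS.1 = $2
DNS.2 = www.$2
IP.1  = 10.0.0.1
EOF
}

# gen_from_config CONFIG OUTPREFIX DAYS
#   Generates a 2048-bit RSA key and a certificate whose subject and
#   extensions come entirely from CONFIG, so the result is reproducible.
#   umask 077 makes the key file 0600 from the moment it is created.
gen_from_config() {
    ( umask 077 && openssl req -x509 -sha256 -nodes -days "$3" \
        -newkey rsa:2048 -config "$1" \
        -keyout "$2.key" -out "$2.crt" )
    chmod 644 "$2.crt"   # the certificate is public
}

# Run with "demo" as the first argument to generate a certificate in a
# temporary directory and print its subject and SAN.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    write_req_config "$dir/req.cnf" example.com
    gen_from_config "$dir/req.cnf" "$dir/example" 365
    openssl x509 -in "$dir/example.crt" -noout -subject -dates
    openssl x509 -in "$dir/example.crt" -noout -text | grep -A1 'Subject Alternative Name'
    echo "files written under $dir"
fi
```

Because the subject and extensions live in the file rather than on the command line, the same config can be checked into a repository and reused on every machine that needs the certificate regenerated; the basicConstraints=CA:FALSE line marks the result as an end-entity certificate rather than a CA.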

Generating an ECDSA Certificate

If you prefer smaller keys and faster TLS handshakes, you can generate an ECDSA certificate instead of an RSA one:

sh
openssl req -new \
            -x509 \
            -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out example.crt \
            -keyout example.key \
            -subj "/C=US/ST=Alabama/L=Montgomery/O=MyOrg/CN=example.com" \
            -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

The prime256v1 curve (also known as P-256) is supported by every current browser and TLS library and offers roughly 128-bit security, comparable to a 3072-bit RSA key.

Verifying the Certificate

To view the details of your generated certificate, use the openssl x509 command:

Terminal
openssl x509 -in example.crt -text -noout

The output displays the issuer, subject, validity period, public key type, and any extensions including the Subject Alternative Name.

To verify that the certificate and private key belong together, confirm that both contain the same public key. For an RSA pair you can compare the modulus of each:

Terminal
openssl x509 -in example.crt -noout -modulus | openssl md5
openssl rsa -in example.key -noout -modulus | openssl md5

If both commands print the same hash, the certificate and key are a matching pair. MD5 is only being used here to shorten the output for comparison by eye; any digest, such as openssl sha256, works just as well. Note that openssl rsa cannot read an EC key, so this check fails for the ECDSA certificate generated above. A check that works for any key type is to extract the public key from both files (openssl pkey -pubout for the key, openssl x509 -pubkey -noout for the certificate) and compare the two outputs.
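The pieces above (non-interactive generation with a SAN, the ECDSA variant, and the verification checks) combined into one script, added here as an example; it is not code from the original article. It assumes OpenSSL 1.1.1 or later for -addext and -ext, and the organization, host names, 10.0.0.1 address and output paths are placeholders. Unlike the modulus comparison, its key check also works for EC keys, and it additionally confirms that the certificate validates with itself as the only trust anchor for a given host name.

```shell
#!/bin/sh
# Added example, not from the original article: generate a self-signed
# certificate non-interactively with a SAN (RSA or EC key) and verify it
# with checks that work for any key type.
# Assumes OpenSSL 1.1.1+ (-addext, x509 -ext). "Example Org", the host
# names, the 10.0.0.1 address and the output paths are placeholders.
set -eu

# gen_selfsigned KEYTYPE CN DAYS SANLIST OUTPREFIX
#   KEYTYPE: "rsa" (4096-bit) or "ec" (P-256)
#   SANLIST: subjectAltName value, e.g. "DNS:a.example,DNS:b.example,IP:10.0.0.1"
#   Writes OUTPREFIX.key (mode 0600) and OUTPREFIX.crt (mode 0644).
gen_selfsigned() {
    keytype=$1; cn=$2; days=$3; san=$4; out=$5
    case $keytype in
        rsa) set -- -newkey rsa:4096 ;;
        ec)  set -- -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 ;;
        *)   echo "gen_selfsigned: unknown key type '$keytype'" >&2; return 2 ;;
    esac
    # umask 077 makes the key file 0600 from the moment openssl creates it,
    # so there is no window in which other users could read it.
    (
        umask 077
        openssl req -x509 -sha256 -nodes -days "$days" "$@" \
            -keyout "$out.key" -out "$out.crt" \
            -subj "/O=Example Org/CN=$cn" \
            -addext "subjectAltName=$san"
    )
    chmod 644 "$out.crt"   # the certificate is public
}

# check_selfsigned OUTPREFIX HOSTNAME
#   1. key and certificate carry the same public key (works for RSA and EC
#      alike, unlike comparing RSA moduli)
#   2. the certificate validates with itself as the only trust anchor and
#      HOSTNAME matches a subjectAltName entry (CN is not consulted once a
#      SAN is present)
#   3. the certificate remains valid for at least one more day
#   Prints the SAN on success; returns non-zero at the first failed check.
check_selfsigned() {
    out=$1; host=$2
    key_pub=$(openssl pkey -in "$out.key" -pubout)
    crt_pub=$(openssl x509 -in "$out.crt" -pubkey -noout)
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "check_selfsigned: private key does not match $out.crt" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$out.crt" -verify_hostname "$host" "$out.crt" >/dev/null; then
        echo "check_selfsigned: $out.crt does not validate for $host" >&2
        return 1
    fi
    # -checkend N fails if the certificate expires within N seconds
    if ! openssl x509 -in "$out.crt" -noout -checkend 86400 >/dev/null; then
        echo "check_selfsigned: $out.crt expires within 24 hours" >&2
        return 1
    fi
    openssl x509 -in "$out.crt" -noout -ext subjectAltName
}

# Run with "demo" as the first argument to exercise both key types in a
# temporary directory.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    gen_selfsigned rsa example.com 365 "DNS:example.com,DNS:www.example.com,IP:10.0.0.1" "$dir/rsa"
    check_selfsigned "$dir/rsa" www.example.com
    gen_selfsigned ec example.com 365 "DNS:example.com,DNS:www.example.com" "$dir/ec"
    check_selfsigned "$dir/ec" example.com
    echo "files written under $dir"
fi
```

The -verify_hostname step is the one that catches the most common mistake with self-signed certificates: a certificate that is perfectly valid but names the wrong host, or carries the host only in the CN, fails here exactly as it would in a browser. Run the same check for every name a client will use, including bare IP addresses.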

Conclusion

You now have a self-signed SSL certificate ready for development or internal use. Remember that clients have to trust it explicitly, for example by importing it into their trust store or passing it to curl with --cacert; disabling verification (curl -k, or an "ignore certificate errors" setting) throws away the identity check that TLS is supposed to provide. To put the certificate into service behind a web server, see our guides on configuring SSL with Nginx or Apache.


About the author

Dejan Panovski

Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.