Posted on May 15, 2023 by darshin
This article explains how to create a self-signed SSL certificate using the openssl tool.
What is a Self-Signed SSL Certificate?
A self-signed SSL certificate is a certificate that is signed by the person who created it rather than by a trusted certificate authority (CA). A self-signed certificate can provide the same level of encryption as a CA-signed SSL certificate; what it lacks is a trusted third party vouching for the identity in it.
Web browsers do not recognize self-signed certificates as valid. When a site uses a self-signed certificate, the browser shows the visitor a warning that the website's certificate cannot be verified.
Typically, self-signed certificates are used for testing or internal systems. You should not use a self-signed certificate on production systems that are exposed to the Internet.
Prerequisites
The OpenSSL toolkit is required to generate a self-signed certificate.
To check whether the openssl package is installed on your Linux system, open your terminal, type openssl version, and press Enter. If the package is installed, the system prints the OpenSSL version; otherwise you will see something like openssl command not found.
If the openssl package is not installed on your system, you can install it with your distribution’s package manager:
- Ubuntu and Debian: sudo apt install openssl
- CentOS and Fedora: sudo yum install openssl
Creating Self-Signed SSL Certificate
To create a new self-signed SSL certificate, use the openssl req command:
openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 3650 \
    -nodes \
    -out example.crt \
    -keyout example.key
Let's break down the command and understand what each option means:
- -newkey rsa:4096 – Creates a new certificate request and a 4096-bit RSA key. The default is 2048 bits.
- -x509 – Creates an X.509 certificate instead of a certificate signing request.
- -sha256 – Signs the certificate with 256-bit SHA (Secure Hash Algorithm).
- -days 3650 – The number of days the certificate is valid for. 3650 is ten years. You can use any positive integer.
- -nodes – Creates a private key without a passphrase (the key file is not encrypted).
- -out example.crt – Specifies the filename to write the newly created certificate to. You can specify any file name.
- -keyout example.key – Specifies the filename to write the newly created private key to. You can specify any file name.
For more information about the openssl req command options, visit the OpenSSL req documentation page.
Once you hit Enter, the command generates the private key and asks you a series of questions. The information you provide is used to build the certificate's subject.
Generating a RSA private key
......................................................................++++
........++++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Enter the information requested and press Enter.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Alabama
Locality Name (eg, city) []:Montgomery
Organization Name (eg, company) [Internet Widgits Pty Ltd]:nexonhost
Organizational Unit Name (eg, section) []:Marketing
Common Name (e.g. server FQDN or YOUR name) []:nexonhost.com
Email Address []:hello@nexonhost.com
The certificate and private key are created at the specified locations. Use the ls command to verify that the files exist:
ls
example.crt example.key
That’s it! You have generated a new self-signed SSL certificate.
It is always a good idea to back up your new certificate and key to external storage. Because the key was created with -nodes, it is unencrypted, so keep the key file readable only by the account that needs it.
Creating Self-Signed SSL Certificate without Prompt
If you want to generate a self-signed SSL certificate without being prompted for any questions, use the -subj option and specify all the subject information:
openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 3650 \
    -nodes \
    -out example.crt \
    -keyout example.key \
    -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/CN=www.example.com"
Generating a RSA private key
......................................................................++++
........++++
writing new private key to 'example.key'
-----
The fields specified on the -subj line are listed below:
- C= – Country name, as the two-letter ISO abbreviation.
- ST= – State or Province name.
- L= – Locality name: the name of the city where you are located.
- O= – The full name of your organization.
- OU= – Organizational Unit.
- CN= – Common Name: the fully qualified domain name of the server.
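The following script is an added example, not part of the original article, that runs the non-interactive command above and then checks the result the way you would before deploying it: that the certificate is really self-signed (subject equals issuer), that the private key belongs to the certificate, and that it verifies when trusted as its own CA. The working directory and the extra -addext subjectAltName (which assumes OpenSSL 1.1.1 or later; modern browsers require a SAN as well as the CN) are my additions.

```shell
#!/bin/sh
# Added example: generate a self-signed certificate without prompts and
# check it. The work directory and subject values are constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CRT="$WORKDIR/example.crt"
KEY="$WORKDIR/example.key"
SUBJ="/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/CN=www.example.com"

# Same flags as the article's command; -subj replaces the interactive prompts.
# -addext adds a subjectAltName (assumed OpenSSL >= 1.1.1), which browsers
# check in addition to the CN.
gen_cert() {
    openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
        -out "$CRT" -keyout "$KEY" -subj "$SUBJ" \
        -addext "subjectAltName=DNS:www.example.com" 2>/dev/null
    chmod 600 "$KEY"   # -nodes leaves the key unencrypted, so restrict access
}

# A self-signed certificate has identical subject and issuer fields.
is_self_signed() {
    subj=$(openssl x509 -in "$CRT" -noout -subject)
    iss=$(openssl x509 -in "$CRT" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# The private key must belong to the certificate: compare their public keys.
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$CRT" -noout -pubkey)
    [ "$k" = "$c" ]
}

# Verify the signature by trusting the certificate itself as the CA. Against
# the system trust store this would fail, which is exactly why browsers warn.
verify_chain() {
    openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# Print the fields a reviewer inspects before deploying the certificate.
show_cert() {
    openssl x509 -in "$CRT" -noout -subject -issuer -dates -ext subjectAltName
}

gen_cert && is_self_signed && key_matches_cert && verify_chain && show_cert
```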
Conclusion
In this guide, we have shown you how to generate a self-signed SSL certificate using the openssl tool. Now that you have the certificate, you can configure your application to use it.