How to create a Self-Signed SSL Certificate.

How To Create A Self-Signed SSL Certificate.

This article explains how to create a self-signed SSL Certificate using the openssl tool.


What is a Self-Signed SSL Certificate?

A self-signed SSL certificate is a certificate that is signed by the person who created it rather than a trusted certificate authority. Self-signed certificates can have the same level of encryption as the trusted CA-signed SSL certificate.

Web browsers do not recognize the self-signed certificates as valid. When using a self-signed certificate, the web browser shows a warning to the visitor that the web site certificate cannot be verified.

Typically, the self-signed certificates are used for testing purposes or internal usage. You should not use a self-signed certificate in production systems that are exposed to the Internet.



The OpenSSL toolkit is required to generate a self-signed certificate.

To check whether the openssl package is installed on your Linux system, open your terminal, type openssl version, and press Enter. If the package is installed, the system will print the OpenSSL version, otherwise you will see something like openssl command not found.

If the openssl package is not installed on your system, you can install it with your distribution’s package manager:

  • Ubuntu and Debian

    sudo apt install openssl
  • Centos and Fedora

    sudo yum install openssl


Creating Self-Signed SSL Certificate

To create a new Self-Signed SSL Certificate, use the openssl req command:

openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out example.crt \
            -keyout example.key


Let’s breakdown the command and understand what each option means:

  • -newkey rsa:4096 – Creates a new certificate request and 4096 bit RSA key. The default one is 2048 bits.

  • -x509 – Creates a X.509 Certificate.

  • -sha256 – Use 265-bit SHA (Secure Hash Algorithm).

  • -days 3650 – The number of days to certify the certificate for. 3650 is ten years. You can use any positive integer.

  • -nodes – Creates a key without a passphrase.

  • -out example.crt – Specifies the filename to write the newly created certificate to. You can specify any file name.

  • -keyout example.key – Specifies the filename to write the newly created private key to. You can specify any file name.

For more information about the openssl req command options, visit the OpenSSL re q documentation page.

Once you hit Enter, the command will generate the private key and ask you a series of questions. The information you provided is used to generate the certificate.

Generating a RSA private key
writing new private key to 'example.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Enter the information requested and press Enter.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Alabama
Locality Name (eg, city) []:Montgomery
Organization Name (eg, company) [Internet Widgits Pty Ltd]:nexonhost
Organizational Unit Name (eg, section) []:Marketing
Common Name (e.g. server FQDN or YOUR name) []
Email Address []

The certificate and private key will be created at the specified location. Use the ls command to verify that the files were created:

example.crt example.key

That’s it! You have generated a new self-signed SSL certificate.

It is always a good idea to back up your new certificate and key to external storage.


Creating Self-Signed SSL Certificate without Prompt

If you want to generate a self-signed SSL certificate without being prompted for any question use the -subj option and specify all the subject information:



openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out example.crt \
            -keyout example.key \
            -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/"


Generating a RSA private key
writing new private key to 'example.key'

The fields, specified in -subj line are listed below:

  • C= – Country name. The two-letter ISO abbreviation.

  • ST= – State or Province name.

  • L= – Locality Name. The name of the city where you are located.

  • O= – The full name of your organization.

  • OU= – Organizational Unit.

  • CN= – The fully qualified domain name.



In this guide, we have shown you how to generate a self-signed SSL certificate using the openssl tool. Now that you have the certificate, you can configure your application to use it.