How To Create A Self-Signed SSL Certificate.
This article explains how to create a self-signed SSL Certificate using the openssl tool.
What is a Self-Signed SSL Certificate?
A self-signed SSL certificate is a certificate that is signed by the person who created it rather than by a trusted certificate authority. Self-signed certificates can have the same level of encryption as a trusted CA-signed SSL certificate.
Web browsers do not recognize the self-signed certificates as valid. When using a self-signed certificate, the web browser shows a warning to the visitor that the web site certificate cannot be verified.
Typically, the self-signed certificates are used for testing purposes or internal usage. You should not use a self-signed certificate in production systems that are exposed to the Internet.
The OpenSSL toolkit is required to generate a self-signed certificate.
To check whether the openssl package is installed on your Linux system, open your terminal, type openssl version, and press Enter. If the package is installed, the system will print the OpenSSL version, otherwise you will see something like openssl command not found.
If the openssl package is not installed on your system, you can install it with your distribution’s package manager:
Ubuntu and Debian
CentOS and Fedora
Creating Self-Signed SSL Certificate
To create a new Self-Signed SSL Certificate, use the openssl req command:
Let’s break down the command and understand what each option means:
-newkey rsa:4096 – Creates a new certificate request and a 4096-bit RSA key. The default one is 2048 bits.
-x509 – Creates an X.509 Certificate.
-sha256 – Use 256-bit SHA (Secure Hash Algorithm).
-days 3650 – The number of days to certify the certificate for. 3650 is ten years. You can use any positive integer.
-nodes – Creates a key without a passphrase.
-out example.crt – Specifies the filename to write the newly created certificate to. You can specify any file name.
-keyout example.key – Specifies the filename to write the newly created private key to. You can specify any file name.
For more information about the openssl req command options, visit the OpenSSL req documentation page.
Once you hit Enter, the command will generate the private key and ask you a series of questions. The information you provide is used to generate the certificate.
Enter the information requested and press Enter.
The certificate and private key will be created at the specified location. Use the ls command to verify that the files were created:
That’s it! You have generated a new self-signed SSL certificate.
It is always a good idea to back up your new certificate and key to external storage.
Creating Self-Signed SSL Certificate without Prompt
If you want to generate a self-signed SSL certificate without being prompted for any question, use the -subj option and specify all the subject information:
The fields specified in the -subj line are listed below:
C= – Country name. The two-letter ISO abbreviation.
ST= – State or Province name.
L= – Locality Name. The name of the city where you are located.
O= – The full name of your organization.
OU= – Organizational Unit.
CN= – The fully qualified domain name.
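The prompt-free generation and the follow-up check described above, as an added example that is not part of the original article: it passes the options explained earlier together with -subj, then checks that issuer and subject match, that the key belongs to the certificate, and how long the certificate stays valid. The function names, the file base name and the subject values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names, file names
# and subject values are constructed for illustration.
# Usage: make_selfsigned example "/C=US/ST=.../CN=www.example.com"

# make_selfsigned <basename> <subject> [rsa-bits] [days]
# Writes <basename>.crt and <basename>.key without prompting.
make_selfsigned() {
    name=$1; subj=$2; bits=${3:-4096}; days=${4:-3650}
    # -nodes leaves the private key unencrypted on disk, so create the files
    # under a restrictive umask; the subshell keeps the umask change local.
    (
        umask 077
        openssl req -newkey "rsa:$bits" -x509 -sha256 -days "$days" -nodes \
            -out "$name.crt" -keyout "$name.key" -subj "$subj"
    )
}

# is_selfsigned <cert>: succeeds when issuer and subject are the same name,
# as they are in a self-signed certificate.
is_selfsigned() {
    s=$(openssl x509 -in "$1" -noout -subject) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer) || return 1
    [ -n "$s" ] && [ "${s#subject=}" = "${i#issuer=}" ]
}

# key_matches_cert <cert> <key>: succeeds when the certificate and the
# private key carry the same public key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# valid_for_days <cert> <days>: succeeds when the certificate is still valid
# that many days from now (-checkend takes seconds).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
```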
In this guide, we have shown you how to generate a self-signed SSL certificate using the openssl tool. Now that you have the certificate, you can configure your application to use it.