SSL certificates are used to facilitate authentication and encryption on the internet. Normally, these certificates are issued by trusted third-party certificate authorities such as Let’s Encrypt. A self-signed certificate is one that is obtained without going through any third-party certificate authority.
A TLS/SSL identity consists of two parts: a public certificate and a private key. The private key is stored securely on the server or on the load balancer, whereas the certificate is sent to every client that connects.
In this tutorial, we explain how to create a self-signed SSL certificate by using the OpenSSL tool.
Prerequisites: a Linux machine and a user with sudo privileges.
OpenSSL is available by default on all major Linux distributions. Run the command below to confirm whether OpenSSL is already installed on your Linux machine.
$ openssl version
If the output does not show OpenSSL version details, run the command for your distribution to install OpenSSL.
On Ubuntu and Debian based distributions:
$ sudo apt install openssl
On Red Hat based distributions:
$ sudo dnf install openssl
$ sudo yum install openssl
The openssl command syntax is:
openssl command options arguments
Create a Self-signed SSL Certificate with OpenSSL
After confirming that the OpenSSL tool is installed on your Linux machine, you may proceed to create your self-signed certificate.
You will be prompted for the subject information that would normally go into a CSR. Because we are generating a self-signed certificate, no CSR file needs to be written; a CSR file is only required when you send the request to a third-party certificate authority.
To create a self-signed SSL certificate, type:
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout my_key.key -out my_cert.crt
This creates a self-signed certificate that will be valid for 365 days. The certificate and the key file will be created in the current directory unless another directory is explicitly specified.
Here is what each option denotes:
- req - Certificate request utility; combined with -x509 it outputs a self-signed certificate instead of a CSR
- -newkey rsa:4096 - This creates a 4096 bit long RSA key. If not specified, it will create a 2048 bit long key by default
- -keyout - Private key file name where the key will be stored
- -out - Indicates file name to store the new certificate
- -nodes - Do not protect the private key with a passphrase (the key is written to disk unencrypted)
- -x509 - Create an X.509 format certificate
- -days - The number of days the certificate is valid
You will be prompted for the following subject fields, which identify the certificate's owner:
- C= - Country name (two-letter code)
- ST= - State or province name
- L= - Locality name
- O= - The full name of your organization
- OU= - Organizational unit name
- CN= - The fully qualified domain name of the server
Create a Self-signed certificate using an existing private key and CSR
If you prefer to create the private key and the CSR as separate steps, or already have them, follow the procedure below.
Create OpenSSL private key
First, run the command below to create and save your private key. This private key is required to sign your SSL certificate. You can change my_key in the command below to your own value.
$ sudo openssl genrsa -out my_key.key
Here is what the options mean.
- genrsa Generate an RSA private key
- -out Output file
Unless you specify another location, your private key is stored in the current working directory.
Create a certificate signing request
The next step is to create a Certificate Signing Request (CSR). The CSR is what you would normally send to a third-party certificate authority for signing. But in this case, you are going to sign it by yourself.
When creating a CSR, you are asked to provide some information about the certificate's owner. Fields may be left blank by pressing the Enter key.
Now, run the command below to start creating your CSR.
$ sudo openssl req -new -key my_key.key -out my_csr.csr
Here is what each option denotes.
- req Make a certificate signing request
- -new New request
- -key The path where your private key file is stored
- -out Output file
The image below depicts what the CSR creation process looks like.
Sign your certificate by yourself
Running the command below creates a self-signed certificate that is valid for 365 days.
$ openssl x509 -req -days 365 -in my_csr.csr -signkey my_key.key -out my_cert.crt
Below is what the options mean.
- x509 - Certificate display and signing utility (X.509 is the standard format for public key certificates)
- -req - Expect a certificate signing request as input instead of a certificate
- -days - How many days the certificate should be valid for
- -in - The path where your CSR file is stored
- -signkey - The path to the private key used to sign the certificate
- -out - Output file for your self-signed certificate
Verify the certificate
You may check the certificate details in text format with the command below.
$ openssl x509 -text -noout -in my_cert.crt
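As an added example that is not part of the original tutorial, the script below runs the one-shot `req -x509` command non-interactively (answering the subject prompts with -subj and adding the hostname as a subjectAltName, which browsers check in addition to the CN) and then performs the checks worth running on any certificate and key produced by the procedures above. The hostname web.example.test, the subject fields and the output paths are constructed values; -addext requires OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# make_selfsigned HOSTNAME OUTDIR
# Writes OUTDIR/my_key.key and OUTDIR/my_cert.crt for HOSTNAME, then verifies them.
make_selfsigned() {
    host="$1"; dir="$2"
    key="$dir/my_key.key"; crt="$dir/my_cert.crt"
    mkdir -p "$dir" || return 1
    # -subj answers the interactive CSR prompts; -addext adds a DNS SAN for the host.
    # umask 077 keeps the key private from the moment it is written, which matters
    # because -nodes leaves it unencrypted on disk. Subject values are constructed.
    (umask 077 && openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
        -keyout "$key" -out "$crt" \
        -subj "/C=US/ST=Example/L=Example/O=Example Org/OU=IT/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1) || return 1
    verify_selfsigned "$key" "$crt" "$host"
}

# verify_selfsigned KEYFILE CERTFILE HOSTNAME
# Returns 0 only if the key/certificate pair is consistent and usable for HOSTNAME.
verify_selfsigned() {
    key="$1"; crt="$2"; host="$3"
    # The certificate must carry the public half of exactly this private key.
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null)" ] \
        || { echo "public key in certificate does not match private key" >&2; return 1; }
    # A self-signed certificate is its own trust anchor, so it must verify against itself.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 \
        || { echo "self-signature does not verify" >&2; return 1; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate is expired" >&2; return 1; }
    # The hostname must appear as a DNS SAN, not only in the CN.
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q "DNS:$host" \
        || { echo "no subjectAltName for $host" >&2; return 1; }
    # The private key must not be readable by group or others (ls mode bits 5-10).
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "private key is readable by other users" >&2; return 1; }
    echo "OK: $crt is self-signed for $host and matches $key"
}
```

Running `make_selfsigned web.example.test ./certs` produces the two files and prints the OK line; pointing verify_selfsigned at a different private key makes the first check fail, which is how a mismatched key/certificate deployment is caught before a server refuses to start.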
In this tutorial, we described how to create a self-signed SSL certificate by using the openssl tool. Because major browsers do not trust self-signed certificates, it is recommended that you use them only internally or for testing purposes.