How to Create a Self-Signed SSL Certificate

SSL certificates are used to facilitate authentication and encryption on the internet. Normally, these certificates are issued by trusted third-party certificate authorities such as Let’s Encrypt. A self-signed certificate is one that is obtained without going through any third-party certificate authority.

TLS/SSL is a combination of a public certificate and a private key. The private key is stored securely on the server or on the load balancer, whereas the certificate is publicly accessible.

In this tutorial, we explain how to create a self-signed SSL certificate by using the OpenSSL tool.


A Linux machine and a user with sudo privileges.

Install OpenSSL

OpenSSL is available by default on all major Linux distributions. Run the command below to confirm if OpenSSL is already installed on your Linux machine.

$ openssl version
Check if OpenSSL is installed
Check if OpenSSL is installed

If you do not see an output showing OpenSSL version details, then run the next command to install OpenSSL.

On Ubuntu and Debian based distributions:

$ sudo apt install openssl

On Red Hat based distributions:

$ sudo dnf install openssl
$ sudo yum install openssl

The openssl command syntax is:

openssl command options arguments 

Create a Self-signed SSL Certificate with OpenSSL

After confirming that the OpenSSL tool is installed on your Linux machine, you may proceed to create your self-signed certificate.

CSR information is required to generate a private key. As we are generating a self-signed certificate it's not really required to output a CSR file, as it's only required if you are sending CSR information to a third-party certificate authority.

To create a self-signed SSL certificate, type:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout my_key.key -out my_cert.crt

This creates a self-signed certificate that will be valid for 365 days. The certificate and the key file will be created in the current directory unless another directory is explicitly specified.

Here is what each option denotes:

  • req  - Make a certificate signing request
  • -newkey  rsa:4096 - This creates a 4096 bit long RSA key. If not specified, it will create a 2048 bit long key by default
  • -keyout  - Private key file name where the key will be stored
  • -out   - Indicates file name to store the new certificate
  • -nodes - Skip the step to create the certificate with a passphrase
  • -x509 - Create an X.509 format certificate
  • -days - The number of days the certificate is valid

CSR Fields:

C= - Country name. (two-letter code).
ST= - State or Province name.
L= - Locality Name.
O= - The full name of your organization.
OU= - Organizational unit name.
CN= - The fully qualified domain name.

Create a Self-signed certificate using an existing private key and CSR

In some situations where you have an existing private key and csr, the following steps will suffice.

Create OpenSSL private key

First, run the command below to create and save your private key. This private key is required to sign your SSL certificate. You can change my_key in the command below to your own value.

$ sudo openssl genrsa -out my_key.key

Here is what the options mean.

  • genrsa  Generate an RSA private key
  • -out  Output file

Except you specified another location, your private key will be stored in the current working directory.

Create a certificate signing request

The next step is to create a Certificate Signing Request (CSR). The CSR is what you would normally send to a third-party certificate authority for signing. But in this case, you are going to sign it by yourself.

When creating a CSR, you would be asked to provide some information. Some fields may be left blank by pressing the enter key.

Now, run the command below to start creating your CSR.

$ sudo openssl req -new -key my_key.key -out my_csr.csr

Here is what each option denotes.

  • req  Make a certificate signing request
  • -new  New request
  • -key  The path where your private key file is stored
  • -out   Output file

The image below depicts what the CSR creation process looks like.

Create a certificate signing request
Create a certificate signing request

Sign your certificate by yourself

When you run the command below, a self-signed certificate which will be valid for 365 days would be created.

$ openssl x509 -req -days 365 -in my_csr.csr -signkey my_key.key -out my_cert.crt

Below is what the options mean.

  • x509  International standard for creating and verifying public key certificates
  • -req   Make a certificate request
  • -days  How many days the certificate should be valid for
  • -in  The path where your csr file is stored
  • --signkey  The path where your private key is stored
  • -out  Output file for your self-signed certificate

Verify the certificate

You may check the certificate details in text format with the command below.

$ openssl x509 -text -noout -in my_cert.crt
View SSL certificate details
View SSL certificate details


In this tutorial, we described how to create a self-signed SSL certificate by using the openssl tool. Given that major browsers do not trust self-signed certificates, it is recommended that you only use it internally or for testing purposes.

Leave a Comment