How To Create A Self-Signed SSL Certificate With OpenSSL

Mattias Geniar, Thursday, August 6, 2015 - last modified: Saturday, August 8, 2015

Creating a self-signed SSL certificate isn't difficult with OpenSSL. These kinds of SSL certificates are perfect for testing, development environments or anything else that requires SSL but doesn't necessarily need a certificate trusted by browsers.

If you use this in an Nginx or Apache configuration, your visitors will see a big red "Your connection is not private" warning message first, before they can browse through. This isn't for production, just for testing.

To generate a self-signed SSL certificate in a single openssl command, run the following in your terminal.

$ openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes

You'll be prompted with several questions; the only one that really matters is the Common Name question, which will be used as the hostname/DNS name the self-signed SSL certificate is made for. (Although: even with a valid Common Name, it's still a self-signed SSL certificate and browsers will still flag it as invalid/untrusted.)

Here's the output of that command.

$ openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes

Generating a 2048 bit RSA private key
writing new private key to 'certificate.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Antwerp
Locality Name (eg, city) []:Antwerp
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Organization Ltd
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []: your.domain.tld
Email Address []:info@yourdomain.tld

If you don't want to fill in those questions every time, you can run a single command with the Common Name as a command line argument. It'll generate the self-signed SSL certificate for you straight away, without pestering you for questions like Country Name, Organization, ...

$ openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes -subj '/CN=my.domain.tld'

Generating a 2048 bit RSA private key
writing new private key to 'certificate.key'

Either openssl command leaves you with 2 new files in your current working directory.

$ ls -alh
-rw-r--r--   1 mattias  1.7K  certificate.crt
-rw-r--r--   1 mattias  1.6K  certificate.key

You can use the certificate.key as the key for your SSL configurations. It doesn't have a password associated with it; that's what the -nodes ("no DES", i.e. don't encrypt the private key) option was for when running the openssl command. If you want a password on your private key, remove that option and run the openssl command again.

$ cat certificate.key

The certificate.crt contains your certificate file, the "public" part of your certificate.

$ cat certificate.crt

Now you have a self-signed SSL certificate and a private key you can use for your server configurations.
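As an added example (not part of the original post), here is the same generation done non-interactively from a script, extended with an explicit extensions section so the result is an end-entity server certificate (basicConstraints CA:FALSE, which avoids the "CA == TRUE" Apache warning discussed in the comments) with a subjectAltName, followed by checks that the key and certificate actually belong together. The output directory, hostname and validity period are parameters; everything else is the openssl CLI as it ships.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed
# certificate non-interactively with an explicit extensions section,
# then verify what was produced. Requires the openssl CLI on PATH.
set -eu

# Generate certificate.key + certificate.crt in $1 for hostname $2,
# valid for $3 days. A throwaway config replaces the system openssl.cnf
# so the extensions don't depend on whatever defaults are installed.
gen_selfsigned() {
  dir=$1; cn=$2; days=$3
  mkdir -p "$dir"
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[ee]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$cn
EOF
  openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days "$days" \
    -config "$dir/req.cnf" -extensions ee \
    -keyout "$dir/certificate.key" -out "$dir/certificate.crt" 2>/dev/null
}

# Succeed only if the private key's public half equals the key in the cert.
key_matches_cert() {
  k=$(openssl pkey -in "$1/certificate.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$1/certificate.crt" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the subject CN (handles both the old "/CN=x" and new "CN = x" output).
cert_cn() {
  openssl x509 -in "$1/certificate.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Print the basicConstraints CA flag ("CA:TRUE" or "CA:FALSE"), or "none".
cert_ca_flag() {
  f=$(openssl x509 -in "$1/certificate.crt" -noout -text | grep -o 'CA:[A-Z]*' || true)
  echo "${f:-none}"
}
```

Run `gen_selfsigned ./out my.domain.tld 1024` and then `cert_ca_flag ./out` to confirm the certificate is no longer marked as a CA.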

Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.

Trouble, Thursday, August 6, 2015 at 20:02

There is nothing ‘invalid’ about self-signed certificates. The web browser industry just likes to confuse the terms ‘invalid’ and ‘untrusted’. (They also like to make trust decisions on behalf of users – that’s a different discussion – do you know and trust any of the organisations in the root certificate authorities distributed with your operating system? I certainly don’t).

Hopefully, as DNSSEC becomes more widely deployed (end to end!), DANE will become more useful and the silly notion of delegating trust to organisations with enough money to convince operating system vendors and browser vendors to distribute their root certificates will go away.

Are you running a validating resolver on all your machines yet? Why not?

Martin, Saturday, August 8, 2015 at 19:59

Hey – you should really add the -sha256 option as well. Even if self-signed, SHA2 is still the way to go.

openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes

Anthony, Thursday, March 17, 2016 at 22:42

I run the command:

openssl req -x509 -sha256 -nodes -days 4000 -newkey rsa:2048 -keyout bvplus.key -out bvplus.crt

I now get this error in my apache config:

[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

Does this mean the self-signed cert command isn't working correctly? The cert works fine everywhere else, but this warning is in all my server logs that I use this self-signed cert command on, CentOS 6 and Apache. Any ideas?
