How To Create A Self-Signed SSL Certificate With OpenSSL
Mattias Geniar, Thursday, August 6, 2015 - last modified: Saturday, August 8, 2015
Creating a self-signed SSL certificate isn't difficult with OpenSSL. These kinds of SSL certificates are perfect for testing, development environments or anything else that requires SSL but doesn't need a certificate that browsers trust.
If you use this in an Nginx or Apache configuration, your visitors will see a big red "Your connection is not private" warning message first, before they can proceed. This isn't for production, just for testing.
To generate a self-signed SSL certificate in a single openssl command, run the following in your terminal.
$ openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes
You'll be prompted for several questions; the only one that really matters is the Common Name question, which is used as the hostname/DNS name the self-signed SSL certificate is made for. Note that current browsers (Chrome since version 58, for instance) ignore the Common Name entirely and only match the hostname against the subjectAltName extension, which this command does not set; to get past the hostname check in those browsers you need to add a subjectAltName as well. (Although: even with a valid Common Name, it's still a self-signed SSL certificate and browsers will still find it
Here's the output of that command.
$ openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes
Generating a 2048 bit RSA private key
.............................+++
..............+++
writing new private key to 'certificate.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Antwerp
Locality Name (eg, city) []:Antwerp
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Organization Ltd
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:your.domain.tld
Email Address []:email@example.com
If you don't want to fill in those questions every time, you can pass the Common Name on the command line with the -subj option. It'll generate the self-signed SSL certificate for you straight away, without pestering you for questions like Country Name, Organization, ...
$ openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes -subj '/CN=my.domain.tld'
Generating a 2048 bit RSA private key
.....+++
...........................+++
writing new private key to 'certificate.key'
-----
The result with both openssl commands will be 2 new files in your current working directory.
$ ls -alh
-rw-r--r-- 1 mattias 1.7K certificate.crt
-rw-r--r-- 1 mattias 1.6K certificate.key
You can use certificate.key as the key for your SSL configurations. It doesn't have a password associated with it; that's what the -nodes ("no DES", i.e. don't encrypt the private key) option was for when running the openssl command. OpenSSL 3.0 renamed this option to -noenc and keeps -nodes as a deprecated alias. If you want a password on your private key, remove that option and run the openssl command again. Since the key is stored in plain text, also look at the file permissions: in the listing above certificate.key was created world-readable (-rw-r--r--), so any local user can read the private key. Restrict it with chmod 600 certificate.key (or run openssl with umask 077) before pointing a web server at it.
$ cat certificate.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4Ez4L6n8KNDJvBNlu2kqIiTNXM7PiyfD8OPSg665OXf1qaaA
...
P2JYe3EN8sVlUG7bx1b0D78UQA+KMkwuWNNaQyerSNc8QMC63DT5
-----END RSA PRIVATE KEY-----
certificate.crt contains the certificate itself, the "public" part: your public key plus the identity fields you entered, signed with the private key above. This is the file you can hand out freely.
$ cat certificate.crt
-----BEGIN CERTIFICATE-----
MIIE9zCCA9+gAwIBAgIJAKR+VA+yc2CzMA0GCSqGSIb3DQEBBQUAMIGtMQswCQYD
...
C4RviEJyE4xdmwsjzfkc3nJTJfFyT/uo+Cx+
-----END CERTIFICATE-----
Now you have a self-signed SSL certificate and a private key you can use for your server configurations.
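The following script is an added example and not code from the original post. It wraps the same openssl req -x509 ... -nodes command the post uses into a non-interactive function that also sets a subjectAltName (which browsers check instead of the Common Name), creates the key with restrictive permissions, and then runs the checks you want before deploying: that the CN and SAN came out right, that the key really belongs to the certificate, that the certificate fails verification against the system CA store (the browser warning the post describes) but passes once it is pinned as its own trust anchor, and what an encrypted key looks like if you drop -nodes. The hostnames, file names, 1024-day lifetime and the passphrase "secret" are assumptions borrowed from the post's examples; the config-file approach is used instead of -addext so the script works on OpenSSL 1.0.2 as well as 1.1.1 and 3.x.

```shell
#!/bin/sh
# Added example, not the original post's code. Generates a self-signed cert
# with a subjectAltName non-interactively and checks the result.
# Hostnames, file names, the 1024-day lifetime and the passphrase used in the
# demo at the bottom are assumptions taken from the post's examples.
set -eu

# make_selfsigned DIR NAME DAYS HOST [HOST ...]
# Writes DIR/NAME.key and DIR/NAME.crt. The first HOST becomes the CN and
# every HOST is listed in the subjectAltName, which is what browsers match.
make_selfsigned() {
    dir="$1"; name="$2"; days="$3"; shift 3
    [ "$#" -ge 1 ] || { echo "need at least one hostname" >&2; return 1; }
    i=1; alt=""
    for h in "$@"; do
        alt="${alt}DNS.${i} = ${h}
"
        i=$((i + 1))
    done
    # Generated config: prompt = no makes req read the DN from [dn] instead
    # of asking the Country/State/... questions interactively.
    cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_self

[dn]
CN = $1

[v3_self]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
$alt
EOF
    # umask 077 in a subshell: the unencrypted (-nodes) key is created 0600
    # instead of the world-readable 0644 shown in the post's ls output.
    (umask 077 && openssl req -x509 -sha256 -newkey rsa:2048 -nodes \
        -days "$days" -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null)
}

# cert_cn CERT: the subject CN, tolerating the "CN = x" and "/CN=x" formats
# that different OpenSSL versions print.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_sans CERT: the subjectAltName line, e.g. "DNS:a.example, DNS:b.example".
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'
}

# key_matches_cert KEY CERT: succeeds when the public key inside CERT is the
# one derived from KEY (catches the classic "wrong key for this cert" mix-up).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# trusted_by_default CERT: what a client with only the system CA store sees.
# A self-signed cert fails here; this is the browser warning from the post.
trusted_by_default() {
    openssl verify "$1" >/dev/null 2>&1
}

# trusted_when_pinned CERT: succeeds once the cert itself is the trust anchor,
# which is how a test client should be configured rather than disabling checks.
trusted_when_pinned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# key_mode FILE: the permission string, e.g. "-rw-------".
key_mode() {
    ls -l "$1" | cut -c1-10
}

# encrypt_key KEY OUT PASSPHRASE: the alternative to -nodes, as a PKCS#8
# private key encrypted with AES-256 under the given passphrase.
encrypt_key() {
    (umask 077 && openssl pkey -in "$1" -aes256 -passout "pass:$3" -out "$2")
}

# key_is_encrypted FILE: an encrypted PKCS#8 key announces itself in its header.
key_is_encrypted() {
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Stand-alone use: ./selfsigned.sh my.domain.tld www.my.domain.tld
if [ "$#" -gt 0 ]; then
    make_selfsigned . certificate 1024 "$@"
    echo "CN:   $(cert_cn certificate.crt)"
    echo "SAN:  $(cert_sans certificate.crt)"
    echo "mode: $(key_mode certificate.key)"
    key_matches_cert certificate.key certificate.crt && echo "key matches certificate"
    trusted_by_default certificate.crt || echo "not trusted by the system CA store (expected)"
    trusted_when_pinned certificate.crt && echo "trusted when pinned as its own CA"
fi
```

Pinning the certificate with -CAfile (or the equivalent in curl, a Java truststore, or a mobile app's network config) is the right way to make a test client accept this certificate; turning off verification instead means the client will also accept anyone else's self-signed certificate.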