How to Generate a Self-signed SSL Certificate Using OpenSSL?

Better Stack Team
Updated on October 7, 2024

Generating a self-signed SSL certificate using OpenSSL involves several steps. Below is a guide on how to create a self-signed SSL certificate:

Step 1: Install OpenSSL

Before you begin, ensure that OpenSSL is installed on your system. You can check by running:

 
openssl version

If it’s not installed, you can install it using your package manager. For example:

  • On Ubuntu/Debian:

     
    sudo apt-get install openssl
    
  • On CentOS/Fedora:

     
    sudo yum install openssl
    

Step 2: Generate a Private Key

First, generate a private key. This key is used to create the certificate.

 
openssl genpkey -algorithm RSA -out private.key -aes256

  • -algorithm RSA: Specifies that you want to generate an RSA key.
  • -out private.key: The output file where the private key will be stored.
  • -aes256: Optional. Encrypts the private key with AES-256; you’ll be prompted to enter a passphrase.

Step 3: Create a Certificate Signing Request (CSR)

Next, generate a CSR, which is normally the request you send to a certificate authority to have your certificate signed. Because you're self-signing, you'll sign it yourself in the next step.

 
openssl req -new -key private.key -out certificate.csr

You’ll be prompted to enter information such as:

  • Country Name (2 letter code): Your country code (e.g., US for United States).
  • State or Province Name (full name): The full name of your state or province.
  • Locality Name (eg, city): Your city.
  • Organization Name (eg, company): The name of your organization.
  • Organizational Unit Name (eg, section): The name of your department or section.
  • Common Name (e.g., your domain name): The fully qualified domain name (FQDN) for which you're generating the certificate (e.g., www.example.com).
  • Email Address: Your email address.

Step 4: Generate a Self-signed Certificate

Now, generate the self-signed certificate using the private key and the CSR.

 
openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out selfsigned.crt

  • -req: Indicates the input is a CSR.
  • -days 365: Specifies that the certificate should be valid for 365 days.
  • -signkey private.key: Signs the certificate with your private key.
  • -out selfsigned.crt: The output file where the certificate will be stored.

Step 5: Verify the Certificate

Finally, you can verify the contents of the certificate:

 
openssl x509 -in selfsigned.crt -text -noout

This command will output the details of your self-signed certificate.
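
Beyond reading the text dump, you can check the result mechanically. The script below is an added example, not part of the original article: it runs Steps 2 to 4 without prompts and then confirms that the key is stored encrypted, that the certificate matches the key, that it verifies against itself, and that it has not expired. The function names and the KEY_PASS environment variable are assumptions made for this example; the file names are the article's.

```shell
#!/bin/sh
# Added example (not from the article): Steps 2-4 without prompts, then checks.
# Assumption: the key passphrase is exported as KEY_PASS before calling these.

make_selfsigned() {   # usage: make_selfsigned <dir> <common-name>
    ( cd "$1" &&
      openssl genpkey -algorithm RSA -out private.key -aes256 \
          -pass env:KEY_PASS &&
      chmod 600 private.key &&
      openssl req -new -key private.key -passin env:KEY_PASS \
          -subj "/CN=$2" -out certificate.csr &&
      openssl x509 -req -days 365 -in certificate.csr \
          -signkey private.key -passin env:KEY_PASS -out selfsigned.crt
    ) >/dev/null 2>&1   # drop the redirect to see OpenSSL's own messages
}

check_pair() {   # usage: check_pair <dir>; returns 0 only if every check passes
    crt="$1/selfsigned.crt" key="$1/private.key" rc=0
    # Step 2 used -aes256, so the PKCS#8 file must be the encrypted form.
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$key" ||
        { echo "FAIL: private key is stored unencrypted"; rc=1; }
    # The certificate must carry the public half of this private key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: certificate does not match private key"; rc=1; }
    # Self-signed: it must verify with itself as the only trust anchor.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: signature does not verify against its own key"; rc=1; }
    # -days 365 from Step 4: fail if expired, warn when inside 30 days.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; rc=1; }
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null ||
        echo "WARN: certificate expires within 30 days"
    return $rc
}

# Example run, with KEY_PASS already exported:
#   make_selfsigned . www.example.com && check_pair . && echo "all checks passed"
```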

Files Generated

  • private.key: The private key file.
  • certificate.csr: The certificate signing request.
  • selfsigned.crt: The self-signed SSL certificate.

Summary

You now have a self-signed SSL certificate (selfsigned.crt) and a corresponding private key (private.key). You can use these in your web server configuration to enable SSL for your site. Remember that self-signed certificates are not trusted by browsers by default, so you’ll typically see a security warning when accessing a site using them.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.