Self-Signed SSL Certificate


Prerequisites:

The OpenSSL toolkit is required to generate a self-signed certificate.

To check whether the openssl package is installed on your Linux system, open your terminal, type openssl version, and press Enter. If the package is installed, the system prints the OpenSSL version; otherwise you will see something like openssl: command not found.

If the openssl package is not installed on your system, you can install it with your distribution’s package manager:

  • Ubuntu and Debian
$ sudo apt install openssl
  • CentOS and Fedora
$ sudo yum install openssl

Creating a Self-Signed SSL Certificate:

To create a new self-signed SSL certificate, use the openssl req command:

$ openssl req -newkey rsa:4096 \
              -x509 \
              -sha256 \
              -days 365 \
              -nodes \
              -out example.crt \
              -keyout example.key

Let’s break down the command and understand what each option means:

  • -newkey rsa:4096 – Creates a new certificate request and a 4096-bit RSA key. The default is 2048 bits.
  • -x509 – Creates an X.509 certificate instead of a certificate signing request.
  • -sha256 – Uses SHA-256 (256-bit Secure Hash Algorithm) as the digest for the certificate signature.
  • -days 365 – The number of days the certificate is valid for. 365 is one year. You can use any positive integer.
  • -nodes – Creates a key without a passphrase, so the private key file is stored unencrypted.
  • -out example.crt – Specifies the filename to write the newly created certificate to. You can specify any file name.
  • -keyout example.key – Specifies the filename to write the newly created private key to. You can specify any file name.

Once you hit Enter, the command generates the private key and asks you a series of questions. The information you provide is used to generate the certificate.

Output

Generating a RSA private key
......................................++++
..........................................................................................................++++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Enter the information requested and press Enter.

Output

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

The certificate and private key will be created at the specified location. Use the ls command to verify that the files were created:

$ ls
Output

example.crt example.key
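The same procedure can be run without the interactive prompts, which is how it is usually scripted. The script below is an added example and not part of the original page: it reuses the page’s openssl req invocation, fills in the Distinguished Name with -subj, adds a subjectAltName with -addext (modern browsers and TLS libraries match the hostname only against the SAN, not the Common Name), and then performs the checks worth doing before deploying the files: the private key really belongs to the certificate, the certificate is self-signed, and it has not expired. The hostname example.test, the output directory and the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive self-signed
# certificate generation plus the checks a practitioner runs before deploying it.
# Assumptions: hostname example.test, output directory OUT_DIR, helper names.
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# require_openssl: the page's prerequisite check, as a function.
require_openssl() {
    openssl version >/dev/null 2>&1
}

# gen_selfsigned HOST [DAYS]: the page's openssl req command, with -subj
# supplying the DN fields the interactive run asks for and -addext adding a
# subjectAltName (requires OpenSSL 1.1.1 or newer).
gen_selfsigned() {
    host="$1"; days="${2:-365}"
    openssl req -newkey rsa:4096 -x509 -sha256 -days "$days" -nodes \
        -subj "/C=XX/O=Example Lab/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -out "$OUT_DIR/$host.crt" \
        -keyout "$OUT_DIR/$host.key" 2>/dev/null
    # -nodes leaves the key unencrypted; compensate with file permissions.
    chmod 600 "$OUT_DIR/$host.key"
}

# cert_cn HOST: print the Common Name from the certificate subject.
# The sed pattern accepts both "CN = x" (OpenSSL 1.1/3.x) and "/CN=x" (older).
cert_cn() {
    openssl x509 -in "$OUT_DIR/$1.crt" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_has_san HOST NAME: exit 0 if DNS:NAME appears in the certificate.
cert_has_san() {
    openssl x509 -in "$OUT_DIR/$1.crt" -noout -text | grep -q "DNS:$2"
}

# key_matches_cert HOST: the public key embedded in the certificate must equal
# the one derived from the private key (catches the "wrong .key next to the
# .crt" deployment mistake).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$OUT_DIR/$1.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$OUT_DIR/$1.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_is_selfsigned HOST: issuer equals subject, and the certificate verifies
# only when it is its own trust anchor. This is why clients must have the
# certificate explicitly imported or pinned; no public CA vouches for it.
cert_is_selfsigned() {
    subj=$(openssl x509 -in "$OUT_DIR/$1.crt" -noout -subject | sed 's/^subject//')
    iss=$(openssl x509 -in "$OUT_DIR/$1.crt" -noout -issuer | sed 's/^issuer//')
    [ "$subj" = "$iss" ] &&
        openssl verify -CAfile "$OUT_DIR/$1.crt" "$OUT_DIR/$1.crt" >/dev/null 2>&1
}

# cert_valid_in HOST SECONDS: exit 0 if the certificate is still valid SECONDS
# from now. Use it in monitoring to catch a -days 365 certificate expiring.
cert_valid_in() {
    openssl x509 -in "$OUT_DIR/$1.crt" -noout -checkend "$2" >/dev/null
}

# Stand-alone run: generate and report. Guarded so the "command not found"
# case from the Prerequisites section fails with a clear message.
if require_openssl; then
    gen_selfsigned example.test 365
    printf 'Created %s/example.test.crt and .key\n' "$OUT_DIR"
    printf 'CN: %s\n' "$(cert_cn example.test)"
    key_matches_cert example.test && echo "private key matches certificate"
    cert_is_selfsigned example.test && echo "certificate is self-signed"
    cert_valid_in example.test 86400 && echo "still valid one day from now"
else
    echo "openssl not found; install it first (see Prerequisites)" >&2
fi
```

Run it as sh gen-selfsigned.sh; set OUT_DIR to choose where the files land. The key_matches_cert check is the one to keep in a deployment pipeline: a web server that is handed a certificate and a non-matching key either refuses to start or, worse, serves a certificate nobody can complete a handshake with.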