How to Generate a Self-signed SSL Certificate Using OpenSSL?

Better Stack Team
Updated on October 7, 2024

Generating a self-signed SSL certificate using OpenSSL involves several steps. Below is a guide on how to create a self-signed SSL certificate:

Step 1: Install OpenSSL

Before you begin, ensure that OpenSSL is installed on your system. You can check by running:

 
openssl version

If it’s not installed, you can install it using your package manager. For example:

  • On Ubuntu/Debian:

     
    sudo apt-get install openssl
    
  • On CentOS/Fedora:

     
    sudo yum install openssl
    

Step 2: Generate a Private Key

First, generate a private key. This key is used to create the certificate.

 
openssl genpkey -algorithm RSA -out private.key -aes256
  • -algorithm RSA: Specifies that you want to generate an RSA key.
  • -out private.key: The output file where the private key will be stored.
  • -aes256: Optionally, encrypts the private key with AES-256. You’ll be prompted to enter a passphrase.

Step 3: Create a Certificate Signing Request (CSR)

Next, generate a CSR, which is normally the request you send to a certificate authority (CA) to have your certificate signed. Because you're self-signing, no CA is involved and the CSR simply serves as the input to the next step.

 
openssl req -new -key private.key -out certificate.csr

If you encrypted the key in Step 2, you’ll first be asked for its passphrase. You’ll then be prompted to enter information such as:

  • Country Name (2 letter code): Your country code (e.g., US for United States).
  • State or Province Name (full name): The full name of your state or province.
  • Locality Name (eg, city): Your city.
  • Organization Name (eg, company): The name of your organization.
  • Organizational Unit Name (eg, section): The name of your department or section.
  • Common Name (e.g., your domain name): The fully qualified domain name (FQDN) for which you're generating the certificate (e.g., www.example.com).
  • Email Address: Your email address.

Step 4: Generate a Self-signed Certificate

Now, generate the self-signed certificate using the private key and the CSR.

 
openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out selfsigned.crt
  • -req: Indicates the input is a CSR.
  • -days 365: Specifies that the certificate should be valid for 365 days.
  • -signkey private.key: Signs the certificate with your private key.
  • -out selfsigned.crt: The output file where the certificate will be stored.

Step 5: Verify the Certificate

Finally, you can verify the contents of the certificate:

 
openssl x509 -in selfsigned.crt -text -noout

This command will output the details of your self-signed certificate.
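
The script below is an added example, not part of the original article: it runs Steps 2 to 4 without prompts and then checks the result mechanically instead of by reading the `-text` dump. The function names, the KEY_PASS variable, the san.ext file and the subjectAltName extension are assumptions of this example.

```shell
#!/bin/sh
# Added example. Assumed names: make_selfsigned, check_selfsigned, KEY_PASS, san.ext.
: "${KEY_PASS:=constructed-demo-passphrase}"   # constructed value; set your own
export KEY_PASS

# make_selfsigned DIR FQDN: Steps 2-4 without prompts, files written to DIR
make_selfsigned() {
    dir=$1 fqdn=$2
    # Step 2: AES-256 encrypted RSA key, passphrase taken from the environment
    openssl genpkey -algorithm RSA -aes256 -pass env:KEY_PASS \
        -out "$dir/private.key" || return 1
    chmod 600 "$dir/private.key"
    # Step 3: CSR; -subj supplies the answers to the interactive prompts
    openssl req -new -key "$dir/private.key" -passin env:KEY_PASS \
        -subj "/CN=$fqdn" -out "$dir/certificate.csr" || return 1
    # Current browsers match the host name against subjectAltName, not the CN
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    # Step 4: self-sign the CSR, adding the SAN extension
    openssl x509 -req -days 365 -in "$dir/certificate.csr" \
        -signkey "$dir/private.key" -passin env:KEY_PASS \
        -extfile "$dir/san.ext" -out "$dir/selfsigned.crt"
}

# check_selfsigned DIR FQDN: 0 if all checks pass, else the number of the failed check
check_selfsigned() {
    crt=$1/selfsigned.crt key=$1/private.key
    [ -s "$crt" ] || return 1
    # 1. self-signed: issuer name equals subject name
    [ "$(openssl x509 -in "$crt" -noout -subject_hash)" = \
      "$(openssl x509 -in "$crt" -noout -issuer_hash)" ] || return 1
    # 2. the certificate carries the public half of private.key
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout)" ] || return 2
    # 3. the host name is present in subjectAltName
    openssl x509 -in "$crt" -noout -text | grep -qF "DNS:$2" || return 3
    # 4. the certificate has not expired
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 4
}

# Demo run in a throwaway directory (www.example.com is the page's sample name)
demo=$(mktemp -d)
make_selfsigned "$demo" www.example.com && check_selfsigned "$demo" www.example.com \
    && echo "selfsigned.crt passed all checks in $demo"
```

In real use, export KEY_PASS from your secret store before calling the functions rather than relying on the default.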

Files Generated

  • private.key: The private key file.
  • certificate.csr: The certificate signing request.
  • selfsigned.crt: The self-signed SSL certificate.

Summary

You now have a self-signed SSL certificate (selfsigned.crt) and a corresponding private key (private.key). You can use these in your web server configuration to enable SSL for your site. Remember that self-signed certificates are not trusted by browsers by default, so you’ll typically see a security warning when accessing a site using them.

Licensed under CC-BY-NC-SA

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
