Sep 1, 2023 4 min read

How to Create Self-Signed SSL Certificate

Create a Self-Signed SSL Certificate with our step-by-step tutorial. Self Signed SSL Certs use a site's private key for the digital signature.


Introduction

Before we begin talking about how to create a self-signed SSL certificate, let’s briefly understand - What is a Self-Signed SSL Certificate?

Anyone can create a Self-Signed SSL Certificate by generating a public-private key pair. It is called self-signed because the certificate's digital signature is made with the website's own private key rather than with the key of a certificate authority (CA).

With self-signed certificates, no trusted authority vouches for the identity of the origin server, so the browser has nothing to verify the certificate against. They are not considered trustworthy by web browsers and can be marked as "not secure". They can be used for non-production applications or for testing purposes.

In this tutorial, you will create a self-signed SSL certificate. We will also address a few FAQs on how to create a self-signed SSL certificate.

Prerequisites

  • OpenSSL toolkit to generate a self-signed certificate

Install OpenSSL

First, check whether the openssl package is installed by typing openssl version in your terminal and pressing Enter. If the package is installed, the system prints the OpenSSL version; otherwise you get an error such as openssl command not found.

If the package is not installed, install it using the following commands:

  • For Ubuntu and Debian
sudo apt install openssl
  • For CentOS and Fedora
sudo yum install openssl

Create a Self-Signed SSL Certificate

1) Use the openssl req command to create a new self-signed SSL certificate.

openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out example.crt \
            -keyout example.key

Let's understand the options used in the above command:

  • -newkey rsa:4096: Creates a new certificate request and a new 4096-bit RSA private key.
  • -x509: Outputs a self-signed X.509 certificate instead of a certificate signing request.
  • -sha256: Signs the certificate using 256-bit SHA (Secure Hash Algorithm).
  • -days 3650: Specifies the number of days for which the certificate is valid. You can use any positive integer that fits your requirement.
  • -nodes: Creates the private key without a passphrase, so the key is stored unencrypted on disk. OpenSSL 3.0 and later name this option -noenc and keep -nodes as a deprecated alias.
  • -out example.crt: Specifies the filename to write the newly created certificate to. You can use a filename of your choice.
  • -keyout example.key: Specifies the filename to write the newly created private key to. You can use a filename of your choice.

2) After you hit the Enter key, the above command will generate the private key and will ask you some questions. The information given by you will be used to generate the certificate.

Output

Generating a RSA private key
......................................................................++++
........++++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

3) Provide the required information and hit Enter:

Output

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Alabama
Locality Name (eg, city) []:Montgomery
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VegaStack
Organizational Unit Name (eg, section) []:Marketing
Common Name (e.g. server FQDN or YOUR name) []:vegastack.com
Email Address []:[email protected]

4) The certificate and key files are created in the current directory, because the command gives the filenames without a path. Use the command below to verify that the files were created:

ls
Output

example.crt example.key

Your self-signed certificate has been successfully generated.

💡 It is always a good idea to take a backup of your newly created certificate and key to external storage.

Create a Self-Signed certificate Without Prompt

If you don't want any prompt while generating a self-signed SSL certificate, then you can use the following command:

openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 365 \
            -nodes \
            -out example.crt \
            -keyout example.key \
            -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/CN=www.example.com"

Output


Generating a RSA private key
......................................................................++++
........++++
writing new private key to 'example.key'
-----

The fields specified in the -subj line are as follows:

  • C=: The two-letter ISO abbreviation for the country name.
  • ST=: State or Province name.
  • L=: The name of the city where you are located.
  • O=: Full name of your organization.
  • OU=: Organizational unit.
  • CN=: Fully qualified domain name.
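
The following is an added example, not part of the original tutorial: it wraps the no-prompt command above in a function that also sets a subjectAltName (current browsers match the host name against that extension rather than the CN), then checks the resulting files. The function names, the host name and the 30-day expiry threshold are assumptions chosen for illustration; -addext and -ext require OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: helper names, host name and paths are constructed for illustration.

# Create key + self-signed certificate without prompts, with a subjectAltName.
# Browsers match the host name against the SAN, not the CN. -addext: OpenSSL 1.1.1+.
make_cert() {   # usage: make_cert DIR HOSTNAME [BITS] [DAYS]
    ( umask 077  # -nodes writes the key unencrypted, so keep it owner-only
      openssl req -newkey "rsa:${3:-4096}" -x509 -sha256 -days "${4:-365}" -nodes \
          -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
          -out "$1/example.crt" -keyout "$1/example.key" )
}

# SHA-256 of the DER-encoded public key, taken from the certificate / from the key.
cert_pubkey_sha256() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}
key_pubkey_sha256() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

check_cert() {  # usage: check_cert CRT KEY HOSTNAME; returns 0 only if every check passes
    crt=$1; key=$2; host=$3
    # 1. The private key belongs to this certificate.
    [ "$(cert_pubkey_sha256 "$crt")" = "$(key_pubkey_sha256 "$key")" ] ||
        { echo "FAIL: key does not match certificate"; return 1; }
    # 2. Self-signed: issuer equals subject and the signature verifies against itself.
    [ "$(openssl x509 -in "$crt" -noout -subject_hash)" = \
      "$(openssl x509 -in "$crt" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: not self-signed"; return 1; }
    # 3. The host name appears as a DNS entry in the subjectAltName extension.
    openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null |
        tr -d ' ' | tr ',' '\n' | grep -qFx "DNS:$host" ||
        { echo "FAIL: $host missing from subjectAltName"; return 1; }
    # 4. Not expired and not expiring within 30 days.
    openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null ||
        { echo "FAIL: expires within 30 days"; return 1; }
    # 5. Key file has no group/other permission bits.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is readable by group or others"; return 1; }
    echo "OK: $crt"
}
```

After sourcing the file, run make_cert . www.example.com followed by check_cert example.crt example.key www.example.com.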

FAQs to Create Self-Signed SSL Certificate

Why would I want to use a self-signed SSL certificate? 

Self-signed SSL certificates are primarily used for testing, development, or creating a secure connection within an isolated network where public trust is not required.

Is a self-signed SSL certificate as secure as one issued by a trusted CA? 

No, self-signed certificates do not have the same level of trust as those issued by trusted CAs. They may trigger security warnings in web browsers, as they lack validation from a trusted third-party.

Can I use a self-signed SSL certificate for my public website? 

While it is technically possible, it is not recommended to use a self-signed certificate for public websites. Visitors will see security warnings, potentially leading them to distrust your site.

How long is a self-signed SSL certificate valid? 

The validity period of a self-signed certificate is determined by the issuer. By default, they are often set to one year, but you can customize the expiration date during the creation process.

Do I have to pay for a self-signed SSL certificate?

No, you do not have to pay for a self-signed SSL certificate. They can be generated for free using tools like OpenSSL or other certificate generation utilities.

Can I use a self-signed SSL certificate in a production environment? 

Using a self-signed certificate in a production environment is not recommended. It is best to obtain a certificate from a trusted CA to ensure proper security and user trust.

Can I install a self-signed SSL certificate on any platform or web server? 

Yes, self-signed certificates can be installed on any platform or web server that supports SSL/TLS. The installation process may vary depending on the server software being used.

Conclusion

We hope this detailed guide helped you understand how to create a Self-Signed SSL Certificate.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them.
