How to Create a Self-Signed SSL Certificate with OpenSSL
Security through SSL certificates is vital when it comes to cybersecurity communications. Production servers need secured keys from trusted Certificate Authorities (CAs) for certification, but development and testing servers find optimal benefits through self-signed keys.
The article provides detailed instructions showing how self-signed SSL certificates from OpenSSL work to protect test developer environments in a cost-effective manner.
What is a Self-Signed Certificate?
You can sign your own certificate as a self-signed type, which operates independently from reputable Certification Authorities. The encryption capabilities of these certificates match those of the certificate authority signed certificates, yet they lack third-party verification, which would establish trust between browsers and clients.
Where You Should Use Self-Signed Certificates
Self-signed certificates are ideal for:
Development environments
Internal applications
Testing SSL configurations
Personal projects
Learning environments
They should generally not be used for production websites accessible to the public, as they trigger security warnings in browsers.
Prerequisites
Before we begin, make sure you are completing the prerequisites list
OpenSSL installed on your system
Basic knowledge of terminal/command line operations
Administrative privileges on your machine
Step by Step Guide to Creating a Self-Signed Certificate
1. Generate a Private Key
The first step in creating a self-signed certificate is generating a private key. This key is crucial for encryption and should be kept secure.
openssl genrsa -out private.key 2048
This command creates a 2048-bit RSA private key named private.key. The 2048-bit length offers a good balance between security and performance for most applications.
2. Create a Certificate Signing Request (CSR)
Next, we'll create a Certificate Signing Request that contains your details:
openssl req -new -key private.key -out request.csr
When you run this command, OpenSSL will prompt you for information:
Country Name (2 letter code)
State or Province Name
Locality Name (city)
Organization Name
Organizational Unit Name
Common Name (domain name) - this is critical and should match your server's domain
Email Address
Optional attributes (challenge password and optional company name)
The Common Name is particularly important as it should match the domain name users will enter in their browser.
3. Generate the Self-Signed Certificate
Now, create the self-signed certificate using the private key and CSR:
openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt
This command creates a certificate (certificate.crt) valid for 365 days. Adjust the validity period according to your needs.
4. All-in-One Command (Optional)
If you prefer, you can generate both the private key and certificate in a single command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt
The -nodes parameter ensures the private key isn't encrypted with a passphrase, which is useful for server applications that need to read the key without user intervention.
Creating Certificates with Subject Alternative Names (SANs)
Modern browsers increasingly require SANs for proper certificate validation. To create a certificate with SANs:
Create an OpenSSL configuration file (e.g., san.cnf) with the following content:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = Your State
L = Your City
O = Your Organization
CN = yourdomain.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = yourdomain.com
DNS.2 = www.yourdomain.com
DNS.3 = localhost
IP.1 = 127.0.0.1
Generate the certificate using this configuration:
openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt -config san.cnf
Implementing Your Self-Signed Certificate
After creating your certificate and private key, you'll need to configure your web server to use them:
For Apache:
<VirtualHost *:443>
ServerName yourdomain.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/private.key
</VirtualHost>
For Nginx:
server {
listen 443 ssl;
server_name yourdomain.com;
ssl_certificate /path/to/certificate.crt;
ssl_certificate_key /path/to/private.key;
# Additional SSL parameters
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
root /var/www/html;
index index.html;
}
}
Troubleshooting Common SSL Issues
Browser Security Warnings
Self-signed certificates will trigger security warnings in browsers. To temporarily bypass these:
In Chrome: Click "Advanced" and then "Proceed to site"
In Firefox: Click "Advanced" > "Accept the Risk and Continue"
Certificate Verification
To verify your certificate details:
openssl x509 -in certificate.crt -text -noout
This command displays all certificate information, helping you confirm the correct details.
Also Read: Self-Signed Certificate vs Trusted CA Signed Certificate
Conclusion
Self-signed SSL certificates provide a practical solution for securing development environments and internal applications. While they don't offer the same level of trust as certificates from commercial CAs, they implement the same encryption protocols, ensuring data transmitted between clients and servers remains secure.
By mastering the OpenSSL commands outlined in this article, developers can quickly generate certificates tailored to their specific needs, facilitating secure development and testing without incurring the costs associated with commercial certificates.
Remember that for production environments accessible to the public, proper CA-signed certificates from providers like Let's Encrypt (which offers free certificates) are strongly recommended to avoid browser security warnings and establish trust with your users.