What is a self-signed certificate?
Self-signed certificates are SSL/TLS certificates that you generate and sign yourself, rather than having them signed by a Certification Authority (CA). Self-signed certificates should not be used on a publicly facing web application, but for local testing purposes they do the trick.
Why can I not use a certificate issued by a CA?
You can. If your development server has a registered name in DNS and you can complete Domain Validation (DV) with a CA, then this route is perfectly acceptable. You can either purchase an SSL/TLS certificate from a CA or get one from Let’s Encrypt for free.
If those two questions confuse you, you may be asking:
What the heck is a digital certificate to begin with?
A digital certificate is a credential that contains your public key. It is given to a client, which uses that public key to encrypt data sent to your server; you then decrypt that data with your corresponding private key. In addition to your public key, a digital certificate contains other attributes such as a validity period, an expiration date, etc., which we will not get into for the purposes of this article.
How do I generate self-signed SSL/TLS certificates?
Using OpenSSL on Linux, run the following command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj '/CN=localhost' -nodes
Let me break down what this means:
openssl – the OpenSSL cryptography toolkit
req -x509 – the certificate request subcommand; with -x509 it produces a self-signed X.509 certificate rather than a certificate signing request
-newkey rsa:4096 – creates a new 4096-bit RSA private key at the same time
-keyout key.pem – the file that will contain your private key
-out cert.pem – the file that will contain your self-signed certificate
-days 365 – the validity period of your self-signed certificate, in days
-subj '/CN=localhost' – the subject DN of your certificate. If you are running a local development environment this isn’t overly important, but it can save you the annoyance of browser warnings. If you’re not using localhost, put the fully qualified domain name (FQDN) here in place of localhost.
-nodes – no encryption (no passphrase) on the private key. This is fine for a local development environment.
Hopefully, this helps get you started with using SSL/TLS. Please leave a comment if you would like more explanation, or if you are interested in a detailed description of how to install certificates on your web server (for example Apache, Tomcat or Jetty).