Mister PKI

SSL/TLS Certificates – Getting Started

January 30, 2019 by Mister PKI

What is a self-signed certificate?

Self-signed certificates are SSL/TLS certificates that you generate and sign yourself with your own private key, rather than having a Certification Authority (CA) sign them. Because no CA vouches for them, browsers and other TLS clients do not trust them by default and will warn or refuse to connect. They should never be used on a publicly facing web application, but for local testing, where you control the client and can explicitly trust (or pin) the one certificate you generated, they do the trick.

Why can I not use a certificate issued by a CA?

You can. If your development server has a registered name in public DNS and you can complete Domain Validation (DV) with a CA, that route is perfectly acceptable. You can either purchase an SSL/TLS certificate from a CA or get one from Let’s Encrypt for free. Note that public CAs only issue certificates for names they can validate, so a certificate for localhost or for a host on a private network has to be self-signed or issued by your own internal CA.

If those two questions confuse you, you may be asking:

What the heck is a digital certificate to begin with?

A digital certificate is a credential that binds your public key to an identity (the subject, normally your server’s hostname) and carries the signature of whoever issued it: a CA, or, for a self-signed certificate, your own key. A TLS client uses the certificate to authenticate your server and to set up an encrypted session; only the holder of the corresponding private key can complete the handshake, which is why the private key must stay on the server and never be shared. In addition to the public key, a certificate contains other attributes such as the subject and issuer names, a validity period (not-before and not-after dates), the Subject Alternative Names it is valid for, and key usage restrictions, which we will not get into for the purposes of this article.

How do I generate self-signed SSL/TLS certificates?

Using openssl on Linux, use the following command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj '/CN=localhost' -nodes

Let me break down what this means:
openssl – the OpenSSL cryptography toolkit
req -x509 – produce a self-signed X.509 certificate directly, instead of a certificate signing request (CSR) to send to a CA
-newkey rsa:4096 – generate a new 4096-bit RSA private key at the same time as the certificate
-keyout – the file that will contain your private key
-out – the file that will contain your self-signed certificate
-days 365 – the validity period of your self-signed certificate in days; after that the certificate expires and you have to generate a new one
-subj '/CN=localhost' – the subject Distinguished Name of your certificate. If you are not using localhost, put the fully qualified domain name (FQDN) of the server here instead. Be aware that modern browsers (Chrome since version 58, and Firefox) ignore the CN when matching the hostname and only look at the Subject Alternative Name (SAN) extension, which this command does not add. So you will still get a browser warning for the name unless you also add a SAN (with the -addext option on OpenSSL 1.1.1 or newer, or through a config file) and then trust the certificate in your browser or OS.
-nodes – do not encrypt the private key with a passphrase. This is fine for a local development environment, where the key protects nothing of value, but key.pem is still a secret: anyone who obtains it can impersonate your server, so restrict its file permissions to the account that runs the server, and never commit it to source control.
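As an added example (not part of the original post), here is a small POSIX shell script that builds on the command above. It generates the key and certificate through an OpenSSL config file so that the certificate carries a subjectAltName, which is what current browsers actually match the hostname against, and then runs the checks a practitioner would want before trusting the result: that the SAN names the host, that key.pem really matches cert.pem, that the certificate verifies when it is explicitly trusted, and that it does not verify against the system trust store alone. The function names, the req.cnf file name, the output directory and the 2048-bit key size (the command above uses 4096) are this example’s own choices; it only requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post: generate a self-signed certificate
# with a subjectAltName and check it. Requires the openssl CLI (1.0.2 or newer).
set -eu

# make_self_signed DIR HOST
# Writes DIR/key.pem (unencrypted private key) and DIR/cert.pem.
# A config file is used instead of -subj/-addext so it also works on
# OpenSSL versions that predate -addext.
make_self_signed() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  cat > "$dir/req.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_self_signed

[dn]
CN = $host

[v3_self_signed]
# SAN is what Chrome/Firefox check; the CN alone is ignored.
subjectAltName   = DNS:$host, IP:127.0.0.1
# End-entity certificate: it must not be usable to issue other certificates.
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # 2048 bits here for speed; the post uses rsa:4096, either is fine for dev.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$dir/req.cnf" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# check_self_signed DIR HOST
# Returns 0 only if the SAN names HOST, the private key matches the
# certificate, and the certificate verifies for HOST when it is used as
# its own trust anchor (which is how you would trust it in a dev setup).
check_self_signed() {
  dir="$1"; host="$2"
  # 1. The SAN must contain the hostname browsers will connect to.
  openssl x509 -in "$dir/cert.pem" -noout -text | grep -q "DNS:$host" || return 1
  # 2. The public key in the certificate must be derived from key.pem.
  [ "$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)" ] || return 1
  # 3. Trust the certificate explicitly and verify it for this hostname.
  openssl verify -CAfile "$dir/cert.pem" -verify_hostname "$host" \
    "$dir/cert.pem" >/dev/null 2>&1
}

# trusted_by_default DIR
# Returns 0 if the certificate verifies against the system trust store with
# no extra trust anchor. For a self-signed certificate this fails: that is
# the browser warning, and the reason it must never face the public internet.
trusted_by_default() {
  openssl verify "$1/cert.pem" >/dev/null 2>&1
}

# Stand-alone usage: sh self_signed.sh ./dev-certs localhost
if [ "$#" -ge 2 ]; then
  make_self_signed "$1" "$2"
  check_self_signed "$1" "$2" && echo "cert.pem verifies for $2 when explicitly trusted"
  trusted_by_default "$1" || echo "cert.pem is NOT trusted by default (expected for self-signed)"
fi
```

The third check is the one that matters operationally: `openssl verify -CAfile cert.pem cert.pem` succeeds only because the certificate is passed as its own trust anchor, which is exactly what you do when you add it to your browser or OS trust store for development; the plain `openssl verify cert.pem` in trusted_by_default fails for the same certificate, just as a browser without that manual step would.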

Hopefully, this helps get you started with SSL/TLS. Please leave a comment if you would like more explanation, or if you are interested in a detailed description of how to install certificates on a web server such as Apache, Tomcat or Jetty.
