This article will demonstrate how to use OpenSSL to create a self signed certificate.
First things first. What is a self signed certificate? A self signed certificate is exactly what it sounds like. The private key of the key pair signs its own SSL certificate. It is not signed by a CA (Certification Authority) and therefore is not publicly trusted and has a certificate path of size 1. Self signed certificates are useful in internal networks and in testing, but are not advantageous in a public environment.
You may have found this article for a number of different use cases. OpenSSL does support creating self signed certificates, so let us continue on with how to create a self signed certificate with OpenSSL.
OpenSSL create self signed certificate and key
This section will demonstrate how to use OpenSSL to make a self signed certificate. To create the self signed certificate, use the following command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 365 -subj="/CN=Test"
Here is a breakdown of the command:
-x509 Output a self signed X.509 certificate instead of a certificate signing request
-newkey rsa:2048 Generate a new RSA key pair with a 2048-bit key
-keyout key.pem Write the private key to the file key.pem
-out cert.pem Write the self signed certificate, which contains the public key, to the file cert.pem
-sha256 Use SHA-256 as the digest when signing the certificate
-days 365 The validity period of the self signed certificate in days
-subj="/CN=Test" The subject DN (distinguished name) of the certificate
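Because this command does not include -nodes, OpenSSL prompts for a passphrase and uses it to encrypt the private key in key.pem. If you do not provide a passphrase you will see the following error: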
139644670686528:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:905:You must type in 4 to 1024 characters
139644670686528:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:545:while reading strings
139644670686528:error:0906406D:PEM routines:PEM_def_callback:problems getting password:../crypto/pem/pem_lib.c:59:
139644670686528:error:0907E06F:PEM routines:do_pk8pkey:read key:../crypto/pem/pem_pk8.c:83:
After running the command and providing a passphrase you can output your self signed certificate with cat cert.pem and copy and paste the PEM encoded cert into our Certificate Decoder.
OpenSSL self signed certificate SAN
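In some cases you may need to add Subject Alternative Names (SAN) to a self signed certificate. You can do so with the -addext option, which is available in OpenSSL 1.1.1 and later. Run the following command to create a self signed certificate with a SAN. Note that this command also passes -nodes, so the private key is written to key.pem unencrypted and no passphrase prompt appears.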
openssl req -x509 -subj /C=US/CN=example.com -addext subjectAltName=DNS:example.com,DNS:www.example.com -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
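The script below is an added example, not part of the original article: it runs the SAN command above in a temporary directory and checks the properties the article describes (issuer equals subject, SAN entries present, certificate matches the key, certificate is its own trust anchor, key left unencrypted by -nodes). The function names and the temporary work directory are assumptions of this example; it needs OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not from the article. WORKDIR and the function names are
# assumptions; the openssl req command is the article's SAN command.
WORKDIR=$(mktemp -d)
CERT="$WORKDIR/cert.pem"
KEY="$WORKDIR/key.pem"
trap 'rm -rf "$WORKDIR"' EXIT

# -nodes writes the key unencrypted, so create it under a restrictive umask.
generate_cert() {
    ( umask 077
      openssl req -x509 -subj /C=US/CN=example.com \
          -addext subjectAltName=DNS:example.com,DNS:www.example.com \
          -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
          -days 365 2>/dev/null )
}

# Self signed: issuer and subject are the same name.
is_self_issued() {
    subject=$(openssl x509 -in "$CERT" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$CERT" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Exact match of one DNS entry in the subjectAltName extension.
has_san() {
    openssl x509 -in "$CERT" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$1"
}

# The certificate must carry the public half of key.pem.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$CERT" -noout -pubkey)
    key_pub=$(openssl pkey -in "$KEY" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Path of size 1: the certificate acts as its own trust anchor.
verifies_as_own_anchor() { openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1; }
# With -nodes the PEM header is not the ENCRYPTED variant.
key_is_encrypted() { grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$KEY"; }

generate_cert || echo "certificate generation failed"
for check in is_self_issued "has_san www.example.com" key_matches_cert \
             verifies_as_own_anchor key_is_encrypted; do
    if $check; then echo "$check: yes"; else echo "$check: no"; fi
done
```

Every check should print yes except key_is_encrypted, which prints no because -nodes skips encryption; dropping -nodes makes OpenSSL prompt for a passphrase and flips that result.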
In conclusion, this article has demonstrated how to create a self signed certificate using OpenSSL. It can be completed with one line and a passphrase. If you have any questions or would like to see more detailed examples of generating the self signed certificate then let us know in the comments.