Mister PKI

SSL Certificates * SSL Tools * Certificate Decoder

by Leave a Comment

Top online courses in IT & Software

This article will demonstrate how to use OpenSSL to create a self signed certificate.

First things first. What is a self signed certificate? A self signed certificate is exactly what it sounds like. The private key of the key pair signs its own SSL certificate. It is not signed by a CA (Certification Authority) and therefore is not publicly trusted and has a certificate path of size 1. Self signed certificates are useful in internal networks and in testing, but are not advantageous in a public environment.

You may have found this article for a number of different use cases. OpenSSL does support creating self signed certificates, so let us continue on with how to create a self signed certificate with OpenSSL.

OpenSSL create self signed certificate and key

This section will demonstrate how to use OpenSSL to make a self signed certificate. To create the self signed certificate, use the req command.

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 365 -subj="/CN=Test"

Here is a breakdown of the command:

-x509 Create an X.509 certificate

-newkey rsa:2048 The key pair should have an RSA key size of 2048

-keyout key.pem Output the private key in the file named key.pem

-out cert.pem Output the self signed certificate containing the public key into the file cert.pem

-sha256 Sign the certificate with the SHA256 algorithm

-days 365 The validity period of the self signed certificate in days

-subj="/CN=Test" The subject dn of the certificate

If you do not provide a passphrase you will see the following error:

139644670686528:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:905:You must type in 4 to 1024 characters
139644670686528:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:545:while reading strings
139644670686528:error:0906406D:PEM routines:PEM_def_callback:problems getting password:../crypto/pem/pem_lib.c:59:
139644670686528:error:0907E06F:PEM routines:do_pk8pkey:read key:../crypto/pem/pem_pk8.c:83:

After running the command and providing a passphrase you can output your self signed certificate with cat cert.pem and copy and paste the PEM encoded cert into our Certificate Decoder.

openssl self signed certificate san

In some cases you may need to add Subject Alternative Names (SAN) to a self signed certificate. You can do so with the -addext option. Run the following command to create a self signed certificate with a san.

openssl req -x509 -subj /C=US/CN=example.com -addext subjectAltName=DNS:example.com,DNS:www.example.com -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365

Conclusion

In conclusion, this article has demonstrated how to create a self signed certificate using OpenSSL. It can be completed with one line and a passphrase. If you have any questions or would like to see more detailed examples of generating the self signed certificate then let us know in the comments.

For more examples on generating self signed certificates:

Python self signed certificate

Java self signed certificate

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *