howtos:generate_a_self-signed_certificate_from_scratch

If you know that you only want a self-signed certificate (not one signed by a Certificate Authority (CA)), you can generate a self-signed certificate without first having to generate a Certificate Signing Request (CSR).

A self-signed certificate does not give the security guarantees provided by a certificate signed by a commercial CA. But it will allow you to provide a secure https connection to your web site. Clients will see a warning message stating that your site's identity cannot be verified and thus is not a “trusted site”.

Clients have the option of accepting the certificate for the session, after which all subsequent https connections with the site will be secure. Here is a typical openssl command and the resulting interactive session when generating a self-signed certificate:

openssl req -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem
Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to 'hostkey.pem'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Illinois
Locality Name (eg, city) []:Urbana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NCSA
Organizational Unit Name (eg, section) []:Security Research Division
Common Name (eg, YOUR name) []:www.ncsa.uiuc.edu
Email Address []:webmaster@ncsa.uiuc.edu

First, an explanation of the command line options:

  • -x509 - generate a self-signed certificate rather than a CSR.
  • -days 365 - make the self-signed certificate valid for one year.
  • -newkey rsa:1024 - generate a new private key of type RSA of length 1024 bits.

If you had previously generated a private RSA key (by using the “openssl genrsa” command, for example) and would like to use it rather than generating a new key, you can use the -key FILENAME option to read in your existing key. Also, you can change the length of the key if you want. The minimum should be 512. Many people like to use 2048 for a more secure key.

  • -keyout hostkey.pem - write out the newly generated RSA private key to the file hostkey.pem. You will want to save this file since it is needed when you use the SSL certificate.
  • -nodes - an optional flag that tells openssl NOT to encrypt the private key. This is useful when your web server starts automatically, say at boot time. If your private key is encrypted, you would be required to enter a password every time your web server restarted. You could also omit this option to create an encrypted key and then later remove the encryption from the key.
  • -out hostcert.pem - write out the self-signed certificate to the file hostcert.pem.

Next, an explanation of the interactive session.

At each prompt, you will see brackets ([ ]) which may or may not contain text. That text is the default option for that prompt. If you simply hit the <ENTER> key at this point without typing any text, the text in the brackets will be used. If there is text in the brackets that you DON'T want (i.e. you want to erase the text for that prompt), type a period (.) and then hit <ENTER>. Note that you cannot have all fields be empty.

Note: Since you are creating a self-signed certificate for use by a web server, at the prompt “Common Name (eg, YOUR name) []:”, enter the fully qualified domain name (FQDN) of your web server. This will prevent a “domain name mismatch” error box from appearing when clients connect to your web site.
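The same "openssl req -x509" flow, driven non-interactively with -subj so it can be scripted, followed by the sanity checks an operator wants before installing the files. This is an added example, not part of the original howto; it assumes openssl 1.1.1 or newer on PATH, uses a 2048-bit key, and the host name www.example.test and the output paths are constructed values. It goes one step beyond the text by also adding a subjectAltName, which current browsers check in addition to the Common Name.

```shell
#!/bin/sh
# Added example: scripted self-signed certificate generation plus post-checks.
# Assumptions (constructed): openssl 1.1.1+ on PATH, host name www.example.test.

# Generate key + self-signed cert. -subj answers the DN prompts of the interactive
# session; -addext adds a subjectAltName carrying the same FQDN as the CN.
gen_selfsigned() {
  fqdn="$1" key="$2" cert="$3" days="${4:-365}"
  openssl req -x509 -days "$days" -newkey rsa:2048 -nodes \
    -keyout "$key" -out "$cert" \
    -subj "/C=US/ST=Illinois/L=Urbana/O=Example Org/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
}

# A self-signed certificate is one whose issuer DN equals its subject DN.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# The private key written by -keyout must match the public key inside the cert.
key_matches_cert() {
  kpub=$(openssl pkey -in "$1" -pubout | openssl sha256)
  cpub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$kpub" = "$cpub" ]
}

# After a client accepts the cert, it is its own trust anchor: it must verify
# against itself and must not be expired.
verifies_as_own_anchor() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# The SAN must carry the FQDN or clients still report a name mismatch.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

demo() {
  dir=$(mktemp -d)
  gen_selfsigned www.example.test "$dir/hostkey.pem" "$dir/hostcert.pem" 365
  is_self_signed "$dir/hostcert.pem" && echo "self-signed: ok"
  key_matches_cert "$dir/hostkey.pem" "$dir/hostcert.pem" && echo "key matches cert: ok"
  verifies_as_own_anchor "$dir/hostcert.pem" && echo "verifies as own anchor: ok"
  cert_has_san "$dir/hostcert.pem" www.example.test && echo "SAN present: ok"
  openssl x509 -in "$dir/hostcert.pem" -noout -dates
  rm -rf "$dir"
}
demo
```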
