How to Create a Self-Signed SSL Certificate

09 Aug 2019

Getting Started

SSL is a cryptographic protocol that provides end-to-end encryption and integrity for all web requests. Apps that transmit sensitive data should enable SSL to ensure all information is transmitted securely.

To generate our own SSL certificate, we need to have openssl installed. We can first check whether it is already installed with the following command:

$ which openssl

If the command prints the path to the openssl binary, we are good to go; otherwise we need to install openssl first.

Generate Private Key and Certificate Signing Request

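Enter the following commands to generate a private key and certificate signing request. The session starts from a passphrase-protected key, server.pass.key, which must already exist: the first command removes its passphrase (x) and writes the unencrypted key to server.key.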

[grant@localhost ~]$ openssl rsa -passin pass:x -in server.pass.key -out server.key
writing RSA key
[grant@localhost ~]$ rm server.pass.key
[grant@localhost ~]$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Colorado
Locality Name (eg, city) [Default City]:Denver
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Grant
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

When openssl req prompts for a challenge password, we can just press Enter and leave it empty. Certificate authorities use this password to authenticate the certificate owner when the owner wants to revoke the certificate. Because this is a self-signed certificate, there is no way to revoke it via a CRL (Certificate Revocation List), so the challenge password is not needed here.

Generate SSL Certificate

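The self-signed SSL certificate is generated from the server.key private key and the server.csr request. The -signkey option signs the request with its own private key, which is what makes the certificate self-signed, and -days 365 makes it valid for one year.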

$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

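server.crt is the site certificate and server.key is the private key. Since server.key is stored without a passphrase, keep it readable only by the account that runs the server.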
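The three steps above as one non-interactive script, followed by checks that the resulting certificate really belongs to the key. This is an added example, not the original author's commands: it generates the key directly without a passphrase, and the function names, the CN test.example and the temporary directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The CN "test.example" and the temp directory are constructed values.

# make_self_signed DIR CN: create server.key, server.csr and server.crt without prompts.
make_self_signed() {
    # umask 077 so the unencrypted private key is never group/world readable
    ( umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) || return 1
    # -subj supplies the Distinguished Name that openssl req would otherwise ask for
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=US/ST=Colorado/L=Denver/CN=$2" || return 1
    openssl x509 -req -sha256 -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# pubkey_fp FILE KIND: SHA-256 of the public key in a key, CSR (req) or certificate (x509).
pubkey_fp() {
    case $2 in
        key)  openssl pkey -in "$1" -pubout ;;
        req)  openssl req  -in "$1" -noout -pubkey ;;
        x509) openssl x509 -in "$1" -noout -pubkey ;;
    esac | openssl sha256
}

# check_cert DIR: return 0 only if server.crt belongs to server.key, is self-issued,
# is valid for at least another day, and the key file is owner-only.
check_cert() {
    crt=$1/server.crt; key=$1/server.key
    [ "$(pubkey_fp "$key" key)" = "$(pubkey_fp "$crt" x509)" ] ||
        { echo "certificate does not match private key"; return 1; }
    subject=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] || { echo "issuer differs from subject"; return 1; }
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null ||
        { echo "certificate expires within 24 hours"; return 1; }
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \))" ] ||
        { echo "private key is readable by group or others"; return 1; }
    echo "ok: $subject"
}

# Demo run in a throwaway directory
demo_dir=$(mktemp -d)
make_self_signed "$demo_dir" test.example && check_cert "$demo_dir"
rm -rf "$demo_dir"
```

Running check_cert before deploying catches the common mistake of pairing a certificate with a regenerated key, which otherwise only shows up when the web server refuses to start.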