Self-signed SSL certificates can be generated using OpenSSL.


Private Key

Generate a new private key. The output will be in Privacy-Enhanced Mail (PEM) format.

## Generate a new private key
# openssl genrsa -out server.key 4096

Certificate Signing Request

Generate the certificate signing request.

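## example.com and www.example.com are placeholder SANs; substitute your own hostnames
# openssl req -new -sha256 \
        -key server.key \
        -subj "/C=CA/ST=Alberta/O=Steamr/" \
        -reqexts SAN \
        -extensions SAN \
        -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) \
        -out server.csr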

The -subj value contains:

Field  Description                                                                                                      Example
C      Country - The 2-letter International Standards Organization (ISO) abbreviation for your country                 CA
ST     State - The state or province of your organization                                                              Alberta
O      Organization - The legal name of the organization                                                               Steamr Corp.
CN     Common Name - The fully qualified domain name for the certificate

Additionally, the [SAN] section passed in through the -config flag is used to define any SANs the certificate should have and can be removed if unneeded.

You can verify your CSR using:

# openssl req -noout -text -in server.csr

After you have verified your CSR, you can either continue to self-sign with the next step, or submit it to a CA to purchase an SSL certificate.


Sign your certificate signing request.

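## example.com and www.example.com are placeholder SANs; use the same names as in the CSR
# openssl x509 \
        -req \
        -days 730 \
        -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") \
        -signkey server.key \
        -in server.csr \
        -out server.crt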

The -days value defines the number of days the certificate will be valid for from the time of signing. If not given, a default of 30 days will be used.

Any SANs will also need to be passed through using the -extfile flag.

You can verify the signed certificate by running:

# openssl x509 -noout -text -in server.crt
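The -extfile requirement above is easy to miss, because signing succeeds either way and the certificate simply ends up without SANs. The following script is an added example, not part of the original page: it signs the same CSR with and without -extfile and checks the result. The hostname, file names, function names and the minimal request config (used instead of /etc/ssl/openssl.cnf) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: function names, file names and hostnames are assumptions.
set -eu

# Print the DNS names in a certificate's subjectAltName extension, one per line.
cert_sans() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tail -n +2 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if certificate $1 lists hostname $2 as a SAN.
cert_has_san() {
    cert_sans "$1" | grep -qxF "$2"
}

# Create key, CSR and two self-signed certificates in directory $1 for
# hostname $2 (optional $3 = RSA key size, default 4096 as on this page):
#   with-san.crt  signed with -extfile
#   no-san.crt    signed without -extfile
make_certs() {
    out=$1 host=$2 bits=${3:-4096}
    # Extension file handed to "openssl x509 -extfile"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$out/san.ext"
    # Minimal request config carrying the [SAN] section for the CSR
    printf '[req]\ndistinguished_name=req\n[SAN]\nsubjectAltName=DNS:%s\n' \
        "$host" > "$out/req.cnf"
    openssl genrsa -out "$out/server.key" "$bits" 2>/dev/null
    openssl req -new -sha256 -key "$out/server.key" \
        -subj "/C=CA/ST=Alberta/O=Steamr/CN=$host" \
        -reqexts SAN -config "$out/req.cnf" -out "$out/server.csr"
    # SAN is carried into the certificate only when -extfile is given
    openssl x509 -req -days 730 -extfile "$out/san.ext" \
        -signkey "$out/server.key" -in "$out/server.csr" \
        -out "$out/with-san.crt" 2>/dev/null
    # Same CSR, no -extfile: the SAN requested in the CSR is not copied
    openssl x509 -req -days 730 \
        -signkey "$out/server.key" -in "$out/server.csr" \
        -out "$out/no-san.crt" 2>/dev/null
}
```

Run `make_certs /some/dir host.example` and then `cert_has_san /some/dir/with-san.crt host.example` before deploying; the same check against no-san.crt fails.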


If the certificate has expired, you can 'renew' it by first regenerating a certificate signing request (CSR):

# openssl x509 -x509toreq -in expired_certificate.crt -out new_csr.csr -signkey domain_private.key

Then signing the CSR with the private key to produce a new certificate:

# openssl x509 -req -days 3650 -in new_csr.csr -signkey domain_private.key -out new_certificate.crt

Replace the expired certificate with the new certificate and reload any services that are using the certificate for it to be applied.

Trusting Your Self Signed SSL Certificates

The key and certificate generated with the steps above will not be signed by a trusted certificate authority and therefore cannot be verified by your browser, resulting in a security warning. To get around this, you can add your certificate directly into your browser or operating system's list of trusted certificate authorities.
