Self Signed SSL Certificates
Self signed SSL certificates can be generated using OpenSSL.
Generate a new private key. The output will be a Privacy-Enhanced Mail (PEM) format.
## Generate a new private key # openssl genrsa -out server.key 4096
Certificate Signing Request
Generate the certificate signing request.
# openssl req -new -sha256 \ -key server.key \ -subj "/C=CA/ST=Alberta/O=Steamr/CN=steamr.com" \ -reqexts SAN \ -extensions SAN \ -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:x.steamr.com,DNS:y.steamr.com")) \ -out server.csr
-subj value contains:
|C||Country - The 2 letter International Standards Organization ISO abbreviation for your country||CA|
|ST||State - The state or province of your organization||Alberta|
|O||Organization - The legal name of the organization||Steamr Corp.|
|CN||Common Name - The fully qualified domain name for the certificate||steamr.com|
[SAN] section passed in through the
-config flag is used to define any SANs the certificate should have and can be removed if unneeded.
You can verify your CSR using:
# openssl req -noout -text -in server.csr
After you have verified your CSR, you can either continue to self sign with the next step, or submit it to a CA to purchase a SSL certificate.
Sign your certificate signing request.
# openssl x509 \ -req \ -days 730 \ -extfile <(printf "subjectAltName=DNS:x.steamr.com,DNS:y.steamr.com") \ -signkey server.key \ -in server.csr \ -out server.crt
-days value defines the number of days the certificate will be valid for from the time of signing. If not given, a default of 30 days will be used.
Any SANs will also need to be passed through using the
You can verify the signed certificate by running:
# openssl x509 -noout -text -in server.crt
If the certificate has expired, you can 'renew' it by first regenerating a certificate signing request (CSR):
# openssl x509 -x509toreq -in expired_certificate.crt -out new_csr.csr -signkey domain_private.key
Then signing the CSR with the private key to produce a new certificate:
# openssl x509 -req -days 3650 -in new_csr.csr -signkey domain_private.key -out new_certificate.crt
Replace the expired certificate with the new certificate and reload any services that are using the certificate for it to be applied.
Trusting Your Self Signed SSL Certificates
The key and certificate generated with the steps above will not be signed by a trusted certificate authority and therefore cannot be verified by your browser, resulting in a security warning. To get around this, you can add your certificate directly into your browser or operating system's list of trusted certificate authorities.