Skip to Content

Create SSL Certificate With OpenSSL Command

A self-signed SSL certificate is a security certificate that is not signed by a certificate authority (CA). These certificates are easy to make and do not cost money. The Self-signed SSL certificate is mainly used for non-production applications or other experiments.

Generate private key and self signed SSL certificate

Run the following OpenSSL command to generate our private key and public certificate. Answer the questions and enter the Common Name when prompted.

  • openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

More info about this command below:

  • openssl – activates the OpenSSL software
  • req – indicates that we want a CSR
  • –new –newkey – generate a new key
  • rsa:2048 – generate a 2048-bit RSA mathematical key
  • –nodes – no DES, meaning do not encrypt the private key in a PKCS#12 file
  • –keyout – indicates the domain you’re generating a key for
  • –out – specifies the name of the file our certificate will be saved as
  • -x509 Output a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA.
  • -days The number of days to make a certificate valid for. The default is 30 days.

Enter self signed SSL certificate Information

Input our information in the fields as follows:

  • Country Name – use a 2-letter country code (US for the United States)
  • State – the state in which the domain owner is incorporated
  • Locality – the city in which the domain owner is incorporated
  • Organization name – the legal entity that owns the domain
  • Organizational unit name – the name of the department or group in our organization that deals with certificates
  • Common name – typically the fully qualified domain name (FQDN), i.e. what the users type in a web browser to navigate to our website
  • Email address – the webmaster’s email address

 

Review the self signed SSL certificate

  • openssl x509 -text -noout -in certificate.pem

We will get more detailed info about this certificate as below.

  • Certificate:
  • Data:
  • Version: 1 (0x0)
  • Serial Number: 13596678379411212977 (0xbcb11af2a20a0ab1)
  • Signature Algorithm: sha256WithRSAEncryption
  • Issuer: C=CN, ST=sd, L=jn, O=jn, OU=jn, CN=jn
  • Validity
    Not Before: Aug 7 13:53:21 2021 GMT
    Not After : Aug 7 13:53:21 2022 GMT
  • Subject: C=CN, ST=sd, L=jn, O=jn, OU=jn, CN=jn
  • Subject Public Key Info:
  • Public Key Algorithm: rsaEncryption
  • Public-Key: (2048 bit)
    Modulus:

Risk of self signed SSL certificate

If the corporate network is breached, there is no way of knowing if a self-signed certificate (and it’s private key) has been compromised.Compromised self-signed certificates can pose many security challenges since attackers can spoof the identity of the victim.

Unlike CA-issued certificates, self-signed certificates cannot be revoked. The inability to quickly find and revoke private key associated with a self-signed certificate creates serious risk.