[Awesome Security] Create a self-signed certificate with OpenSSL

Posted on Edited on In , Views: Word count in article: 2.2k Reading time ≈ 2 mins.

OpenSSL

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. For more information about the team and community around the project, or to start making your own contributions, start with the community page. To get the latest news, download the source, and so on, please see the sidebar or the buttons at the top of every page.

In this article, we’ll learn how to create a self-signed certificate with OpenSSL.

Usages

(Quickly) Create SelfSigned Domain Certificate

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ openssl req \
    -newkey rsa:2048 -nodes -keyout domain.key \
    -x509 -days 365 -out domain.crt
Generating a RSA private key
.............................+++++
..................................................+++++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Seattle
Locality Name (eg, city) []: Washington
Organization Name (eg, company) [CloudoLife Ltd]:
Organizational Unit Name (eg, section) []: CloudoLife
Common Name (e.g. server FQDN or YOUR name) []: cloudolife.com
Email Address []: [email protected]

Then it generate the Certificate with Public Key domain.crt and Private Key domain.key.

1
2
3
4
$ tree .
.
├── domain.crt
└── domain.key
1
2
3
$ openssl x509 \ 
    -text -noout \
    -in domain.crt

(Step by Step) Create SelfSigned Domain Certificate by CA

Creating a Private Key

First, we’ll create a private key. A private key helps to enable encryption and is the most important component of our certificate.

Let’s create a password-protected, 2048-bit RSA private key (domain.key) with the openssl command:

1
2
3
4
5
6
7
$ openssl genrsa -des3 -out domain.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
.........+++++
e is 65537 (0x010001)
Enter pass phrase for domain.key:
Verifying - Enter pass phrase for domain.key:

If we want our private key unencrypted, we can simply remove the -des3 option from the command.

References

[1] OpenSSL Cryptography and SSL/TLS Toolkit - https://www.openssl.org/

[2] - https://www.baeldung.com/openssl-self-signed-cert