OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.
In this article, we’ll learn how to create a self-signed certificate with OpenSSL.
```shell
$ openssl req \
    -newkey rsa:2048 -nodes -keyout domain.key \
    -x509 -days 365 -out domain.crt
Generating a RSA private key
.............................+++++
..................................................+++++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Seattle
Locality Name (eg, city) : Washington
Organization Name (eg, company) [CloudoLife Ltd]:
Organizational Unit Name (eg, section) : CloudoLife
Common Name (e.g. server FQDN or YOUR name) : cloudolife.com
Email Address : [email protected]
```
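This generates the certificate domain.crt, which contains the public key, and the private key domain.key. Because of the -nodes option, domain.key is written to disk without passphrase protection.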
```shell
$ tree .
.
├── domain.crt
└── domain.key
```
We can view the contents of the certificate in plain text with:

```shell
$ openssl x509 \
    -text -noout \
    -in domain.crt
```
(Step by Step) Create SelfSigned Domain Certificate by CA
Creating a Private Key
First, we’ll create a private key. A private key helps to enable encryption and is the most important component of our certificate.
Let’s create a password-protected, 2048-bit RSA private key (domain.key) with the openssl command:
```shell
$ openssl genrsa -des3 -out domain.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
.........+++++
e is 65537 (0x010001)
Enter pass phrase for domain.key:
Verifying - Enter pass phrase for domain.key:
```
If we want our private key unencrypted, we can simply remove the -des3 option from the command.
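As an added example (not part of the original article), the POSIX shell helpers below check the files produced by the commands above: whether domain.key is passphrase-protected (the -nodes and -des3 choice discussed here), whether its permissions exclude group and others, and whether it actually belongs to domain.crt. The function names and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are
# hypothetical; domain.crt / domain.key are the article's file names.

# 0 if the PEM key is passphrase-protected. Traditional PEM marks this with
# "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses an "ENCRYPTED PRIVATE KEY" header.
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# 0 if group and others have no permission bits on the key file.
key_perms_tight() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the certificate's public key is the one derived from the private key,
# 1 if they differ, 2 if either file cannot be read.
# $3: optional -passin source (e.g. file:/path/to/pass) for an encrypted key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout ${3:+-passin "$3"} 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check_pair.sh domain.crt domain.key [passin-source]
if [ "$#" -ge 2 ]; then
    key_is_encrypted "$2" && echo "key: passphrase-protected" \
                          || echo "key: UNENCRYPTED on disk"
    key_perms_tight "$2"  && echo "perms: owner-only" \
                          || echo "perms: readable by group/others, run chmod 600"
    if cert_matches_key "$1" "$2" "${3:-}"; then
        echo "pair: certificate and key match"
    else
        echo "pair: mismatch or unreadable file"
    fi
fi
```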