Generate Self-Signed SSL Certificate – HOWTO

This is another one for my reference. I’ve had to generate a self-signed SSL certificate quite a few times and I’m sure I’ll do it again in future. First of all, a self-signed certificate gives you the same key sizes, ciphers and encryption strength as a commercial one, such as a Verisign cert; what it does not give you is a third party vouching for the server’s identity. Until the certificate is installed in the client, anyone who can intercept the connection can present a self-signed certificate of their own and the browser warning is the only thing standing in the way, so these are for servers where you control both ends. The 2 main differences are:

1. Self-signed certificates are free
2. Self-signed certificates are not recognised by web browsers by default. They need to be installed in browsers manually in order to be accepted by them. This is a 10 second job.

So, if I am setting up a staging web server or a Subversion server on a secure domain, a self-signed certificate would be an obvious choice for me. There are a few ways you can generate your SSL certificates, but this is how I like to do it because it works for me on Mac and Linux.

Step 1: cd into my working directory

cd ~/Desktop/KeyGen

Step 2: Generate my key – a Triple-DES encrypted (passphrase-protected) RSA key. The original version of this post used 1024 bits; that is below the 2048-bit minimum current browsers and OpenSSL defaults enforce, so use 2048:

openssl genrsa -des3 -out server.key 2048

You’ll be asked to enter in a passphrase.

Step 3: Create a CSR (Certificate Signing Request)

openssl req -new -key server.key -out server.csr

You’ll be asked to enter some basic information about your organisation, such as country, name, state, email etc… Here’s a sample output:

Country Name (2 letter code) [AU]: (enter your country code here)
State or Province Name (full name) [Some-State]: (enter your state here)
Locality Name (eg, city) []: (enter your city here)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (enter something here)
Organizational Unit Name (eg, section) []: (enter something here)
Common Name (eg, YOUR name) []: (this is the important one: it must be the hostname clients will type, e.g. staging.example.com, not your own name; note that current browsers also require the hostname in a subjectAltName extension, which these prompts do not add)
Email Address []: (your e-mail address)

Step 4: Remove the passphrase from my key. Note: I want to remove it because the Apache web server will ask me to enter it every time I restart the server. Once the passphrase is gone, file permissions are the only protection the key has, so make it readable by root only (chmod 600) and keep it out of the web root. If you want to keep the passphrase, skip this step.

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

Step 5: Create a self-signed certificate using the key I just created. Note: “-days 365” will make the certificate valid for 1 year. You can easily make it valid for 10 years if you like. I’m sure you can figure out how to do that!

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

That’s it. Now all you need to do is make it work with Apache by enabling mod_ssl and adding the following in your virtual host:

SSLEngine On
SSLCertificateFile 'full_path'/server.crt
SSLCertificateKeyFile 'full_path'/server.key
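The five steps above as one non-interactive script, with the parameters a current toolchain expects (2048-bit RSA, SHA-256, a subjectAltName entry) and a check that the key and certificate actually belong together. This is an added example, not code from the original post; the hostname staging.example.test, the subject fields, the output directory and the function names are assumptions for illustration. The key is written without a passphrase from the start, which takes the place of step 4.

```shell
#!/bin/sh
# Added example: steps 1-5 of the post as a single script.
# Assumptions (not from the original post): hostname staging.example.test,
# the subject fields in -subj, and the function names below.
set -eu

# gen_selfsigned DIR HOSTNAME [DAYS]
# Writes DIR/server.key (no passphrase, mode 0600), DIR/server.csr and
# DIR/server.crt, all non-interactively.
gen_selfsigned() {
    dir=$1
    host=$2
    days=${3:-365}
    mkdir -p "$dir"
    umask 077   # the unencrypted key must not be readable by other users

    # Step 2: 2048-bit RSA key. 1024 bits is rejected by current browsers.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null

    # Step 3: CSR with the subject on the command line instead of prompts.
    # The CN is the hostname clients connect to; browsers ignore it and
    # read the SAN, which is added in step 5.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=AU/ST=NSW/L=Sydney/O=Example Staging/CN=$host"

    # Extension file carrying the subjectAltName (assumed filename).
    ext="$dir/san.ext"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$ext"

    # Step 5: self-sign with SHA-256; older OpenSSL releases default to SHA-1.
    openssl x509 -req -days "$days" -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$ext" -out "$dir/server.crt" 2>/dev/null
    rm -f "$ext"
}

# key_matches_cert DIR: prints "match" when the RSA modulus in server.crt is
# the one from server.key. Catches a stale cert paired with a regenerated key,
# which Apache reports only as a failure at start-up.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key")
    c=$(openssl x509 -noout -modulus -in "$1/server.crt")
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# cert_san DIR: prints the subjectAltName line from server.crt so you can
# confirm the hostname a browser will check is actually present.
cert_san() {
    openssl x509 -noout -text -in "$1/server.crt" \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | sed 's/^ *//'
}

# cert_subject DIR: prints the certificate subject (for checking the CN).
cert_subject() {
    openssl x509 -noout -subject -in "$1/server.crt"
}

# Usage: sh this_script.sh OUTPUT_DIR [HOSTNAME]
if [ "$#" -ge 1 ]; then
    gen_selfsigned "$1" "${2:-staging.example.test}"
    echo "key/cert: $(key_matches_cert "$1")"
    echo "SAN:      $(cert_san "$1")"
    cert_subject "$1"
fi
```

After running it, point SSLCertificateFile and SSLCertificateKeyFile at the generated server.crt and server.key as in the virtual host above; the "match" line is the check worth repeating whenever either file is regenerated.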
  • Jorge Arias

    Hi, is there a way to generate client certs via script.

    • http://www.markomedia.com.au Marko Tomic

      Hey Jorge,

      You certainly can. I never got into the guts of it, but I’d suggest taking a look at -clcerts argument in OpenSSL documentation. Here is the link: http://www.openssl.org/docs/apps/pkcs12.html

      Let me know how it goes.

      Cheers
      Marko