How to generate a self-signed SSL certificate using Open SSL?

Self-signed certificates are considered insecure for internet use. Browsers like Firefox will treat sites with such certificates as having invalid certificates, while Chrome will behave as if the connection is plain HTTP.

To create a self-signed certificate, you can use the following command:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

This command generates a new RSA private key (key.pem) and a self-signed certificate (cert.pem) valid for 365 days. It uses the SHA-256 hashing algorithm for security.

For non-interactive generation with a 10-year expiration, you can use:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"

In this command, replace the placeholders (XX, StateName, CityName, CompanyName, CompanySectionName, CommonNameOrHostname) with your actual information. The -nodes option is used to generate the key without encryption, making it easier to use in automated environments.

Please note that self-signed certificates are not validated by any third party unless you import them into the browsers beforehand. For more secure connections, it’s recommended to use certificates signed by a certificate authority (CA).

Here is a simplified version of the process to create a self-signed certificate without a passphrase and using SHA-256 for improved security:

  1. Generate a private key (without passphrase):

    openssl genrsa -out server.key 2048
    
  2. Remove the passphrase from the private key:

    openssl rsa -in server.key -out server.key
    
  3. Generate a certificate signing request (CSR) with SHA-256 and specify the domain (e.g., localhost):

    openssl req -sha256 -new -key server.key -out server.csr -subj '/CN=localhost'
    
  4. Create a self-signed certificate using the CSR and private key:

    openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
    
  5. Combine the certificate and private key into a .pem file:

    cat server.crt server.key > cert.pem
    

Replace ‘localhost’ with your desired domain. Running the first two commands separately is necessary as OpenSSL will prompt for a passphrase during the key generation step.
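As an added example (not code from the answer above), the non-interactive one-shot form with the checks a practitioner runs on the result: that the certificate's public key matches the private key, that the self-signature verifies when the certificate is its own trust anchor, that a subjectAltName is present (browsers match the host against the SAN rather than the CN), and the SHA-256 fingerprint to compare before importing it anywhere. It assumes OpenSSL 1.1.1 or newer on PATH (for `-addext`); the host name `localhost` and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the answer above: non-interactive self-signed
# certificate generation plus the checks worth running on the result.
# Assumes OpenSSL 1.1.1 or newer on PATH (for -addext). The host name
# "localhost" and all file names below are constructed for the demo.
set -eu

# gen_selfsigned HOST DAYS KEYFILE CERTFILE
# One-shot key and certificate: unencrypted key (-nodes), SHA-256 signature,
# and a subjectAltName, which browsers match against instead of the CN.
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$3" -out "$4" 2>/dev/null
}

# cert_matches_key CERTFILE KEYFILE
# Succeeds when the public key in the certificate is the one derived from the
# private key; a mismatch here is why a server refuses to start with the pair.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_self_verifies CERTFILE
# A self-signed certificate verifies only when it is itself the trust anchor,
# which is exactly what importing it into a browser or trust store does.
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_has_san CERTFILE HOST
# Succeeds when the certificate carries DNS:HOST in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_valid_for CERTFILE SECONDS
# Succeeds when the certificate does not expire within the window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# cert_fingerprint CERTFILE
# Prints the colon-separated SHA-256 fingerprint: the value to compare
# out of band before trusting the certificate anywhere.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

main() {
    workdir=$(mktemp -d)
    gen_selfsigned localhost 365 "$workdir/key.pem" "$workdir/cert.pem"
    cert_matches_key "$workdir/cert.pem" "$workdir/key.pem" && echo "certificate matches key"
    cert_self_verifies "$workdir/cert.pem" && echo "self-signature verifies"
    cert_has_san "$workdir/cert.pem" localhost && echo "SAN lists localhost"
    cert_valid_for "$workdir/cert.pem" 86400 && echo "valid for at least one more day"
    echo "SHA-256 fingerprint: $(cert_fingerprint "$workdir/cert.pem")"
    echo "key and certificate written to $workdir"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found on PATH" >&2; fi
```

`cert_self_verifies` passing does not mean a client will trust the certificate; it only confirms the signature is internally consistent. Anything other than the machine that imported `cert.pem` still sees an unknown issuer, which is the browser warning the answer describes.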

You have the correct general procedure. The syntax for the command is as follows:

    openssl req -new -key {private key file} -out {output file}

However, warnings are displayed because the browser cannot verify the identity by validating the certificate with a known Certificate Authority (CA).

Since this is a self-signed certificate, there is no CA, and you can safely ignore the warning and proceed. If you want to obtain a real certificate that will be recognized by anyone on the public internet, follow this procedure:

  1. Generate a private key.
  2. Use that private key to create a CSR file.
  3. Submit the CSR to a CA (such as Verisign or others).
  4. Install the received certificate from the CA on your web server.
  5. Add other certificates to the authentication chain depending on the type of certificate.
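As an added example (not code from the answer above), the five steps carried out end to end locally. A throwaway CA created in the script stands in for the real CA of step 3, so the difference between "self-signed" and "signed by a trusted CA" can be seen with `openssl verify`: the issued certificate verifies against the CA certificate it chains to and fails against an unrelated one. It also shows the two checks to run on a CSR before submitting it (its self-signature verifies and its public key matches your private key), and restates the SAN when issuing, because `openssl x509 -req` does not copy extensions from the CSR. Assumes OpenSSL 1.1.1 or newer on PATH; `localhost`, `Example Test CA` and the file names are constructed.

```shell
#!/bin/sh
# Added example, not code from the answer above: the CA procedure run locally
# with a throwaway CA standing in for the real one. Assumes OpenSSL 1.1.1 or
# newer on PATH. The host "localhost", the CA name and all file names are
# constructed for the demo.
set -eu

# Step 1: private key for the server.
gen_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# Step 2: CSR carrying the host as CN and as a DNS subjectAltName.
# gen_csr KEYFILE HOST CSRFILE
gen_csr() {
    openssl req -new -sha256 -key "$1" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$3"
}

# Checks to run before submitting: the CSR's self-signature is valid and
# its public key is derived from the private key you hold.
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }
# csr_matches_key CSRFILE KEYFILE
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Step 3, stand-in for the CA (constructed; a real CA does this on its side):
# a self-signed CA certificate, then a server certificate issued from the CSR.
# make_test_ca CAKEYFILE CACERTFILE
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" -keyout "$1" -out "$2" 2>/dev/null
}
# issue_cert CSRFILE CAKEYFILE CACERTFILE HOST OUTFILE
issue_cert() {
    # x509 -req drops the CSR's extensions, so the SAN is restated via -extfile
    ext=$(mktemp)
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$4" > "$ext"
    openssl x509 -req -sha256 -days 30 -in "$1" -CA "$3" -CAkey "$2" \
        -CAcreateserial -extfile "$ext" -out "$5" 2>/dev/null
    rm -f "$ext"
}

# Steps 4 and 5, from the verifying side: the installed certificate must
# chain to a trusted CA certificate (plus any intermediates in CAFILE).
# chain_verify CAFILE LEAFCERT
chain_verify() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

main() {
    d=$(mktemp -d)
    gen_key "$d/server.key"
    gen_csr "$d/server.key" localhost "$d/server.csr"
    csr_verify "$d/server.csr" && echo "CSR signature OK"
    csr_matches_key "$d/server.csr" "$d/server.key" && echo "CSR matches private key"
    make_test_ca "$d/ca.key" "$d/ca.crt"
    issue_cert "$d/server.csr" "$d/ca.key" "$d/ca.crt" localhost "$d/server.crt"
    chain_verify "$d/ca.crt" "$d/server.crt" && echo "server.crt chains to ca.crt"
    make_test_ca "$d/other.key" "$d/other.crt"
    chain_verify "$d/other.crt" "$d/server.crt" || echo "server.crt does not verify against an unrelated CA"
    echo "files written to $d"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found on PATH" >&2; fi
```

With a real CA, `ca.crt` in `chain_verify` is the CA's root plus the intermediate certificates it sends back, which is what step 5's "authentication chain" refers to; the private key never leaves your machine, only the CSR does.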