User Tools

Site Tools


Self-Signed SSL Certificate

This is a thing I need to do from time to time and I never remember, how to do it. That means that I need to use more permanent type of memory than the one I've got built in my own head. And this five-step howto will hopefully do.

Step 1: Create a private key

cizmar@mysak:/tmp$ openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)

This creates the private key, no other parameters are necessary, however, tweak it if you want another type of the cipher or another length of the key.

Step 2: Generate a certificate signing request (CSR)

cizmar@mysak:/tmp$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Maryland
Locality Name (eg, city) []:Germantown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Petr Cizmar
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []
Email Address []:my_address(at)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This step requires you to fill in a little form, my answers are used as an example. If the password is required (which I believe depends on the version of the SSL toolkit or the command-line parameters), continue to the next step, otherwise go over to step 4.

Step 3: Remove the pass-phrase from key (if necessary)

cizmar@mysak:/tmp$ cp server.key
cizmar@mysak:/tmp$ openssl rsa -in -out server.key
writing RSA key

Remove the pass-phrase from the key so Apache (for example) doesn't ask for the password every time it's started.

Step 4: Generate your self-signed certificate

cizmar@mysak:/tmp$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=Maryland/L=Germantown/O=Petr Cizmar/OU=IT/
Getting Private key

Easy peasy, no parameters needed.

Step 5: Use it

Now, we've got the certificate.Copy the obtaind files somewhere, where it makes sense, like server.crt to /etc/ssl/certs and server.key to /etc/ssl/private. Then point the apache, dovecot, or whatever configuration files you need to them.

linux/selfsigned_ssl_certificate.txt · Last modified: 2017/05/16 11:10 (external edit)