# Petr Cizmar's Wiki

### Site Tools

linux:selfsigned_ssl_certificate

# Self-Signed SSL Certificate

This is a thing I need to do from time to time and I never remember, how to do it. That means that I need to use more permanent type of memory than the one I've got built in my own head. And this five-step howto will hopefully do.

cizmar@mysak:/tmp$openssl genrsa -out server.key 1024 Generating RSA private key, 1024 bit long modulus ............++++++ .............................++++++ e is 65537 (0x10001) This creates the private key, no other parameters are necessary, however, tweak it if you want another type of the cipher or another length of the key. ## Step 2: Generate a certificate signing request (CSR) cizmar@mysak:/tmp$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Maryland
Locality Name (eg, city) []:Germantown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Petr Cizmar
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:server.cizmar.org

Please enter the following 'extra' attributes
to be sent with your certificate request
An optional company name []:

This step requires you to fill in a little form, my answers are used as an example. If the password is required (which I believe depends on the version of the SSL toolkit or the command-line parameters), continue to the next step, otherwise go over to step 4.

## Step 3: Remove the pass-phrase from key (if necessary)

cizmar@mysak:/tmp$cp server.key server.key.org cizmar@mysak:/tmp$ openssl rsa -in server.key.org -out server.key
writing RSA key

Remove the pass-phrase from the key so Apache (for example) doesn't ask for the password every time it's started.

## Step 4: Generate your self-signed certificate

cizmar@mysak:/tmp\$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
Getting Private key