Generating SSL Certificates

If you would like to use an SSL certificate to secure a service but you do not require a CA-signed certificate, a valid (and free) solution is to sign your own certificates.

A common type of certificate that you can issue yourself is a self-signed certificate. Therefore, self-signed certificates should only be used if you do not need to prove your service’s identity to its users (e.g. non-production or non-public servers).

Generate a self-signed certificate

This command creates a 2048-bit private key (domain.key) and a self-signed certificate (domain.crt) from scratch:

1
2
3

$ openssl req \
       -newkey rsa:2048 -nodes -keyout domain.key \
       -x509 -days 365 -out domain.crt

• The -x509 option tells req to create a self-signed certificate.
• The -days 365 option specifies that the certificate will be valid for 365 days.
• A temporary CSR is generated to gather information to associate with the certificate.

Generate a self-signed certificate from a existing private key

This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key):

1
2
3
4

$ openssl req \
       -key domain.key \
       -new \
       -x509 -days 365 -out domain.crt

• The -x509 option tells req to create a self-signed certificate.