How to create a Self-Signed SSL Certificate using OpenSSL

An SSL certificate is a digital certificate that authenticates a website and enables secure communication between the client (or browser) and the website or server. It contains the website's public key and other identifying information about the website. It is also known as a public key certificate or identity certificate, since it acts as an electronic document that validates the authenticity of the public key.

In asymmetric key

Generate Self-Signed Certificate

First we need a private key. Generate the RSA private key with the following command:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 -out cakey_private.pem

Using the key just created, generate the self-signed certificate:

openssl req -new -x509 -key cakey_private.pem -out cacert.pem -days 1024

You will be prompted to enter the details:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) []:US
State or Province Name (full name) []:New Hampshire
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []
Email Address []

The single command above can be split into three separate commands by generating an intermediate CSR (Certificate Signing Request):

openssl genrsa -out key.pem
openssl req -new -key key.pem -out csr.pem
openssl x509 -req -days 1024 -in csr.pem -signkey key.pem -out cert.pem

Command to create a key along with a CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr

If required, the public key can be extracted from the generated private key as follows:

openssl pkey -in private.pem -out pubkey.pem -pubout

Verify the Certificate against CA Certificate

openssl verify -CAfile cert-ca.crt cert-website.pem

Get the verbose output

openssl verify -verbose -CAfile cert-ca.crt cert-website.pem
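
The steps above as one non-interactive script with two sanity checks. This is an added example, not part of the original post. It reuses the article's file names; the function names, the target directory and the Common Name passed in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the article's commands, plus checks.
# Usage: make_selfsigned /path/to/dir host.example
#        key_matches_cert dir/cakey_private.pem dir/cacert.pem
#        is_self_signed dir/cacert.pem

# Generate the RSA key and a self-signed certificate in directory $1 for CN $2.
make_selfsigned() {
    dir=$1
    cn=$2
    (
        # Create the private key with owner-only permissions (0600).
        umask 077
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -pkeyopt rsa_keygen_pubexp:65537 \
            -out "$dir/cakey_private.pem" 2>/dev/null
    ) || return 1
    # -subj supplies the Distinguished Name, so there are no prompts.
    # Country and state are the values shown in the prompt transcript above.
    openssl req -new -x509 -key "$dir/cakey_private.pem" \
        -subj "/C=US/ST=New Hampshire/CN=$cn" \
        -out "$dir/cacert.pem" -days 1024 || return 1
}

# Succeeds only if certificate $2 carries the public key derived from key $1.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$from_key" = "$from_cert" ]
}

# A self-signed certificate names itself as issuer and verifies against itself.
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

Comparing the two public keys catches the common mistake of deploying a certificate next to a private key it was not issued for.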


Naveen T aka neotam. Programming language agnostic, Software architect, Python expert, Networking & DevOps engineer & consultant with 7+ years of experience in creating serious web applications, real time event-driven non blocking applications and database driven applications ranging from small scale to enterprise grade.