Create a self-signed SSL Certificate with OpenSSL

Mike Solomon

Creating a self-signed certificate with OpenSSL

OpenSSL comes installed with Mac OS X (but see below), as well as many Linux and Unix distributions. Creating a certificate with it is very easy.

OpenSSL commands

openssl genrsa -out key.pem 2048
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA256" && echo "All is well" || echo "This certificate will stop working in 2017! You must update OpenSSL to generate a widely-compatible certificate"

The first OpenSSL command generates a 2048-bit (recommended) RSA private key.

The second command generates a Certificate Signing Request, which you could instead use to generate a CA-signed certificate. This step will ask you questions; be as accurate as you like since you probably aren’t getting this signed by a CA.

The third command generates a self-signed x509 certificate suitable for use on web servers. This is the file you were after all along, congrats!

The check at the end ensures you will be able to use your certificate beyond 2016. OpenSSL on OS X is currently insufficient, and will silently generate a SHA-1 certificate that will be rejected by browsers in 2017. Update using your package manager, or with Homebrew on a Mac and start the process over.

More about self-signed SSL certificates

Self-signed SSL certificates provide all of the encryption benefits of a certificate signed by a Certificate Authority (CA), but essentially none of the authentication benefits. This is obviously still useful, and I find them particularly nice for staging sites, in the early stages of a project, and for use behind CloudFlare.

Due the the lack of authentication, web browsers will display a warning to users attempting to connect to your site. If this is a production site or you don’t want this warning, you must get a certificate signed by a CA. Google “free SSL certificate” and you’ll easily find a free 1-year certificate.

ECC certificates

While I would not recommend an ECC (elliptical curve) certificate, I have a guide to create a self-signed ECC certificate. ECC is a relatively new kind of key, and can be used as an alternative to RSA which we used above.