OpenSSL: How To Create Self-Signed Certificate

OpenSSL is a free, popular, robust, high quality, open source (Apache License) toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. It is available on multiple platforms (Linux, BSD & Windows). In short it means that you can use OpenSSL to easily create certificate signing request (csr file) for your server to request certificate from certification authority like Verisign, Thawte etc. You can also use OpenSSL to create self-signed certificate to use on your Apache web server, Dovecot and other SSL enabled services. Let’s look at how we can easily create a CSR using SSL and also how we can create a self-signed certificate using OpenSSL.

Creating a private key
First you need to create a private key which will be used to generate the CSR or self-signed certificate. Let’s create a private key file names ca.key of strength 1024 (very strong):
openssl genrsa -out ca.key 1024

This creates your private key in the file ca.key.

How to create a CSR to request certificate from external certification authority like Verisgn, Thawte etc.
Now let’s use it to create a CSR which you can use with external certification authorities:
openssl req -new -key ca.key -out ca.csr

This creates a CSR file named ca.csr using the ca.key key file. You can submit this file to certification authorty. They will use the data in this file to create a certificate for you.

Note: You will be asked several pieces of information as follows:

Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Answer them truthfully. Specify the domain name of your server as the Common Name. For example to generate a CSR for my domain https://taragana.com I must use taragana.com as the common name.

How to create self-signed certificate
You can create a self-signed certificate for your own servers using the procedure below:
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Notes:
1. Replace 365 with the number of days you want the certificate to be valid.
2. You must first create a CSR (see above) before you run this command

The certificate will be saved in the file ca.crt. You can use this file in your software & services like apache httpd, postfix, dovecot etc.

Self-signed certificates will not be recognized by browsers (unless you are Verisign or Thawte). When accessing websites or services using such certificate user will be asked to accept / reject the certificate. Certificates signed by recognized external certification authority are automatically accepted by browsers.

Self-signed certificates are good for intranet, demo web sites etc. For commercial sites you should use an external certification authority.