Self-Signed SSL Certificates

Wednesday, February 15, 2006

Quite often I find myself needing to generate self-signed certificates for use with OpenSSL. There are only three steps required...

Generate a key file, named ssl.key for example:

openssl genrsa -out ssl.key 1024

Generate a Certificate Signing Request for the key, named ssl.csr in this example. You'll be asked a bunch of questions, when asked for Common Name (eg, YOUR name) be sure to enter the domain-name you're making the certificate for (such as www.foobar.edu).

openssl req -new -key ssl.key -out ssl.csr

Generate a signed certificate given the request and key, valid for 10 years (3650 days) and named ssl.crt in this example. When you're done, the ssl.key and ssl.crt files are what you usually need to install in your server.

openssl x509 -req -days 3650 -in ssl.csr -signkey ssl.key -out ssl.crt

As a bonus, here's how to view the contents of a certificate file named ssl.crt

openssl x509 -in ssl.crt -text