April 14, 2022 06:46 am GMT

Create a Self-Signed Certificate Using OpenSSL

This article covers how to create a self-signed certificate using OpenSSL.

  • Self-signed certificates can be useful during software development, or for deployment of a web application to a low-risk internal network.
  • Self-signed certificates should not be used for publicly facing servers.

Create a Self-Signed Cert and Private Key

  • openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out public.crt
    • req specifies that we want to use X.509 Certificate Signing Request (CSR) Management.
    • -x509 specifies that we want to output a self-signed certificate instead of a certificate request.
    • -nodes tells OpenSSL not to encrypt the private key. This is important because the server will need to read it without user interaction.
    • -days 365 specifies how many days the certificate is valid for. In this example, we specify 365 days.
    • -newkey rsa:2048 creates a new certificate and new private key. In this example, we specify an RSA key of 2048 bits.
    • -keyout specifies the filename to write the private key to.
    • -out specifies the filename to write the certificate to.

View the Private Key

  • openssl rsa -noout -text -in private.key
    • The rsa command processes RSA keys.
    • -noout prevents output of the encoded version.
    • -text prints out the various public or private key components in plain text in addition to the encoded version.
    • -in specifies the input filename to read a key from.

View the Public Certificate

  • openssl x509 -noout -text -in public.crt
    • The x509 command is used to display certificate information.
    • -noout prevents output of the encoded version.
    • -text prints out the certificate in text form.
    • -in specifies the input filename to read a certificate from.

Check Compatibility

  • OpenSSL stores a modulus in both the private key and public certificate.
  • We can check compatibility of the pair by comparing the MD5 checksums of each modulus.

    openssl x509 -noout -modulus -in public.crt | openssl md5 > public.md5
    openssl rsa -noout -modulus -in private.key | openssl md5 > private.md5
    diff public.md5 private.md5
  • If there are any differences in the MD5 hashes, then the public cert and private key are not compatible.
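
A scripted version of this check, as an added example that is not part of the original article: it compares SHA-256 digests of the whole public key rather than MD5 of the RSA modulus, so it also works for EC and other key types, and it rejects unreadable files instead of comparing two hashes of empty input. The `/CN=localhost` subject, the file names and the function names are assumptions for the demo.

```sh
#!/bin/sh
# Added example (not from the original article). Requires the openssl CLI.

# Create a throwaway self-signed pair without prompts.
# "/CN=localhost" and the file prefix are constructed values for this demo.
make_pair() {  # $1 = output path prefix
    ( umask 077  # -nodes leaves the key unencrypted: keep it owner-readable only
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -subj "/CN=localhost" -keyout "$1.key" -out "$1.crt" 2>/dev/null )
}

# Exit status: 0 = pair matches, 1 = mismatch, 2 = a file could not be parsed.
cert_matches_key() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    # Refuse empty output: two empty inputs would otherwise hash to the same value.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    cert_sum=$(printf '%s\n' "$cert_pub" | openssl sha256)
    key_sum=$(printf '%s\n' "$key_pub" | openssl sha256)
    [ "$cert_sum" = "$key_sum" ]
}

# Build two pairs, then test cert "a" against its own key, the other key,
# and a file that does not exist. Prints "<key file>=<exit status>" for each.
demo() {
    dir=$(mktemp -d) || return 1
    make_pair "$dir/a" && make_pair "$dir/b" || { rm -rf "$dir"; return 1; }
    out=""
    for key in a.key b.key missing.key; do
        rc=0
        cert_matches_key "$dir/a.crt" "$dir/$key" || rc=$?
        out="$out$key=$rc "
    done
    rm -rf "$dir"
    echo "${out% }"
}

demo
```

In a deployment script, call `cert_matches_key` before reloading the server and abort on any non-zero status.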


Original Link: https://dev.to/tomkanabay/create-a-self-signed-certificate-using-openssl-549n
