How to Generate Self‑Signed SSL Certificates with OpenSSL: Step‑by‑Step Guide

This guide walks you through using OpenSSL to create a private key, generate a certificate signing request, configure extensions, and produce a self‑signed CA and server certificate, including commands for key encryption, password removal, and PEM/CRT output.

Liangxu Linux

Tool Overview

OpenSSL is a toolkit that implements the SSL/TLS protocols and the certificate handling around them. Three file types appear in this guide:

key – the private key. It is never sent to the client; the server uses it to prove that it owns the public key in its certificate (by signing the TLS handshake, or, with legacy RSA key exchange, by decrypting the premaster secret). Anyone who obtains this file can impersonate the server, so it is the one file to protect.
csr – Certificate Signing Request: the public key plus the requested subject information, submitted to a Certificate Authority (CA) for signing.
crt – the certificate signed by a CA (or self-signed), containing the holder's information, the public key, and the CA's signature.

Step 1 – Generate a Self‑Signed CA Certificate

Generate a private key (encrypted with Triple DES)

openssl genrsa -des3 -out myCA.key 2048

Explanation: genrsa creates an RSA private key; the public key is derived from it. -des3 encrypts the key file with Triple DES under a passphrase you are prompted for. 2048 sets the key length in bits. Triple DES is a legacy cipher; on current OpenSSL releases -aes256 does the same job with a modern cipher.

Note that -nodes is an option of openssl req, not of genrsa. To create an unencrypted key here, simply omit -des3 (openssl genrsa -out myCA.key 2048), which makes the next step unnecessary. When openssl req generates the key itself (-newkey), -nodes has that effect.

Remove the passphrase from the private key (optional)

openssl rsa -in myCA.key -out myCA.key

This writes the key back in cleartext. For a CA key that is a real loss: anyone who can read the file can issue certificates that every client trusting this CA will accept. Prefer to keep the CA key encrypted (ideally offline) and enter the passphrase when signing. If you do strip it, write to a new file (-out myCA-nopass.key) rather than overwriting the original, so you can still recover the protected copy.

Generate a PEM-formatted self-signed CA certificate

openssl req -utf8 -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

Explanation: -x509 makes req emit a self-signed certificate instead of a CSR; -key reuses the key created above; -days 825 sets the validity period. You are prompted for the subject fields, of which the Common Name is the label clients will see for your CA. -nodes only matters when req generates a new key, so it has no effect in this command. Distribute myCA.pem (never myCA.key) to every client that should trust certificates issued by this CA.

Step 2 – Create a CA‑Signed Server Certificate

Generate the server private key

openssl genrsa -out server.key 2048

Create a Certificate Signing Request (CSR)

openssl req -new -key server.key -out server.csr

Note: Enter the server's host name as the Common Name (CN). Current browsers no longer match the host name against the CN at all (Chrome stopped doing so in version 58); they require it in the subjectAltName extension, which is added in the next step. The CN remains useful as a human-readable label for the certificate.

Prepare an extension file for the certificate (saved as server.ext, the name the signing command below refers to)

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.baidu.com
DNS.2 = www.sougou.com
IP.1 = 192.168.1.1

Chrome, like every other current browser, matches the host name against subjectAltName, so every DNS name and IP address the server will be reached by must be listed there. openssl req does not add this extension on its own, and openssl x509 -req by default does not copy extensions from the CSR, which is why they come from this file. Replace the example names above with your own hosts. For a TLS server certificate, a keyUsage of digitalSignature and keyEncipherment is sufficient, and adding extendedKeyUsage = serverAuth states explicitly what the certificate may be used for.

Sign the server certificate with the CA

openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile server.ext

Explanation: -CAcreateserial creates myCA.srl, which holds the issuer's next serial number; keep it alongside the CA files so that later certificates get distinct serials. Reconsider the validity period: Apple platforms reject TLS server certificates valid for more than 825 days, including ones issued by private CAs, so -days 825 or less is the safer choice than 3650.

The resulting files are: server.crt – the signed server certificate, installed on the server together with server.key – the server private key. Clients must have myCA.pem in their trust store (system store or browser certificate settings) before they will accept server.crt without a warning. You can check the result locally before deploying it with openssl verify -CAfile myCA.pem server.crt.
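The whole procedure from Step 1 and Step 2, collected into one script as an added example (this is not code from the original article or its author): it creates the CA key and self-signed CA certificate, the server key and CSR, the SAN extension file, and the CA-signed server certificate, and then runs the verification the guide leaves out. The file names, the CA name "Example Lab Root CA", the host www.example.test and the address 10.0.0.5 are assumed placeholders; the leaf validity of 398 days and the extendedKeyUsage line are choices explained in the comments.

```shell
#!/bin/sh
# Added example, not code from the original article: the private-CA workflow
# from the guide in one script, plus verification of the result. File names,
# the CA name, the host www.example.test and the address 10.0.0.5 are assumed.
set -eu

# make_ca DIR: create the CA key and a self-signed CA certificate in DIR.
# The key is left unencrypted only because this script is non-interactive;
# for a real CA use "genrsa -aes256" and keep the key offline.
make_ca() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 825 \
    -config "$dir/ca.cnf" -extensions v3_ca -out "$dir/ca.pem"
}

# make_server_cert DIR: server key, CSR, extension file, CA-signed certificate.
make_server_cert() {
  dir=$1
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = www.example.test\n' \
    > "$dir/server.cnf"
  openssl req -new -key "$dir/server.key" -config "$dir/server.cnf" \
    -out "$dir/server.csr"
  # Leaf extensions: subjectAltName is what browsers match the host name
  # against, serverAuth says what the certificate is for, and CA:FALSE stops
  # the leaf from being used to sign further certificates.
  cat > "$dir/server.ext" <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.test
IP.1 = 10.0.0.5
EOF
  # 398 days keeps the leaf inside the lifetime current browsers accept.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 398 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR HOST: exit 0 if server.crt chains to ca.pem and its
# subjectAltName covers HOST (what a browser checks, minus the trust store).
verify_chain() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# has_san DIR NAME: exit 0 if NAME appears in the leaf's printed extensions,
# e.g. "DNS:www.example.test" or "IP Address:10.0.0.5".
has_san() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -q "$2"
}

# Run the whole flow when invoked as: sh selfsigned_ca.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_ca "$work"
  make_server_cert "$work"
  verify_chain "$work" www.example.test && echo "chain and hostname OK"
  verify_chain "$work" other.example.test || echo "wrong hostname rejected, as expected"
  echo "certificates written to $work"
fi
```

The two verification functions are the part worth keeping around: verify_chain fails for a host name that is not in the SAN list, which is exactly the mismatch browsers report, and has_san lets you confirm that the extension file was actually applied, since openssl x509 -req silently produces a certificate without any SAN if -extfile is forgotten.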

Source: https://www.cnblogs.com/xiongzaiqiren/p/15927932.html
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: command-line, OpenSSL, TLS, SSL, Self-Signed
Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
