DEV Community

Cover image for OpenSSL generating self-signed certificates - part 2

Posted on

OpenSSL generating self-signed certificates - part 2

Fire and foremost one should understand that self-signed certificates are:

  • created and signed by its own creator rather than a trusted third-party certificate authority (CA). 
  • do not have a chain of trust linking them to a trusted root certificate authority (CA).
  • are standalone certificates that rely solely on the trust placed in them by the entity using them

In other words, the entity creating the certificate acts as both the issuer and the subject of the certificate.

Now, to generate a self-signed certificate with OpenSSL you should:

1) Generate private key:
openssl genpkey -algorithm RSA -out private.key

2) Generate a certificate request:
openssl req -new -key private.key -out csr.pem

You'll be prompted to enter information (that will be incorporated into your certificate request)such as:

Country Name (2 letter code), Organization Name (eg, company),Common Name (e.g. server FQDN or YOUR name), Issuer.

After successfully running the previous commands you should have two files a private key and a certificate signing request.

Image description

3) Generate the self-signed PEM certificate (valid for 365 days) using the private key and the CSR:

openssl x509 -req -days 365 -in csr.pem -signkey private.key -out certificate.pem
Enter fullscreen mode Exit fullscreen mode

Now you should have certificate.pem file which represents the generated PEM certificate. That was it, for a short introduction to OpenSSL and its capabilities check OpenSSL a swiss army knife - part1

Bonus: If you're interested in how to check if a private key matches the corresponding public key used in a certificate

Top comments (0)