How To Create A Self-Signed SSL Certificate On Linux

by Ryan Geddes, May 8th, 2020

Too Long; Didn't Read

How To Create A Self-Signed SSL Certificate On Linux is a guide to creating self-signed SSL certificates using OpenSSL on Linux. It provides easy “cut and paste” code that you will need to generate your first RSA key pair. After creating your first set of keys, you should have the confidence to create certificates for a variety of situations. If you are trying to create a certificate for Web (https) you can take advantage of the free signed certificates that Cloudflare provides. Self-signing a certificate for web use, particularly e-commerce, is a bad idea.


This is a guide to creating self-signed SSL certificates using OpenSSL on Linux. It provides easy “cut and paste” code that you will need to generate your first RSA key pair. After creating your first set of keys, you should have the confidence to create certificates for a variety of situations. RSA keys are used everywhere these days, and knowing how to generate them is an essential skill for system admins to possess and an easy procedure for the hobbyist to pick up.

SSL certificates are used by many protocols and services, ranging from HTTPS to VPN. No matter what the application, being comfortable generating your own self-signed SSL certificates will dramatically change the way you approach your system.

Below are the quick commands needed to get your SSL certificate and key. If you are trying to create a certificate for Web (https) you can take advantage of the free signed certificates that Cloudflare provides. Self-signing a certificate for web use, particularly e-commerce, is a bad idea; it's best to use Cloudflare or purchase a reputable signed certificate.

A signed certificate signifies that a trusted authority issued it. This provides SEO benefits in addition to security. Visitors to your site will get warnings if you try to use a self-signed certificate.

It is more than a disadvantage to try and use a self-signed certificate for a website.

Many trusted services insure their certificates against breaches. DNSRHINO, a domain registrar and webhost, provides insurance on SSL certificates up to $100,000.

If you need an SSL certificate for anything other than https – read on.

All the commands below were run on Ubuntu 18.04 using apt-get and OpenSSL. If you don’t have Linux, or want to take advantage of free cloud time, you can sign up with Vultr and launch an Ubuntu 18.04 instance in a few clicks. If you are on a RedHat/CentOS system, use yum instead of apt-get. If you use a different Linux distro or package manager, or you want to install OpenSSL from source, clone the files using git and view the file called INSTALL in the main directory. Clone OpenSSL using the below commands:

How To Generate An SSL Certificate:

<code style="box-sizing: inherit; -webkit-font-smoothing: antialiased; word-break: break-word; overflow-wrap: break-word; border: none; font-size: 0.9em; line-height: inherit; margin: 0px; padding: 0px; text-align: inherit; font-family: monospace; background: transparent; border-radius: 0.2rem; direction: ltr;">sudo su -
apt-get update
apt-get install openssl</code>

You should see an output similar to the output below. Many systems have OpenSSL installed already, so don’t be surprised if you have nothing to install. Use yum instead of apt-get if your system requires it.

<code style="box-sizing: inherit; -webkit-font-smoothing: antialiased; word-break: break-word; overflow-wrap: break-word; border: none; font-size: 0.9em; line-height: inherit; margin: 0px; padding: 0px; text-align: inherit; font-family: monospace; background: transparent; border-radius: 0.2rem; direction: ltr;">Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ca-certificates
The following NEW packages will be installed:
  openssl
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/613 kB of archives.
After this operation, 1,251 kB of additional disk space will be used.
Selecting previously unselected package openssl.
(Reading database ... 77326 files and directories currently installed.)
Preparing to unpack .../openssl_1.1.1-1ubuntu2.1~18.04.5_amd64.deb ...
Unpacking openssl (1.1.1-1ubuntu2.1~18.04.5) ...
Setting up openssl (1.1.1-1ubuntu2.1~18.04.5) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...


</code>

The command below creates a certificate called ryanserver1.crt and a private key called ryanserver1.key. The SSL certificates generated with the options below are created without a passphrase and are valid for 365 days. The values can be edited to match your specifications.

Change the names of the .crt and .key outputs from ryanserver1 to yourfilename in the code below and run the command.

<code style="box-sizing: inherit; -webkit-font-smoothing: antialiased; word-break: break-word; overflow-wrap: break-word; border: none; font-size: 0.9em; line-height: inherit; margin: 0px; padding: 0px; text-align: inherit; font-family: monospace; background: transparent; border-radius: 0.2rem; direction: ltr;">openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ryanserver1.crt -keyout ryanserver1.key</code>

You will be asked a number of questions relating to the owner of the certificate. For most non-production applications, you can simply hit enter a few times to accept the default values. The executed command should look like this:

<code style="box-sizing: inherit; -webkit-font-smoothing: antialiased; word-break: break-word; overflow-wrap: break-word; border: none; font-size: 0.9em; line-height: inherit; margin: 0px; padding: 0px; text-align: inherit; font-family: monospace; background: transparent; border-radius: 0.2rem; direction: ltr;">Generating a RSA private key
.................................++++
............................................................................................................................................................................................................................................................................++++
writing new private key to 'ryanserver1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:ON
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ryangeddes.com
Organizational Unit Name (eg, section) []:Tech
Common Name (e.g. server FQDN or YOUR name) []:ryangeddes.com
Email Address []:[email protected]</code>

The certificate and key should now be in your current directory. Use ls to see a list of files and pwd to determine the full path to the files. To show the contents of the certificate and key, use cat. Your application will require the full path to the SSL certificates; you can move them with mv, or you can point to their current location by editing your application's config file.

<code style="box-sizing: inherit; -webkit-font-smoothing: antialiased; word-break: break-word; overflow-wrap: break-word; border: none; font-size: 0.9em; line-height: inherit; margin: 0px; padding: 0px; text-align: inherit; font-family: monospace; background: transparent; border-radius: 0.2rem; direction: ltr;">root@la-usa-webserver:~# ls
ryanserver1.crt  ryanserver1.key
root@usa-webserver:~# pwd
/root
root@la-usa-webserver:~# cat /root/ryanserver1.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
root@usa-webserver:~# cat /root/ryanserver1.key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</code>
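
The same procedure without the interactive prompts, followed by the checks worth running on the result (the key really belongs to the certificate, the validity window, and the permissions on the unencrypted key). This is an added example, not code from the original article; the function names and the host name ryanserver1.example.test are assumptions, and -addext requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original article). Host names are constructed.

# make_selfsigned NAME HOSTNAME [DAYS] [BITS]
# Same options as the article's command, but -subj answers the DN prompts
# and -addext adds the subjectAltName that current clients match against.
make_selfsigned() {
    (
        umask 077   # create both files owner-only; -nodes leaves the key unencrypted
        openssl req -newkey "rsa:${4:-4096}" -x509 -sha256 -days "${3:-365}" -nodes \
            -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
            -out "$1.crt" -keyout "$1.key"
    ) && chmod 644 "$1.crt" && chmod 600 "$1.key"
}

# pair_matches CERT KEY: succeeds only if the certificate carries the public
# half of this private key (compares the two PEM-encoded public keys).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# valid_for_days CERT DAYS: succeeds if CERT will still be valid DAYS from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# key_mode KEY: prints the octal permission bits (GNU stat, as on Ubuntu).
key_mode() {
    stat -c '%a' "$1"
}

# Usage:
#   make_selfsigned ryanserver1 ryanserver1.example.test
#   pair_matches ryanserver1.crt ryanserver1.key && echo "key matches certificate"
#   valid_for_days ryanserver1.crt 30 || echo "expires within 30 days"
#   key_mode ryanserver1.key    # should print 600
```

Because the key has no passphrase, anyone who can read the .key file can impersonate the service, so keep it at mode 600 wherever you move it.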

You now have a working self-signed key and certificate without a passphrase. To learn more about generating SSL certificates and the advanced options available using OpenSSL, be sure to visit the OpenSSL git repo and read through the OpenSSL docs.