This is a guide to creating self-signed SSL certificates using OpenSSL on Linux. It provides easy "cut and paste" code that you will need to generate your first RSA key pair. After creating your first set of keys, you should have the confidence to create certificates for a variety of situations. RSA keys are used everywhere these days, and knowing how to generate them is an essential skill for system admins to possess and an easy procedure for the hobbyist to pick up.

SSL certificates are used by many protocols and services, ranging from HTTPS to VPN. No matter what the application, being comfortable generating your own self-signed SSL certificates will dramatically change the way you approach your system.

Below are the quick commands needed to get your SSL certificate and key. If you are trying to create a certificate for Web (https), you can take advantage of the free signed certificates that Cloudflare provides. Self-signing a certificate for web use, particularly e-commerce, is a bad idea; it's best to use Cloudflare or purchase a reputable signed certificate.

A signed certificate signifies that a trusted authority issued it. This provides SEO benefits in addition to security. Visitors to your site will get warnings if you try to use a self-signed certificate. It is more than a disadvantage to try and use a self-signed certificate for a website. Many trusted services insure their certificates against breaches. DNSRHINO, a domain registrar and webhost, provides up to $100,000 insurance on SSL certificates.

If you need an SSL certificate for anything other than https, read on.

All the commands below were run on Ubuntu 18.04 using apt-get and OpenSSL. If you don't have Linux, or want to take advantage of free cloud time, you can sign up with Vultr and launch an Ubuntu 18.04 instance in a few clicks. If you are on a RedHat/CentOS system, use yum instead of apt-get. If you use a different Linux distro or package manager, or you want to install OpenSSL from source: clone the files using git, and view the file in the main directory called INSTALL.
How To Generate A SSL Certificate:

Install OpenSSL using the commands below:

<code>
sudo su -
apt-get update
apt-get install openssl
</code>

You should see an output similar to the output below. Many systems have OpenSSL installed already, so don't be surprised if you have nothing to install. Use yum instead of apt-get if your system requires it.

<code>
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ca-certificates
The following NEW packages will be installed:
  openssl
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/613 kB of archives.
After this operation, 1,251 kB of additional disk space will be used.
Selecting previously unselected package openssl.
(Reading database ... 77326 files and directories currently installed.)
Preparing to unpack .../openssl_1.1.1-1ubuntu2.1~18.04.5_amd64.deb ...
Unpacking openssl (1.1.1-1ubuntu2.1~18.04.5) ...
Setting up openssl (1.1.1-1ubuntu2.1~18.04.5) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
</code>

The command below creates a certificate called ryanserver1.crt, and a private key called ryanserver1.key. The SSL certificates generated with the options below are created without a passphrase and are valid for 365 days. The values can be edited to match your specifications.

Change the names of the .crt and .key outputs from ryanserver1 to yourfilename in the code below and run the command.

<code>
openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ryanserver1.crt -keyout ryanserver1.key
</code>

You will be asked a number of questions relating to the owner of the certificate. For most non-production applications, you can simply hit enter a few times to accept the default values. The executed command should look like this:

<code>
Generating a RSA private key
.................................++++
............................................................................................................................................................................................................................................................................++++
writing new private key to 'ryanserver1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:ON
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ryangeddes.com
Organizational Unit Name (eg, section) []:Tech
Common Name (e.g. server FQDN or YOUR name) []:ryangeddes.com
Email Address []:ryan@ryangeddes.com
</code>

The certificate and key should now be in your current directory. Use ls to see a list of files, and use pwd to determine the full path to the files. To show the contents of the certificate and key, use cat. Your application will require the full path to the SSL certificates; you can move them with mv, or you can link to their current position by editing your application's config file.

<code>
root@la-usa-webserver:~# ls
ryanserver1.crt  ryanserver1.key
root@la-usa-webserver:~# pwd
/root
root@la-usa-webserver:~# cat /root/ryanserver1.crt
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
root@la-usa-webserver:~# cat /root/ryanserver1.key
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
</code>

You now have a working self-signed key and certificate without a passphrase. To learn more about generating SSL certificates and the advanced options available using OpenSSL, be sure to visit the OpenSSL git repo and read through the OpenSSL docs.
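As an added example (not part of the original guide), the script below runs the same `openssl req` options without the interactive prompts and then checks the result: that the certificate and key belong together, that the certificate has a subjectAltName entry, and how long it remains valid. It assumes OpenSSL 1.1.1 or later for `-addext`; the file name `demo` and host name `demo.internal` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Needs OpenSSL 1.1.1+ (-addext).
# File base names and host names are supplied by the caller (assumptions).

# make_selfsigned BASE CN [DAYS] [BITS]
# Same options as the guide's command; -subj answers the Distinguished Name
# prompts and -addext adds the subjectAltName that modern clients match on.
make_selfsigned() (
    umask 077    # -nodes leaves the key unencrypted, so create it mode 0600
    openssl req -newkey "rsa:${4:-4096}" -x509 -sha256 -days "${3:-365}" -nodes \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -out "$1.crt" -keyout "$1.key" 2>/dev/null
)

# cert_matches_key CRT KEY: true only if both carry the same RSA modulus.
# The -n test stops two failed reads (empty output) from comparing as equal.
cert_matches_key() (
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
)

# cert_valid_for CRT DAYS: true if the certificate is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_has_san CRT NAME: true if NAME is listed as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# Demo with constructed names, run in a scratch directory that is removed after.
dir=$(mktemp -d) &&
    make_selfsigned "$dir/demo" demo.internal 365 &&
    cert_matches_key "$dir/demo.crt" "$dir/demo.key" &&
    cert_has_san "$dir/demo.crt" demo.internal &&
    cert_valid_for "$dir/demo.crt" 364 &&
    echo "demo.crt: key matches, SAN present, valid for at least 364 days"
rm -rf "$dir"
```

The modulus comparison is specific to RSA keys such as the `rsa:4096` key generated in this guide.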