How to Create Self-Signed SSL Certificates

LogischerMix | Justin Hu included in engineering

2024-01-26 500 words 3 minutes

Contents

SSL Certificate

Securing your website or application has become increasingly crucial in today’s digital landscape where cyber crimes become ever more pervasive.

One common way to achieve security is through encryption. Symmetric and asymmetric encryption have been heavily studied in the field of Cryptograph and are widely used in the industry to help secure digital systems. SSL certificates, which build on top of asymmetric encryption, are often used to secure websites by ensuring data in transit between clients and web server are encrypted, thus private and secure.

Businesses,organizations, and developers usually get SSL certificates from public CA(Certificate Authority) who act as the Source of Trust for the internet. It might be necessary to create self-signed SSL certificates in some cases,such as testing, learning, development, or internal purposes.

This article serves as a simple guide on how to generate self-signed SSL certificates using OpenSSL.

Step-by-Step Guide

1: Install OpenSSL

There are tons of information available on the internet on how to install OpenSSL.

For Ubuntu or Debian-based system:

sudo apt install openssl

For CentOS, Fedora, or RHEL-based systems:

sudo yum install openssl

For MacOS

brew install openssl

2: Generate a Private Key

openssl genrsa -out test.key 2048

Run the command to generate a 2048-bit RSA private key (replace test.key with your file name):

Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
.............+++++
e is 65537 (0x010001)

3: Create a Certificate Signing Request

A Certificate Signing Request(CSR) includes all information about your application and organization. Then a CSR can be used to generate the SSL certificate.

openssl req -new -key test.key -out test.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario 
Locality Name (eg, city) []:Toronto 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test 
Organizational Unit Name (eg, section) []:Test 
Common Name (e.g. server FQDN or YOUR name) []:test.com 
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4: Request the Self-signed SSL Certificate

openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt

Command options and usage can be found at: https://www.openssl.org/docs/man1.1.1/man1/x509.html

Signature ok
subject=C = CA, ST = Ontario, L = Toronto, O = Test, OU = Test, CN = test.com, emailAddress = [email protected]
Getting Private key

5: Configure HTTPs Web Server

A self-signed SSL certificate is generated and can be used by the web server.

A popular choice is Nginx. And here is the example configuration of nginx HTTPs:

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}