1.2.5 Signing Your Own Certificates
If you’re configuring a TLS server for your own use or for a quick test, sometimes you don’t want to go to a CA for a publicly trusted certificate. It’s much easier just to use a self-signed certificate.1
If you already have a CSR, create a certificate using the following command:
$ openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt
Signature ok
subject=C = GB, L = London, O = Feisty Duck Ltd, CN = www.feistyduck.com
Getting Private key
Enter pass phrase for fd.key: ****************
You don’t actually have to create a CSR in a separate step. The following command creates a self-signed certificate starting with a key alone:
$ openssl req -new -x509 -days 365 -key fd.key -out fd.crt
If you don’t wish to be asked any questions, use the -subj switch to provide the certificate subject information on the command line:
$ openssl req -new -x509 -days 365 -key fd.key -out fd.crt \
-subj "/C=GB/L=London/O=Feisty Duck Ltd/CN=www.feistyduck.com"
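The following script is an added example, not part of the original text: it runs the non-interactive command above and then checks that the result really is self-signed, belongs to the key, and carries the requested 365-day lifetime. It assumes a throwaway unencrypted RSA key generated in a temporary directory (the fd.key used in the text is passphrase-protected), and the function names are hypothetical.

```shell
# Added example: create a self-signed certificate without prompts, then verify it.
SUBJ="/C=GB/L=London/O=Feisty Duck Ltd/CN=www.feistyduck.com"  # subject from the text

# make_self_signed DIR: write DIR/fd.key (throwaway, unencrypted) and DIR/fd.crt
make_self_signed() {
    openssl genrsa -out "$1/fd.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$1/fd.key" -out "$1/fd.crt" \
        -subj "$SUBJ" 2>/dev/null
}

# cert_name CERT subject|issuer: print that DN in RFC 2253 form, label stripped
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# is_self_signed CERT: issuer equals subject and the signature verifies
# against the certificate's own public key
is_self_signed() {
    [ "$(cert_name "$1" subject)" = "$(cert_name "$1" issuer)" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: public half of KEY equals the key in CERT
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# validity_ok CERT: valid now, expired 366 days from now (matches -days 365)
validity_ok() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $((366 * 86400)) >/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir" &&
    is_self_signed "$dir/fd.crt" &&
    key_matches_cert "$dir/fd.key" "$dir/fd.crt" &&
    validity_ok "$dir/fd.crt"
    rc=$?
    rm -rf "$dir"   # remove the throwaway key and certificate
    return $rc
}

demo && echo "self-signed certificate checks passed"
```

The same three checks can be pointed at any existing certificate and key pair; for a passphrase-protected key, openssl pkey will prompt before key_matches_cert can compare.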