How to create a self-signed certificate with OpenSSL

Question

I m adding HTTPS support to an embedded Linux device  I have tried to generate a self-signed certificate with these steps   openssl req -new  gt  cert csr openssl rsa -in privkey pem -out key pem openssl x509 -in cert csr -out cert pem -req -signkey key pem -days 1001 cat key pem gt  gt cert pem   This works  but I get some errors with  for example  Google Chrome      This is probably not the site you are looking for    The site s security certificate is not trusted    Am I missing something  Is this the correct way to build a self-signed certificate

User · Answer

As has been discussed in detail  self-signed certificates are not trusted for the Internet  You can add your self-signed certificate to many but not all browsers  Alternatively you can become your own certificate authority   The primary reason one does not want to get a signed certificate from a certificate authority is cost -- Symantec charges between  995 -  1 999 per year for certificates -- just for a certificate intended for internal network  Symantec charges  399 per year  That cost is easy to justify if you are processing credit card payments or work for the profit center of a highly profitable company  It is more than many can afford for a personal project one is creating on the internet  or for a non-profit running on a minimal budget  or if one works in a cost center of an organization -- cost centers always try to do more with less   An alternative is to use certbot  see about certbot   Certbot is an easy-to-use automatic client that fetches and deploys SSL TLS certificates for your web server   If you setup certbot  you can enable it to create and maintain a certificate for you issued by the Let   s Encrypt certificate authority   I did this over the weekend for my organization  I installed the required packages for certbot on my server  Ubuntu 16 04  and then ran the command necessary to setup and enable certbot  One likely needs a DNS plugin for certbot - we are presently using DigitalOcean though may be migrating to another service soon   Note that some of the instructions were not quite right and took a little poking and time with Google to figure out  This took a fair amount of my time the first time but now I think I could do it in minutes   For DigitalOcean  one area I struggled was when I was prompted to input the path to your DigitalOcean credentials INI file  What the script is referring to is the Applications  amp  API page and the Tokens Key tab on that page  You need to have or generate a personal access token  read and write  for DigitalOcean s API -- this is a 65 character hexadecimal string  This string then needs to be put into a file on the webserver from which you are running certbot  That file can have a comment as its first line  comments start with     The seccond line is   dns digitalocean token   0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff   Once I figured out how to set up a read write token for DigitalOcean s API  it was pretty easy to use certbot to setup a wildcard certificate  Note that one does not have to setup a wildcard certificate  one may instead specify each domain and sub-domain that one wants the certificate to appply to  It was the wildcard certificate that required the credentials INI file that contained the personal access token from DigitalOcean   Note that public key certificates  also known as identity certificates or SSL certificates  expire and require renewal  Thus you will need to renew your certificate on a periodic  reoccurring  basis  The certbot documentation covers renewing certificates   My plan is to write a script to use the openssl command to get my certificate s expiration date and to trigger renewal when it is 30 days or less until it expires  I will then add this script to cron and run it once per day   Here is the command to read your certificate s expiration date   root prod-host     usr bin openssl x509 -enddate -noout -in path-to-certificate-pem-file notAfter May 25 19 24 12 2019 GMT

User · Answer

One-liner version 2017   CentOS   openssl req -x509 -nodes -sha256 -newkey rsa 2048   -keyout localhost key -out localhost crt   -days 3650   -subj  CN localhost    -reqexts SAN -extensions SAN   -config  lt  cat  etc pki tls openssl cnf  lt  printf   n SAN  nsubjectAltName IP 127 0 0 1 DNS localhost      Ubuntu   openssl req -x509 -nodes -sha256 -newkey rsa 2048   -keyout localhost key -out localhost crt   -days 3650   -subj   CN localhost    -reqexts SAN -extensions SAN   -config  lt  cat  etc ssl openssl cnf  lt  printf   n SAN  nsubjectAltName IP 127 0 0 1 DNS localhost      Edit  added prepending Slash to  subj  option for Ubuntu

User · Answer

Modern browsers now throw a security error for otherwise well-formed self-signed certificates if they are missing a SAN  Subject Alternate Name   OpenSSL does not provide a command-line way to specify this  so many developers  tutorials and bookmarks are suddenly outdated   The quickest way to get running again is a short  stand-alone conf file    Create an OpenSSL config file  example  req cnf    req  distinguished name   req distinguished name x509 extensions   v3 req prompt   no  req distinguished name  C   US ST   VA L   SomeCity O   MyCompany OU   MyDivision CN   www company com  v3 req  keyUsage   critical  digitalSignature  keyAgreement extendedKeyUsage   serverAuth subjectAltName    alt names  alt names  DNS 1   www company com DNS 2   company com DNS 3   company net  Create the certificate referencing this config file  openssl req -x509 -nodes -days 730 -newkey rsa 2048    -keyout cert key -out cert pem -config req cnf -sha256    Example config from https   support citrix com article CTX135602

User · Answer

openssl allows to generate self-signed certificate by a single command  -newkey instructs to generate a private key and -x509 instructs to issue a self-signed certificate instead of a signing request    openssl req -x509 -newkey rsa 4096   -keyout my key -passout pass 123456 -out my crt   -days 365   -subj  CN localhost O home C US emailAddress me mail internal   -addext  quot subjectAltName   DNS localhost DNS web internal email me mail internal quot    -addext keyUsage digitalSignature -addext extendedKeyUsage serverAuth  You can generate a private key and construct a self-signing certificate in separate steps   openssl genrsa -out my key -passout pass 123456 2048  openssl req -x509   -key my key -passin pass 123456 -out my csr   -days 3650   -subj  CN localhost O home C US emailAddress me mail internal   -addext  quot subjectAltName   DNS localhost DNS web internal email me mail internal quot    -addext keyUsage digitalSignature -addext extendedKeyUsage serverAuth  Review the resulting certificate   openssl x509 -text -noout -in my crt  Java keytool creates PKCS 12 store   keytool -genkeypair -keystore my p12 -alias master   -storetype pkcs12 -keyalg RSA -keysize 2048 -validity 3650   -storepass 123456   -dname  quot CN localhost O home C US quot    -ext  san dns localhost dns web internal email me mail internal   To export the self-signed certificate   keytool -exportcert -keystore my p12 -file my crt   -alias master -rfc -storepass 123456  Review the resulting certificate   keytool -printcert -file my crt  certtool from GnuTLS doesn t allow passing different attributes from CLI  I don t like to mess with config files

User · Answer

I would recommend to add the -sha256 parameter  to use the SHA-2 hash algorithm  because major browsers are considering to show  SHA-1 certificates  as not secure   The same command line from the accepted answer -  diegows with added -sha256     openssl req -x509 -sha256 -newkey rsa 2048 -keyout key pem -out cert pem -days XXX   More information in Google Security blog   Update May 2018  As many noted in the comments that using SHA-2 does not add any security to a self-signed certificate  But I still recommend using it as a good habit of not using outdated   insecure cryptographic hash functions  Full explanation is available in Why is it fine for certificates above the end-entity certificate to be SHA-1 based

User · Answer

You can do that in one command   openssl req -x509 -newkey rsa 4096 -keyout key pem -out cert pem -days 365   You can also add -nodes  short for no DES  if you don t want to protect your private key with a passphrase  Otherwise it will prompt you for  at least a 4 character  password   The days parameter  365  you can replace with any number to affect the expiration date  It will then prompt you for things like  Country Name   but you can just hit Enter and accept the defaults   Add -subj   CN localhost  to suppress questions about the contents of the certificate  replace localhost with your desired domain    Self-signed certificates are not validated with any third party unless you import them to the browsers previously  If you need more security  you should use a certificate signed by a certificate authority  CA

User · Answer

2017 one-liner   openssl req   -newkey rsa 2048   -x509   -nodes   -keyout server pem   -new   -out server pem   -subj  CN localhost   -reqexts SAN   -extensions SAN   -config  lt  cat  System Library OpenSSL openssl cnf        lt  printf   SAN  nsubjectAltName DNS localhost      -sha256   -days 3650   This also works in Chrome 57  as it provides the SAN  without having another configuration file  It was taken from an answer here   This creates a single  pem file that contains both the private key and cert  You can move them to separate  pem files if needed

User · Answer

This is the script I use on local boxes to set the SAN  subjectAltName  in self-signed certificates    This script takes the domain name  example com  and generates the SAN for   example com and example com in the same certificate  The sections below are commented  Name the script  e g  generate-ssl sh  and give it executable permissions  The files will be written to the same directory as the script   Chrome 58 an onward requires SAN to be set in self-signed certificates      usr bin env bash    Set the TLD domain we want to use BASE DOMAIN  example com     Days for the cert to live DAYS 1095    A blank passphrase PASSPHRASE       Generated configuration file CONFIG FILE  config txt   cat  gt   CONFIG FILE  lt  lt -EOF  req  default bits   2048 prompt   no default md   sha256 x509 extensions   v3 req distinguished name   dn   dn  C   CA ST   BC L   Vancouver O   Example Corp OU   Testing Domain emailAddress   webmaster  BASE DOMAIN CN    BASE DOMAIN   v3 req  subjectAltName    alt names   alt names  DNS 1      BASE DOMAIN DNS 2    BASE DOMAIN EOF    The file name can be anything FILE NAME   BASE DOMAIN     Remove previous keys echo  Removing existing certs like  FILE NAME    chmod 770  FILE NAME   rm  FILE NAME    echo  Generating certs for  BASE DOMAIN     Generate our Private Key  CSR and Certificate   Use SHA-2 as SHA-1 is unsupported from Jan 1  2017  openssl req -new -x509 -newkey rsa 2048 -sha256 -nodes -keyout   FILE NAME key  -days  DAYS -out   FILE NAME crt  -passin pass  PASSPHRASE -config   CONFIG FILE     OPTIONAL - write an info to see the details of the generated crt openssl x509 -noout -fingerprint -text  lt    FILE NAME crt   gt    FILE NAME info     Protect the key chmod 400   FILE NAME key    This script also writes an information file  so you can inspect the new certificate and verify the SAN is set properly                                       28 dd b8 1e 34 b5 b1 44 1a 60 6d e3 3c 5a c4                  da 3d             Exponent  65537  0x10001      X509v3 extensions          X509v3 Subject Alternative Name               DNS   example com  DNS example com Signature Algorithm  sha256WithRSAEncryption      3b 35 5a d6 9e 92 4f fc f4 f4 87 78 cd c7 8d cd 8c cc             If you are using Apache  then you can reference the above certificate in your configuration file like so    lt VirtualHost  default  443 gt      ServerName example com     ServerAlias www example com     DocumentRoot  var www htdocs      SSLEngine on     SSLCertificateFile path to your example com crt     SSLCertificateKeyFile path to your example com key  lt  VirtualHost gt    Remember to restart your Apache  or Nginx  or IIS  server for the new certificate to take effect

User · Answer

One liner FTW  I like to keep it simple  Why not use one command that contains ALL the arguments needed  This is how I like it - this creates an x509 certificate and its PEM key   openssl req -x509    -nodes -days 365 -newkey rsa 4096    -keyout self key pem    -out self-x509 crt    -subj   C US ST WA L Seattle CN example com emailAddress someEmail gmail com    That single command contains all the answers you would normally provide for the certificate details   This way you can set the parameters and run the command  get your output - then go for coffee      More here  lt  lt

User · Answer

Generate keys      I am using  etc mysql for cert storage because  etc apparmor d usr sbin mysqld contains  etc mysql   pem r   sudo su - cd  etc mysql openssl genrsa -out ca-key pem 2048  openssl req -new -x509 -nodes -days 1000 -key ca-key pem -out ca-cert pem  openssl req -newkey rsa 2048 -days 1000 -nodes -keyout server-key pem -out server-req pem  openssl x509 -req -in server-req pem -days 1000 -CA ca-cert pem -CAkey ca-key pem -set serial 01 -out server-cert pem  openssl req -newkey rsa 2048 -days 1000 -nodes -keyout client-key pem -out client-req pem  openssl x509 -req -in client-req pem -days 1000 -CA ca-cert pem -CAkey ca-key pem -set serial 01 -out client-cert pem        Add configuration       etc mysql my cnf   client  ssl-ca  etc mysql ca-cert pem ssl-cert  etc mysql client-cert pem ssl-key  etc mysql client-key pem   mysqld  ssl-ca  etc mysql ca-cert pem ssl-cert  etc mysql server-cert pem ssl-key  etc mysql server-key pem    On my setup  Ubuntu server logged to   var log mysql error log  Follow up notes    SSL error  Unable to get certificate from        MySQL might be denied read access to your certificate file if it is not in apparmors configuration  As mentioned in the previous steps   save all our certificates as  pem files in the  etc mysql  directory which is approved by default by apparmor  or modify your apparmor SELinux to allow access to wherever you stored them   SSL error  Unable to get private key  Your MySQL server version may not support the default rsa 2048 format  Convert generated rsa 2048 to plain rsa with   openssl rsa -in server-key pem -out server-key pem openssl rsa -in client-key pem -out client-key pem  Check if local server supports SSL    mysql -u root -p mysql gt  show variables like   ssl     --------------- ----------------------------    Variable name   Value                         --------------- ----------------------------    have openssl    YES                            have ssl        YES                            ssl ca           etc mysql ca-cert pem         ssl capath                                     ssl cert         etc mysql server-cert pem     ssl cipher                                     ssl key          etc mysql server-key pem     --------------- ----------------------------    Verifying a connection to the database is SSL encrypted      Verifying connection      When logged in to the MySQL instance  you can issue the query   show status like  Ssl cipher         If your connection is not encrypted  the result will be blank   mysql gt  show status like  Ssl cipher    --------------- -------    Variable name   Value    --------------- -------    Ssl cipher               --------------- -------  1 row in set  0 00 sec        Otherwise  it would show a non-zero length string for the cypher in use   mysql gt  show status like  Ssl cipher    --------------- --------------------    Variable name   Value                 --------------- --------------------    Ssl cipher      DHE-RSA-AES256-SHA    --------------- --------------------  1 row in set  0 00 sec    Require ssl for specific user s connection   require ssl           SSL         Tells the server to permit only SSL-encrypted connections for the account   GRANT ALL PRIVILEGES ON test   TO  root   localhost    REQUIRE SSL        To connect  the client must specify the --ssl-ca option to authenticate the server certificate  and may additionally specify the --ssl-key and --ssl-cert options  If neither --ssl-ca option nor --ssl-capath option is specified  the client does not authenticate the server certificate       Alternate link  Lengthy tutorial in Secure PHP Connections to MySQL with SSL

User · Answer

I can t comment so I add a separate answer  I tried to create a self-signed certificate for NGINX and it was easy  but when I wanted to add it to Chrome white list I had a problem  And my solution was to create a Root certificate and signed a child certificate by it  So step by step  Create file config ssl ca cnf Notice  config file has an option basicConstraints CA true which means that this certificate is supposed to be root   This is a good practice  because you create it once and can reuse     req   default bits   2048  prompt   no distinguished name req distinguished name req extensions   v3 req    req distinguished name   countryName UA stateOrProvinceName root region localityName root city organizationName Market localhost  organizationalUnitName roote department commonName market localhost emailAddress root email root localhost    alternate names   DNS 1          market localhost DNS 2          www market localhost DNS 3          mail market localhost DNS 4          ftp market localhost DNS 5            market localhost    v3 req   keyUsage digitalSignature basicConstraints CA true subjectKeyIdentifier   hash subjectAltName    alternate names  Next config file for your child certificate will be call config ssl cnf    req   default bits   2048  prompt   no distinguished name req distinguished name req extensions   v3 req    req distinguished name   countryName UA stateOrProvinceName Kyiv region localityName Kyiv organizationName market place organizationalUnitName market place department commonName market localhost emailAddress email market localhost    alternate names   DNS 1          market localhost DNS 2          www market localhost DNS 3          mail market localhost DNS 4          ftp market localhost DNS 5            market localhost    v3 req   keyUsage digitalSignature basicConstraints CA false subjectAltName    alternate names subjectKeyIdentifier   hash  The first step - create Root key and certificate openssl genrsa -out ca key 2048 openssl req -new -x509 -key ca key -out ca crt -days 365 -config config ssl ca cnf  The second step creates child key and file CSR - Certificate Signing Request  Because the idea is to sign the child certificate by root and get a correct certificate openssl genrsa -out market key 2048 openssl req -new -sha256 -key market key -config config ssl cnf -out market csr  Open Linux terminal and do this command echo 00  gt  ca srl touch index txt  The ca srl text file containing the next serial number to use in hex  Mandatory   This file must be present and contain a valid serial number  Last Step  crate one more config file and call it config ca cnf   we use  ca  as the default section because we re usign the ca command   ca   default ca   my ca    my ca      a text file containing the next serial number to use in hex  Mandatory     This file must be present and contain a valid serial number  serial     ca srl    the text database file to use  Mandatory  This file must be present though   initially it will be empty  database     index txt    specifies the directory where new certificates will be placed  Mandatory  new certs dir         the file containing the CA certificate  Mandatory certificate     ca crt    the file contaning the CA private key  Mandatory private key     ca key    the message digest algorithm  Remember to not use MD5 default md   sha256    for how many days will the signed certificate be valid default days   365    a section with a set of variables corresponding to DN fields policy   my policy    MOST IMPORTANT PART OF THIS CONFIG copy extensions   copy    my policy     if the value is  quot match quot  then the field value must match the same field in the   CA certificate  If the value is  quot supplied quot  then it must be present    Optional means it may be present  Any fields not mentioned are silently   deleted  countryName   match stateOrProvinceName   supplied organizationName   supplied commonName   market localhost organizationalUnitName   optional commonName   supplied  You may ask  why so difficult  why we must create one more config to sign child certificate by root  The answer is simple because child certificate must have a SAN block - Subject Alternative Names  If we sign the child certificate by  quot openssl x509 quot  utils  the Root certificate will delete the SAN field in child certificate  So we use  quot openssl ca quot  instead of  quot openssl x509 quot  to avoid the deleting of the SAN field  We create a new config file and tell it to copy all extended fields copy extensions   copy  openssl ca -config config ca cnf -out market crt -in market csr  The program asks you 2 questions   Sign the certificate  Say  quot Y quot  1 out of 1 certificate requests certified  commit  Say  quot Y quot   In terminal you can see a sentence with the word  quot Database quot   it means file index txt which you create by the command  quot touch quot   It will contain all information by all certificates you create by  quot openssl ca quot  util  To check the certificate valid use  openssl rsa -in market key -check  If you want to see what inside in CRT  openssl x509 -in market crt -text -noout  If you want to see what inside in CSR  openssl req -in market csr -noout -text

User · Answer

You have the general procedure correct  The syntax for the command is below   openssl req -new -key  private key file  -out  output file    However  the warnings are displayed  because the browser was not able to verify the identify by validating the certificate with a known Certificate Authority  CA     As this is a self-signed certificate there is no CA and you can safely ignore the warning and proceed  Should you want to get a real certificate that will be recognizable by anyone on the public Internet then the procedure is below    Generate a private key Use that private key to create a CSR file Submit CSR to CA  Verisign or others  etc   Install received cert from CA on web server Add other certs to authentication chain depending on the type cert   I have more details about this in a post at Securing the Connection  Creating a Security Certificate with OpenSSL

User · Answer

Am I missing something  Is this the correct way to build a self-signed certificate    It s easy to create a self-signed certificate  You just use the openssl req command  It can be tricky to create one that can be consumed by the largest selection of clients  like browsers and command line tools   It s difficult because the browsers have their own set of requirements  and they are more restrictive than the IETF  The requirements used by browsers are documented at the CA Browser Forums  see references below   The restrictions arise in two key areas   1  trust anchors  and  2  DNS names   Modern browsers  like the warez we re using in 2014 2015  want a certificate that chains back to a trust anchor  and they want DNS names to be presented in particular ways in the certificate  And browsers are actively moving against self-signed server certificates   Some browsers don t exactly make it easy to import a self-signed server certificate  In fact  you can t with some browsers  like Android s browser  So the complete solution is to become your own authority   In the absence of becoming your own authority  you have to get the DNS names right to give the certificate the greatest chance of success  But I would encourage you to become your own authority  It s easy to become your own authority  and it will sidestep all the trust issues  who better to trust than yourself          This is probably not the site you are looking for    The site s security certificate is not trusted    This is because browsers use a predefined list of trust anchors to validate server certificates  A self-signed certificate does not chain back to a trusted anchor   The best way to avoid this is    Create your own authority  i e   become a CA  Create a certificate signing request  CSR  for the server Sign the server s CSR with your CA key Install the server certificate on the server Install the CA certificate on the client   Step 1 - Create your own authority just means to create a self-signed certificate with CA  true and proper key usage  That means the Subject and Issuer are the same entity  CA is set to true in Basic Constraints  it should also be marked as critical   key usage is keyCertSign and crlSign  if you are using CRLs   and the Subject Key Identifier  SKI  is the same as the Authority Key Identifier  AKI    To become your own certificate authority  see  How do you sign a certificate signing request with your certification authority  on Stack Overflow  Then  import your CA into the Trust Store used by the browser   Steps 2 - 4 are roughly what you do now for a public facing server when you enlist the services of a CA like Startcom or CAcert  Steps 1 and 5 allows you to avoid the third-party authority  and act as your own authority  who better to trust than yourself     The next best way to avoid the browser warning is to trust the server s certificate  But some browsers  like Android s default browser  do not let you do it  So it will never work on the platform   The issue of browsers  and other similar user agents  not trusting self-signed certificates is going to be a big problem in the Internet of Things  IoT   For example  what is going to happen when you connect to your thermostat or refrigerator to program it  The answer is  nothing good as far as the user experience is concerned   The W3C s WebAppSec Working Group is starting to look at the issue   See  for example  Proposal  Marking HTTP As Non-Secure        How to create a self-signed certificate with OpenSSL   The commands below and the configuration file create a self-signed certificate  it also shows you how to create a signing request   They differ from other answers in one respect  the DNS names used for the self signed certificate are in the Subject Alternate Name  SAN   and not the Common Name  CN    The DNS names are placed in the SAN through the configuration file with the line subjectAltName    alternate names  there s no way to do it through the command line   Then there s an alternate names section in the configuration file  you should tune this to suit your taste      alternate names    DNS 1         example com DNS 2         www example com DNS 3         mail example com DNS 4         ftp example com    Add these if you need them  But usually you don t want them or     need them in production  You may need them for development    DNS 5         localhost   DNS 6         localhost localdomain   IP 1          127 0 0 1   IP 2            1   It s important to put DNS name in the SAN and not the CN  because both the IETF and the CA Browser Forums specify the practice  They also specify that DNS names in the CN are deprecated  but not prohibited   If you put a DNS name in the CN  then it must be included in the SAN under the CA B policies  So you can t avoid using the Subject Alternate Name   If you don t do put DNS names in the SAN  then the certificate will fail to validate under a browser and other user agents which follow the CA Browser Forum guidelines   Related  browsers follow the CA Browser Forum policies  and not the IETF policies  That s one of the reasons a certificate created with OpenSSL  which generally follows the IETF  sometimes does not validate under a browser  browsers follow the CA B   They are different standards  they have different issuing policies and different validation requirements     Create a self signed certificate  notice the addition of -x509 option    openssl req -config example-com conf -new -x509 -sha256 -newkey rsa 2048 -nodes       -keyout example-com key pem -days 365 -out example-com cert pem   Create a signing request  notice the lack of -x509 option    openssl req -config example-com conf -new -sha256 -newkey rsa 2048 -nodes       -keyout example-com key pem -days 365 -out example-com req pem   Print a self-signed certificate   openssl x509 -in example-com cert pem -text -noout   Print a signing request   openssl req -in example-com req pem -text -noout   Configuration file  passed via -config option     req   default bits          2048 default keyfile       server-key pem distinguished name    subject req extensions        req ext x509 extensions       x509 ext string mask           utf8only    The Subject DN can be formed using X501 or RFC 4514  see RFC 4519 for a description       Its sort of a mashup  For example  RFC 4514 does not provide emailAddress    subject   countryName           Country Name  2 letter code  countryName default       US  stateOrProvinceName       State or Province Name  full name  stateOrProvinceName default   NY  localityName              Locality Name  eg  city  localityName default          New York  organizationName           Organization Name  eg  company  organizationName default      Example  LLC    Use a friendly name here because it s presented to the user  The server s DNS     names are placed in Subject Alternate Names  Plus  DNS names here is deprecated     by both IETF and CA Browser Forums  If you place a DNS name here  then you     must include the DNS name in the SAN too  otherwise  Chrome and others that     strictly follow the CA Browser Baseline Requirements will fail   commonName            Common Name  e g  server FQDN or YOUR name  commonName default        Example Company  emailAddress              Email Address emailAddress default          test example com    Section x509 ext is used when generating a self-signed certificate  I e   openssl req -x509       x509 ext    subjectKeyIdentifier          hash authorityKeyIdentifier      keyid issuer    You only need digitalSignature below   If  you don t allow     RSA Key transport  i e   you use ephemeral cipher suites   then     omit keyEncipherment because that s key transport  basicConstraints          CA FALSE keyUsage              digitalSignature  keyEncipherment subjectAltName             alternate names nsComment              OpenSSL Generated Certificate     RFC 5280  Section 4 2 1 12 makes EKU optional     CA Browser Baseline Requirements  Appendix  B  3  G  makes me confused     In either case  you probably only need serverAuth    extendedKeyUsage      serverAuth  clientAuth    Section req ext is used when generating a certificate signing request  I e   openssl req       req ext    subjectKeyIdentifier          hash  basicConstraints          CA FALSE keyUsage              digitalSignature  keyEncipherment subjectAltName             alternate names nsComment              OpenSSL Generated Certificate     RFC 5280  Section 4 2 1 12 makes EKU optional     CA Browser Baseline Requirements  Appendix  B  3  G  makes me confused     In either case  you probably only need serverAuth    extendedKeyUsage      serverAuth  clientAuth    alternate names    DNS 1         example com DNS 2         www example com DNS 3         mail example com DNS 4         ftp example com    Add these if you need them  But usually you don t want them or     need them in production  You may need them for development    DNS 5         localhost   DNS 6         localhost localdomain   DNS 7         127 0 0 1    IPv6 localhost   DNS 8         1   You may need to do the following for Chrome  Otherwise Chrome may complain a Common Name is invalid  ERR CERT COMMON NAME INVALID   I m not sure what the relationship is between an IP address in the SAN and a CN in this instance     IPv4 localhost   IP 1         127 0 0 1    IPv6 localhost   IP 2         1     There are other rules concerning the handling of DNS names in X 509 PKIX certificates  Refer to these documents for the rules    RFC 5280  Internet X 509 Public Key Infrastructure Certificate and Certificate Revocation List  CRL  Profile RFC 6125  Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X 509  PKIX  Certificates in the Context of Transport Layer Security  TLS  RFC 6797  Appendix A  HTTP Strict Transport Security  HSTS  RFC 7469  Public Key Pinning Extension for HTTP CA Browser Forum Baseline Requirements CA Browser Forum Extended Validation Guidelines   RFC 6797 and RFC 7469 are listed  because they are more restrictive than the other RFCs and CA B documents  RFCs 6797 and 7469 do not allow an IP address  either

User · Answer

I can t comment  so I will put this as a separate answer  I found a few issues with the accepted one-liner answer    The one-liner includes a passphrase in the key  The one-liner uses SHA-1 which in many browsers throws warnings in console    Here is a simplified version that removes the passphrase  ups the security to suppress warnings and includes a suggestion in comments to pass in -subj to remove the full question list   openssl genrsa -out server key 2048 openssl rsa -in server key -out server key openssl req -sha256 -new -key server key -out server csr -subj   CN localhost  openssl x509 -req -sha256 -days 365 -in server csr -signkey server key -out server crt   Replace  localhost  with whatever domain you require   You will need to run the first two commands one by one as OpenSSL will prompt for a passphrase   To combine the two into a  pem file   cat server crt server key  gt  cert pem

User · Answer

Here are the options described in  diegows s answer  described in more detail  from the documentation   openssl req -x509 -newkey rsa 2048 -keyout key pem -out cert pem -days XXX    req       PKCS 10 certificate request and certificate generating utility   -x509       this option outputs a self signed certificate instead of a certificate request    This is typically used to generate a test certificate or a self signed root CA   -newkey arg       this option creates a new certificate request and a new private key  The argument   takes one of several forms  rsa nbits  where nbits is the number of bits    generates an RSA key nbits in size   -keyout filename       this gives the filename to write the newly created private key to   -out filename       This specifies the output filename to write to or standard output by default   -days n       when the -x509 option is being used this specifies the number of days to certify   the certificate for  The default is 30 days   -nodes       if this option is specified then if a private key is created it will not be encrypted    The documentation is actually more detailed than the above  I just summarized it here

User · Answer

this worked for me openssl req -x509 -nodes -subj   CN localhost   -newkey rsa 4096 -keyout   sslcert key pem -out   sslcert cert pem -days 365  server js var fs   require  fs    var path   require  path    var http   require  http    var https   require  https    var compression   require  compression    var express   require  express    var app   express     app use compression     app use express static   dirname     www          app get       function req res      res sendFile path join   dirname   www index html             your express configuration here  var httpServer   http createServer app   var credentials         key  fs readFileSync    sslcert key pem    utf8        cert  fs readFileSync    sslcert cert pem    utf8      var httpsServer   https createServer credentials  app    httpServer listen 8080   httpsServer listen 8443    console log  RUNNING ON  http   127 0 0 1 8080    console log  RUNNING ON  http   127 0 0 1 8443

User · Answer

As of 2021  the following command serves all your needs  including SAN  openssl req -x509 -newkey rsa 4096 -sha256 -days 3650 -nodes     -keyout example key -out example crt -extensions san -config      lt  echo  quot  req  quot        echo distinguished name req       echo  quot  san  quot        echo subjectAltName DNS example com DNS www example net IP 10 0 0 1           -subj  quot  CN example com quot   In OpenSSL   1 1 1  this can be shortened to  openssl req -x509 -newkey rsa 4096 -sha256 -days 3650 -nodes     -keyout example key -out example crt -subj  quot  CN example com quot      -addext  quot subjectAltName DNS example com DNS www example net IP 10 0 0 1 quot   It creates a certificate that is  valid for the  sub domains example com and www example net  SAN   also valid for the IP address 10 0 0 1  SAN   relatively strong  as of 2021  and valid for 3650 days   10 years    It creates the following files   Private key  example key Certificate  example crt  All information is provided at the command line  There is no interactive input that annoys you  There are no config files you have to mess around with  All necessary steps are executed by a single OpenSSL invocation  from private key generation up to the self-signed certificate  Remark  1  Crypto parameters Since the certificate is self-signed and needs to be accepted by users manually  it doesn t make sense to use a short expiration or weak cryptography  In the future  you might want to use more than 4096 bits for the RSA key and a hash algorithm stronger than sha256  but as of 2021 these are sane values  They are sufficiently strong while being supported by all modern browsers  Remark  2  Parameter  quot -nodes quot  Theoretically you could leave out the -nodes parameter  which means  quot no DES encryption quot    in which case example key would be encrypted with a password  However  this is almost never useful for a server installation  because you would either have to store the password on the server as well  or you d have to enter it manually on each reboot  Remark  3  See also  Provide subjectAltName to openssl directly on command line How to add multiple email adresses to an SSL certificate via the command line  More information about MSYS NO PATHCONV

[ssl] How to create a self-signed certificate with OpenSSL

Examples related to ssl

Examples related to openssl

Examples related to certificate

Examples related to ssl-certificate

Examples related to x509certificate