First and foremost, one should understand that self-signed certificates:
- are created and signed by their own creator rather than a trusted third-party certificate authority (CA).
- do not have a chain of trust linking them to a trusted root certificate authority (CA).
- are standalone certificates that rely solely on the trust placed in them by the entity using them.
In other words, the entity creating the certificate acts as both the issuer and the subject of the certificate.
Now, to generate a self-signed certificate with OpenSSL you should:
1) Generate a private key:
openssl genpkey -algorithm RSA -out private.key
2) Generate a certificate request:
openssl req -new -key private.key -out csr.pem
You'll be prompted to enter information (that will be incorporated into your certificate request) such as:
Country Name (2 letter code), Organization Name (eg, company), Common Name (e.g. server FQDN or YOUR name), Issuer.
After successfully running the previous commands, you should have two files: a private key and a certificate signing request.
3) Generate the self-signed PEM certificate (valid for 365 days) using the private key and the CSR:
openssl x509 -req -days 365 -in csr.pem -signkey private.key -out certificate.pem
Now you should have the certificate.pem file, which represents the generated PEM certificate. That was it. For a short introduction to OpenSSL and its capabilities, check OpenSSL a swiss army knife - part1.
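The three steps above as one non-interactive script, added here as an example (it is not from the original post). It also checks that issuer and subject are the same name and that private.key carries the same public key as the certificate. The subject string and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names follow the steps above; the subject string and
# the function names are constructed for illustration.

# Steps 1-3 without prompts. $1 = output directory, $2 = subject (-subj format)
make_self_signed() {
  # umask 077 in a subshell: the private key is created owner-readable only
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$1/private.key" ) &&
  openssl req -new -key "$1/private.key" -subj "$2" -out "$1/csr.pem" &&
  openssl x509 -req -days 365 -in "$1/csr.pem" \
    -signkey "$1/private.key" -out "$1/certificate.pem"
}

# Self-signed: issuer name equals subject name, and the signature verifies
# when the certificate is used as its own trust anchor. $1 = certificate
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Key/certificate match: both must yield the same public key (PEM compared).
# $1 = private key, $2 = certificate
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Demo run in a throwaway directory
dir=$(mktemp -d)
make_self_signed "$dir" "/C=US/O=Example Org/CN=test.example.internal"
is_self_signed "$dir/certificate.pem" && echo "issuer == subject, signature OK"
key_matches_cert "$dir/private.key" "$dir/certificate.pem" &&
  echo "private.key matches certificate.pem"
rm -rf "$dir"
```

Because the certificate has no chain to a trusted root, clients only accept it after it has been explicitly added to their trust store.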
Bonus: If you're interested in how to check if a private key matches the corresponding public key used in a certificate