How to Generate Self-Signed Certificates

To generate a self-signed certificate, you can use the following command in your terminal.

openssl req -x509 -keyout key.pem -out cert.pem \
-newkey rsa:4096 \
-sha256 -nodes \
-days 365

This opens an interactive prompt for the certificate details, including the CN (Common Name), which is the FQDN (Fully Qualified Domain Name) of the host. The CN needs to match the hostname the certificate will be served under, otherwise TLS clients will not authenticate the host properly.

You can change the number of days the certificate is certified for by adjusting the -days parameter.

If you would like to protect the private key with a passphrase, remove the -nodes parameter; OpenSSL will then prompt for one when writing key.pem.

To generate a certificate without using interactive mode, you can instead use the -subj option along with the respective subject arguments. For example:

openssl req -x509 -keyout key.pem -out cert.pem \
-newkey rsa:4096 \
-sha256 -nodes \
-days 365 \
-subj "/C=US/ST=State/L=City/O=Organization/CN=example.com"

Here the /C argument (the Country) must be a two-character string, otherwise the command fails with an error. You can omit any of these arguments except CN, which is required.

To confirm that the certificate was generated with the correct subject attributes, you can use the following command to print out the certificate details to the terminal:

openssl x509 -in cert.pem -text
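The non-interactive generation and the subject check above, as an added example (not from the original post) that a deployment script could run before installing the certificate. It assumes OpenSSL 1.1.1 or newer on PATH for the -addext option, and places the hostname in a subjectAltName as well as the CN, because current browsers and TLS libraries check the SAN rather than the CN.

```shell
#!/bin/sh
# Added example: generate a self-signed certificate non-interactively, then
# verify its CN, that it is valid for the intended hostname, and its lifetime.
# Assumes OpenSSL 1.1.1+ (for -addext). Files are written to a temp directory.
set -eu

WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/selfsigned.XXXXXX")"

# gen_self_signed HOST DAYS [KEYBITS]: writes $WORKDIR/key.pem and $WORKDIR/cert.pem.
# HOST goes into the CN (as in the post) and into a DNS subjectAltName.
gen_self_signed() {
    host="$1"; days="$2"; bits="${3:-4096}"
    openssl req -x509 -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
        -newkey "rsa:$bits" -sha256 -nodes -days "$days" \
        -subj "/C=US/ST=State/L=City/O=Organization/CN=$host" \
        -addext "subjectAltName=DNS:$host"
}

# cert_cn CERT: print only the CN. RFC 2253 output looks like
# "subject=CN=example.com,O=Organization,...", so cut the CN value out of it.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_matches_host CERT HOST: succeed if the certificate is valid for HOST.
# -checkhost only prints "does match" / "does NOT match", so grep the verdict.
cert_matches_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" | grep -q 'does match'
}

# cert_valid_for_days CERT DAYS: succeed if the cert does not expire within DAYS days.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Demonstration: a 365-day certificate for example.com and the checks on it.
gen_self_signed example.com 365
cert_cn "$WORKDIR/cert.pem"                                   # example.com
cert_matches_host "$WORKDIR/cert.pem" example.com && echo "hostname OK"
cert_matches_host "$WORKDIR/cert.pem" other.example \
    && echo "unexpected match" || echo "other.example rejected, as expected"
cert_valid_for_days "$WORKDIR/cert.pem" 364 && echo "still valid in 364 days"
cert_valid_for_days "$WORKDIR/cert.pem" 366 || echo "expires before day 366, as requested"
```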

While you can self-sign a certificate, note that unless you trust it locally, most browsers will still warn that the connection is not secure because the certificate does not come from a trusted source. For most simple local development use cases that is not a problem. If you need a trusted SSL certificate, it is easiest to obtain a short-term certificate from Let's Encrypt and use that instead.

You can find more details about additional options for openssl req in the official documentation.