Create Your Own Private SSL/TLS Certificates
If you just need a self-signed certificate and its private key (no separate certificate authority), then you can use:

```
openssl req \
    -newkey rsa:2048 \
    -nodes -keyout private.pem \
    -x509 \
    -days 365 \
    -out site.crt
```
Certificate Authority Method
If you also need to act as the certificate authority that signs the certificate, follow these steps.

Create a private key for your certificate authority:

```
openssl genrsa -des3 -out ca.pem 2048
```
Now create the public certificate for that certificate authority. This may be referred to as the "root certificate".
```
openssl req \
    -x509 \
    -new \
    -nodes \
    -key ca.pem \
    -sha256 \
    -days 1825 \
    -out ca.crt
```
Now create a private key for your site:

```
openssl genrsa -out my.domain.com.pem 2048
```
Now we need to create a "certificate signing request" to "give" to our CA to sign:
```
openssl req \
    -new \
    -key my.domain.com.pem \
    -out certificate-request.csr
```
Now we hand that over to the certificate authority (which is ourselves), and they use it to create a public certificate for the site (which we hand back to ourselves).
However, first they (us) need to create a configuration file (configuration.ext, referenced by the signing command below), which tweaks the data within the generated certificate to state things like what the certificate can be used for.
Fill it with the following, changing the DNS.1 value to whatever your site FQDN is:

```
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = my.domain.com
```
Now that we have all of these files, we can finally use them to create the site certificate file:

```
openssl x509 \
    -req \
    -in certificate-request.csr \
    -CA ca.crt \
    -CAkey ca.pem \
    -CAcreateserial \
    -out my.domain.com.crt \
    -days 365 \
    -sha256 \
    -extfile configuration.ext
```
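The whole CA procedure above, run non-interactively in a scratch directory and followed by the checks worth doing before deploying the files (the site certificate chains to ca.crt, it carries the expected SAN, and it is not itself a CA). This is an added example, not code from the original post; it assumes openssl is on PATH, and the FQDN and CA passphrase are constructed values.

```shell
#!/bin/sh
# Added example: the CA workflow from the post, scripted and verified.
# Assumes openssl on PATH. FQDN and passphrase are constructed placeholders.
set -eu

FQDN="my.domain.com"
CA_PASS="pass:example-ca-passphrase"   # constructed; use a real secret

make_private_ca() {
    work=$(mktemp -d)
    cd "$work"

    # CA private key (encrypted, as in the post) and self-signed root cert.
    openssl genrsa -des3 -passout "$CA_PASS" -out ca.pem 2048 2>/dev/null
    openssl req -x509 -new -key ca.pem -passin "$CA_PASS" -sha256 -days 1825 \
        -subj "/CN=Example Private Root CA" -out ca.crt

    # Site private key and certificate signing request.
    openssl genrsa -out "$FQDN.pem" 2048 2>/dev/null
    openssl req -new -key "$FQDN.pem" -subj "/CN=$FQDN" -out certificate-request.csr

    # Extension file: leaf (not a CA), TLS-style key usage, SAN for the FQDN.
    cat > configuration.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $FQDN
EOF

    # The CA signs the CSR, producing the site certificate.
    openssl x509 -req -in certificate-request.csr -CA ca.crt -CAkey ca.pem \
        -passin "$CA_PASS" -CAcreateserial -days 365 -sha256 \
        -extfile configuration.ext -out "$FQDN.crt" 2>/dev/null

    echo "$work"
}

# Returns 0 only if the site cert chains to the CA, names the FQDN in its
# SAN, is marked CA:FALSE, and the roles cannot be swapped (the site cert
# is not a trust anchor for the CA cert).
check_site_cert() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/$FQDN.crt" >/dev/null || return 1
    openssl x509 -in "$dir/$FQDN.crt" -noout -text | grep -q "DNS:$FQDN" || return 1
    openssl x509 -in "$dir/$FQDN.crt" -noout -text | grep -q "CA:FALSE" || return 1
    ! openssl verify -CAfile "$dir/$FQDN.crt" "$dir/ca.crt" >/dev/null 2>&1
}
```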
Now you have all of your certificates. If you use Apache, you will need the three files:
- ca.crt - the certificate authority's public certificate.
- site.crt - the public certificate for our site (my.domain.com.crt in the commands above).
- site.pem - the private key for our site (my.domain.com.pem in the commands above).
If you are using Nginx, you need to bundle the ca.crt and site.crt files together:
```
cat my.domain.com.crt > bundle.crt
cat ca.crt >> bundle.crt
```
... so then you only need:
- site.pem - your site's private key file
- bundle.crt - a single public certificate file representing your site and the certificate authority.
- deliciousbrains.com - How to Create Your Own SSL Certificate Authority for Local HTTPS Development
- IBM.com - Generating a self-signed certificate using OpenSSL
First published: 12th August 2021