Self-signed certificates are convenient when developing locally. Of course, these should not be used in production environments. If you are running a public site, it's recommended to use a commercial certificate recognized by browsers. "Let's Encrypt" has revolutionized the certificate ecosystem, and you can easily use and deploy its certificates on public-facing websites.
For experimentation and testing, self-signed certificates are the easiest approach. The steps to get a self-signed certificate are given below:
- Install openssl
# apt-get install openssl
- Generate a private RSA key. You can generate your private key with or without a passphrase to protect it. You only need to choose one of these options. This will generate a 2048-bit RSA private key.
# Generate 2048 bit RSA private key (no passphrase)
# openssl genrsa -out private_key.pem 2048
# To add a passphrase when generating the private key
# include a cipher flag like -aes256
# openssl genrsa -aes256 -out private_key.pem 2048
- Generate a certificate signing request (CSR) with the key. Using the private key generated in the previous step, we need to create a certificate signing request.
# Generate certificate signing request (CSR)
# openssl req -new -key private_key.pem -out sign_req.csr
- Sign the certificate signing request with the key. The last step in the process is to sign the request using a private key. In this example we are signing the certificate request with the same key that was used to create it. That's why it earns the name "self-signed".
# Sign the certificate signing request
# openssl x509 -req -days 365 -in sign_req.csr -signkey private_key.pem -out certificate.pem
- View certificate details
# Review a certificate
# openssl x509 -text -noout -in certificate.pem
- Generate key and certificate in one go
# openssl req -newkey rsa:2048 -nodes -keyout private_key.pem -x509 -days 36500 -out certificate.pem
- Remove passphrase from private key
# If a private key has a passphrase, remove it.
# Will be prompted to enter the passphrase
# openssl rsa -in server.key -out server-nopassphrase.key
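
The script below is an added example, not part of the original steps. It runs the key, CSR and signing steps without prompts, then checks that the certificate carries the public half of the private key and that it really is self-signed. The subject `/CN=localhost`, the `-subj` option and the function names are assumptions made for the example; all files go into a temporary directory.

```shell
#!/bin/sh
# Added example: checks for the files produced by the steps above.
# /CN=localhost is a constructed subject; files are written to a temp dir.

# SHA-256 over the public key derived from a private key file.
key_pub_hash() { openssl pkey -in "$1" -pubout | openssl dgst -sha256; }

# SHA-256 over the public key embedded in a certificate.
cert_pub_hash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }

# Succeeds only if both files exist and the certificate carries the
# public half of the given private key.
key_matches_cert() {
    [ -s "$1" ] && [ -s "$2" ] &&
    [ "$(key_pub_hash "$1")" = "$(cert_pub_hash "$2")" ]
}

# Succeeds only if subject equals issuer and the signature verifies
# against the certificate's own public key.
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subject" = "$issuer" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Runs the key -> CSR -> sign steps without prompts, in directory $1.
make_selfsigned() {
    openssl genrsa -out "$1/private_key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/private_key.pem" -subj "/CN=localhost" \
        -out "$1/sign_req.csr" &&
    openssl x509 -req -days 365 -in "$1/sign_req.csr" \
        -signkey "$1/private_key.pem" -out "$1/certificate.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir" || return 1
    key_matches_cert "$dir/private_key.pem" "$dir/certificate.pem" &&
        echo "key matches certificate"
    is_self_signed "$dir/certificate.pem" && echo "certificate is self-signed"
    rm -rf "$dir"
}

demo
```

A key/certificate mismatch is a common reason a web server refuses to start after files are copied around, so `key_matches_cert` is worth running before deploying the pair.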