A self-signed certificate is a security certificate that is not signed by a certificate authority (CA) but by its own private key. These certificates are easy to make and cost nothing. Self-signed SSL certificates are mainly used for non-production applications or other experiments.
Is a self-signed certificate safe?
A self-signed certificate does not carry the validation of a trusted third party. This lack of independent validation in the issuance process creates additional risk, which is why self-signed certificates are considered unsafe for public-facing websites and applications.
Generate a private key and self-signed certificate
Run the following OpenSSL command to generate our private key and public certificate. Answer the questions and enter the Common Name when prompted.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl – invokes the OpenSSL command-line tool
req – the certificate request utility; on its own it produces a CSR, but combined with -x509 (below) it produces a self-signed certificate instead
-newkey – generate a new private key together with the request (implies -new)
rsa:2048 – the key type and size: a 2048-bit RSA key
-nodes – "no DES": write the private key unencrypted, without a passphrase
-keyout – the file the new private key is written to (key.pem here)
-out – the file the certificate is written to (certificate.pem here)
-x509 – output a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA.
-days – the number of days the certificate is valid for. The default is 30 days.
Enter the self-signed certificate information
Enter our information in the fields as follows:
Country Name – use a 2-letter country code (US for the United States)
State – the state in which the domain owner is incorporated
Locality – the city in which the domain owner is incorporated
Organization name – the legal entity that owns the domain
Organizational unit name – the name of the department or group in our organization that deals with certificates
Common name – typically the fully qualified domain name (FQDN), i.e. what users type into a web browser to navigate to our website
Email address – the webmaster’s email address
Review the self-signed certificate
openssl x509 -text -noout -in certificate.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13596678379411212977 (0xbcb11af2a20a0ab1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=sd, L=jn, O=jn, OU=jn, CN=jn
        Validity
            Not Before: Aug  7 13:53:21 2021 GMT
            Not After : Aug  7 13:53:21 2022 GMT
        Subject: C=CN, ST=sd, L=jn, O=jn, OU=jn, CN=jn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
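The generation and review steps above, as an added example that is not part of the original article: the same openssl req command run non-interactively, followed by the checks a reviewer applies to the result (issuer equals subject, chain validation against the system store versus an explicitly pinned anchor, and remaining lifetime). It assumes openssl 1.1.1 or newer on PATH, a scratch directory in WORKDIR, and the constructed host name lab.example.test.

```shell
#!/bin/sh
# Added example, not the article's own code. Assumes openssl >= 1.1.1 on PATH.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory for the files
CERT="$WORKDIR/certificate.pem"
KEY="$WORKDIR/key.pem"

# Non-interactive form of the article's command: -subj answers the prompts and
# -addext adds a subjectAltName, which browsers require in addition to the CN.
gen_self_signed() {
    openssl req -newkey rsa:2048 -nodes -keyout "$KEY" -x509 -days 365 -out "$CERT" \
        -subj "/C=US/ST=CA/L=SF/O=Example Lab/OU=IT/CN=$1" \
        -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# A certificate is self-signed when its issuer name equals its subject name.
# Prints "yes" or "no".
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$1" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] && echo yes || echo no
}

# Chain validation as a TLS client performs it. Against the system trust store
# the self-signed certificate is rejected; it passes only when the certificate
# itself is explicitly pinned as the trust anchor with -CAfile.
verify_default() { openssl verify "$1" >/dev/null 2>&1 && echo ok || echo fail; }
verify_pinned()  { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 && echo ok || echo fail; }

# Still valid for at least N more seconds? A self-signed certificate cannot be
# revoked, so its Not After date is the only built-in limit on a stolen key.
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1 && echo yes || echo no; }

gen_self_signed lab.example.test                          # constructed host name
echo "self-signed:        $(is_self_signed "$CERT")"      # yes
echo "system trust store: $(verify_default "$CERT")"      # fail
echo "pinned as anchor:   $(verify_pinned "$CERT")"       # ok
echo "valid 364 days:     $(valid_for "$CERT" 31449600)"  # yes
echo "valid 366 days:     $(valid_for "$CERT" 31622400)"  # no
```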
Risk of a self-signed certificate
If the corporate network is breached, there is no way of knowing whether a self-signed certificate (and its private key) has been compromised. Compromised self-signed certificates can pose many security challenges, since attackers can spoof the identity of the victim. Unlike CA-issued certificates, self-signed certificates cannot be revoked. The inability to quickly find and revoke the private key associated with a self-signed certificate creates serious risk.