A self-signed certificate is a security certificate that is not signed by a certificate authority (CA). These certificates are easy to create and cost nothing. Self-signed SSL certificates are mainly used for non-production applications and other experiments.
In this article, we will cover 2 ways to create a self-signed certificate.
Is a self-signed certificate safe?
A self-signed certificate does not carry the validation of a trusted third party. This lack of independent validation in the issuance process creates additional risk, which is why self-signed certificates are considered unsafe for public-facing websites and applications.
Create a self-signed certificate with a CSR and a private key
We can run the following commands to create a self-signed certificate:
- Creating a Private Key: openssl genrsa -des3 -out domain.key 2048
- Creating a Certificate Signing Request: openssl req -key domain.key -new -out domain.csr
- Creating a Self-Signed Certificate: openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt
Generate a self-signed certificate with a private key in one command
We can also run the following OpenSSL command to generate the private key and the public certificate together. With this command, we don't need a CSR file.
Answer the questions and enter the Common Name when prompted.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
- openssl – invokes the OpenSSL command-line tool
- req – indicates that we want a CSR (combined with -x509 below, a certificate is written instead)
- -newkey – generate a new private key and a new request in one step (this implies -new)
- rsa:2048 – generate a 2048-bit RSA key
- -nodes – no DES, meaning do not encrypt the private key that is written out
- -keyout – the file the private key is written to
- -out – specifies the name of the file our certificate will be saved as
- -x509 – output a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA.
- -days – the number of days the certificate is valid for. The default is 30 days.
Enter the self-signed certificate information
Enter our information in the fields as follows:
- Country Name – use a 2-letter country code (US for the United States)
- State – the state in which the domain owner is incorporated
- Locality – the city in which the domain owner is incorporated
- Organization name – the legal entity that owns the domain
- Organizational unit name – the name of the department or group in our organization that deals with certificates
- Common name – typically the fully qualified domain name (FQDN), i.e. what the users type in a web browser to navigate to our website
- Email address – the webmaster’s email address
Review the self-signed certificate
openssl x509 -text -noout -in certificate.pem
    Version: 1 (0x0)
    Serial Number: 13596678379411212977 (0xbcb11af2a20a0ab1)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=CN, ST=sd, L=jn, O=jn, OU=jn, CN=jn
    Not Before: Aug 7 13:53:21 2021 GMT
    Not After : Aug 7 13:53:21 2022 GMT
    Subject: C=CN, ST=sd, L=jn, O=jn, OU=jn, CN=jn
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
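The following script is an added example, not part of the original article. It runs the article's one-command form non-interactively (the -subj value answers the prompts listed above, and -addext adds a subjectAltName, which browsers match instead of the Common Name) and then performs the review step as checks rather than by eye: it confirms the certificate is really self-signed (issuer equals subject and the signature verifies against its own key), that it has not expired, and that the private key on disk belongs to it. The host name, DN values and working directory are constructed placeholders, and -addext assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original article: create the one-command
# self-signed certificate without interactive prompts, then review it.
# Assumes OpenSSL 1.1.1 or newer (for -addext). Host name and DN values
# are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CERT="$WORKDIR/certificate.pem"
KEY="$WORKDIR/key.pem"

# Same command as the article, with -subj answering the prompts and -addext
# adding a subjectAltName, which browsers match instead of the Common Name.
gen_self_signed() {
    name="$1"
    openssl req -newkey rsa:2048 -nodes -keyout "$KEY" -x509 -days 365 -out "$CERT" \
        -subj "/C=US/ST=Example/L=Example/O=Example Lab/OU=IT/CN=$name" \
        -addext "subjectAltName=DNS:$name" 2>/dev/null
    chmod 600 "$KEY"   # -nodes leaves the key unencrypted, so restrict who can read it
}

# Print the fields worth checking: subject, issuer, validity window,
# SHA-256 fingerprint (what a client can pin), and the SAN if present.
review_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        || echo "no subjectAltName (browsers will reject this certificate)"
}

# A certificate is self-signed when issuer equals subject and the signature
# verifies with the certificate's own public key as the only trust anchor.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeeds if the certificate stays valid for at least $2 more seconds.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Confirm the private key on disk belongs to the certificate: both sides
# must yield the same PEM public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

gen_self_signed test.example.internal
review_cert "$CERT"
is_self_signed "$CERT" && echo "self-signed: yes"
```

The fingerprint printed by review_cert is the value to hand to any client that must trust this certificate explicitly; because there is no CA chain, pinning the fingerprint (or the certificate file itself) is the only way a client can distinguish this certificate from any other self-signed one with the same name.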
Risks of self-signed certificates
If the corporate network is breached, there is no way of knowing whether a self-signed certificate (and its private key) has been compromised. Compromised self-signed certificates pose many security challenges, since attackers can spoof the identity of the victim. Unlike CA-issued certificates, self-signed certificates cannot be revoked. The inability to quickly find and revoke the private key associated with a self-signed certificate creates serious risk.
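Because a self-signed certificate cannot be revoked, the practical mitigation is to know where they are so they can be replaced when a key is suspected compromised or when they near expiry. The script below is an added example, not part of the original article: it inventories the PEM certificates under a directory and labels each one self-signed or CA-issued, with an expiry warning. The certificates it examines are constructed fixtures (a lab root CA, one leaf the CA issues, and one stand-alone self-signed certificate as in the article); the names and directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: inventory the PEM certificates
# under a directory and flag the self-signed ones, since no CA can revoke them
# if their key leaks; they have to be found and replaced by hand.
# The certificates built below are constructed fixtures with placeholder names.
set -eu

LAB="${LAB:-$(mktemp -d)}"

build_fixtures() {
    # stand-alone self-signed certificate, as in the article
    openssl req -newkey rsa:2048 -nodes -keyout "$LAB/standalone.key" -x509 -days 365 \
        -out "$LAB/standalone.pem" -subj "/CN=standalone.example.internal" 2>/dev/null
    # lab root CA (also self-signed, as every root is)
    openssl req -newkey rsa:2048 -nodes -keyout "$LAB/ca.key" -x509 -days 365 \
        -out "$LAB/ca.pem" -subj "/CN=Example Lab Root CA" 2>/dev/null
    # leaf certificate: a CSR signed by the lab CA, so issuer differs from subject
    openssl req -newkey rsa:2048 -nodes -keyout "$LAB/leaf.key" \
        -out "$LAB/leaf.csr" -subj "/CN=app.example.internal" 2>/dev/null
    openssl x509 -req -in "$LAB/leaf.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
        -CAcreateserial -days 30 -out "$LAB/leaf.pem" 2>/dev/null
}

# Classify one certificate. Prints "<file> <self-signed|ca-issued> <expiry>".
classify_cert() {
    f="$1"
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
    # self-signed: issuer equals subject and the cert verifies against itself
    if [ "$subj" = "$iss" ] && openssl verify -CAfile "$f" "$f" >/dev/null 2>&1; then
        kind=self-signed
    else
        kind=ca-issued
    fi
    # -checkend fails when the certificate expires within the given seconds
    if openssl x509 -in "$f" -noout -checkend $((60 * 86400)) >/dev/null; then
        expiry=ok
    else
        expiry=expires-within-60d
    fi
    printf '%s %s %s\n' "$f" "$kind" "$expiry"
}

# Report on every .pem file directly under a directory.
inventory() {
    for f in "$1"/*.pem; do
        classify_cert "$f"
    done
}

# Number of self-signed certificates found, usable as an alerting threshold.
count_self_signed() {
    inventory "$1" | grep -c ' self-signed '
}

build_fixtures
inventory "$LAB"
```

Note that the lab root CA is itself reported as self-signed, which is correct: every root is. An inventory like this is therefore a starting list to reconcile against the CAs the organisation actually operates; anything left over is an unmanaged self-signed certificate whose only remediation on key compromise is replacement.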