Create self signed certificate with Openssl Command

Updated: Aug 27

A self-signed certificate is a security certificate that is not signed by a certificate authority (CA). These certificates are easy to make and cost nothing. Self-signed SSL certificates are mainly used for non-production applications or other experiments.


Is a self-signed certificate safe?

A self-signed certificate does not have the validation of a trusted third party. This lack of independent validation in the issuance process creates additional risk, which is why self-signed certificates are considered unsafe for public-facing websites and applications.


Generate a private key and self-signed certificate

Run the following OpenSSL command to generate our private key and public certificate. Answer the questions and enter the Common Name when prompted.


openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
  • openssl – invokes the OpenSSL command-line tool

  • req – the certificate request subcommand; combined with -x509 below it outputs a self-signed certificate instead of a CSR

  • -newkey – generate a new private key together with the request (implies -new)

  • rsa:2048 – make that key a 2048-bit RSA key

  • -nodes – no DES, meaning the private key is written out unencrypted (no passphrase)

  • -keyout – the file our new private key will be saved as (key.pem here)

  • -out – the file our certificate will be saved as (certificate.pem here)

  • -x509 – output a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA.

  • -days – the number of days the certificate is valid for. The default is 30 days.



Enter the self-signed certificate information

Enter our information in the fields as follows:


  • Country Name – use a 2-letter country code (US for the United States)

  • State – the state in which the domain owner is incorporated

  • Locality – the city in which the domain owner is incorporated

  • Organization name – the legal entity that owns the domain

  • Organizational unit name – the name of the department or group in our organization that deals with certificates

  • Common name – typically the fully qualified domain name (FQDN), i.e. what the users type in a web browser to navigate to our website

  • Email address – the webmaster’s email address




Review the self-signed certificate

openssl x509 -text -noout -in certificate.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13596678379411212977 (0xbcb11af2a20a0ab1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=sd, L=jn, O=jn, OU=jn, CN=jn
        Validity
            Not Before: Aug  7 13:53:21 2021 GMT
            Not After : Aug  7 13:53:21 2022 GMT
        Subject: C=CN, ST=sd, L=jn, O=jn, OU=jn, CN=jn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
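
The three steps above (generate, fill in the subject fields, review) as one non-interactive script. This is an added example, not part of the original post: -subj supplies the fields the interactive run prompts for, -addext adds a subjectAltName (which browsers check in addition to the Common Name), and the review step confirms the result is really self-signed (Issuer equals Subject) and that key.pem belongs to certificate.pem. The function names, CERT_DIR and www.example.test are hypothetical; OpenSSL 1.1.1 or newer is assumed for -addext.

```shell
#!/bin/sh
# Added example (not from the original post). Hypothetical names: CERT_DIR,
# make_selfsigned, is_self_signed, key_matches_cert, cert_valid_for.
# Assumes OpenSSL 1.1.1+ (needed for -addext).
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"

# Same command as the post, made non-interactive: unencrypted 2048-bit RSA key,
# self-signed certificate valid for $days days, subject given with -subj and a
# DNS subjectAltName added with -addext.
make_selfsigned() {
    fqdn="$1"; days="${2:-365}"
    openssl req -newkey rsa:2048 -nodes -keyout "$CERT_DIR/key.pem" \
        -x509 -days "$days" -out "$CERT_DIR/certificate.pem" \
        -subj "/C=US/ST=State/L=City/O=Example Org/OU=IT/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    chmod 600 "$CERT_DIR/key.pem"   # -nodes leaves the key in the clear; limit who can read it
}

# A certificate is self-signed when its Issuer equals its Subject. Prints yes/no.
# The sed strips the "subject="/"issuer=" prefixes so old and new OpenSSL output
# formats compare the same way.
is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//')
    [ "$s" = "$i" ] && echo yes || echo no
}

# Prints yes when the public key inside the certificate is the one derived
# from the private key, i.e. the two files belong together.
key_matches_cert() {
    k=$(openssl pkey -pubout -in "$1" 2>/dev/null)
    c=$(openssl x509 -pubkey -noout -in "$2")
    [ "$k" = "$c" ] && echo yes || echo no
}

# Exit status 0 if the certificate is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# Stand-alone run: generate, then review it the way the post does.
if [ "${1:-}" = "run" ]; then
    make_selfsigned "www.example.test"
    openssl x509 -text -noout -in "$CERT_DIR/certificate.pem" | head -n 12
    echo "self-signed: $(is_self_signed "$CERT_DIR/certificate.pem")"
    echo "key matches: $(key_matches_cert "$CERT_DIR/key.pem" "$CERT_DIR/certificate.pem")"
fi
```

Run it as `sh script.sh run`; the files land in $CERT_DIR, which defaults to a fresh temporary directory.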

Risk of a self-signed certificate

If the corporate network is breached, there is no way of knowing whether a self-signed certificate (and its private key) has been compromised. Compromised self-signed certificates can pose many security challenges, since attackers can spoof the identity of the victim. Unlike CA-issued certificates, self-signed certificates cannot be revoked. The inability to quickly find and revoke the private key associated with a self-signed certificate creates serious risk.


