Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Create Your Own Private SSL/TLS Certificates

Simple Setup

If you just need a self-signed certificate and its private key (no separate certificate authority), you can generate both in one step:

openssl req \
  -newkey rsa:2048 \
  -nodes -keyout private.pem \
  -x509 \
  -days 365 \
  -out site.crt

Certificate Authority Method

If you also need to act as the certificate authority that signs your site's certificate, follow the steps below.

Create a private key for your certificate authority (the -des3 flag encrypts the key, so you will be prompted for a passphrase, which you must supply again every time you sign something with it):

openssl genrsa -des3 -out ca.pem 2048

Now create the public certificate for that certificate authority. This may be referred to as the "root certificate".

openssl req \
  -x509 \
  -new \
  -nodes \
  -key ca.pem \
  -sha256 \
  -days 1825 \
  -out ca.crt

Now create a private key for your site:

openssl genrsa -out my.domain.com.pem 2048

Now we need to create a "certificate signing request" (CSR) to "give" to our CA to sign:

openssl req \
  -new \
  -key my.domain.com.pem \
  -out certificate-request.csr

Now we hand that over to the certificate authority (which is ourselves), and it uses the request to create a public certificate for the site (which it hands back to us).

However, the CA first needs a configuration file which sets the extension fields within the generated certificate, stating things like what the certificate can be used for:

editor configuration.ext

Fill it with the following, changing the DNS.1 value to your site's FQDN (browsers match the hostname against subjectAltName rather than the subject's CN, so add DNS.2, DNS.3 and so on for any other hostnames the certificate should cover):

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = my.domain.com

@TODO - tutorial on all the options for this configuration file.

Now that we have all of these files, we can finally use them to create the site certificate file:

openssl x509 \
  -req \
  -in certificate-request.csr \
  -CA ca.crt \
  -CAkey ca.pem \
  -CAcreateserial \
  -out my.domain.com.crt \
  -days 365 \
  -sha256 \
  -extfile configuration.ext

Now you have all of your certificates. If you use Apache, you will need the three files:

  • ca.crt - the certificate authority's public certificate.
  • my.domain.com.crt - the public certificate for our site (site.crt in the simple setup above).
  • my.domain.com.pem - the private key for our site (private.pem in the simple setup above).

If you are using Nginx, you need to bundle the site certificate and ca.crt together into a single file, with the site certificate first:

cat my.domain.com.crt > bundle.crt
cat ca.crt >> bundle.crt

... so then you only need:

  • my.domain.com.pem (site.pem above) - your site's private key file
  • bundle.crt - a single public certificate file representing your site and the certificate authority.
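The following script is an added example, not part of the original post: it runs the whole certificate-authority procedure above (CA key and root certificate, site key and CSR, extension file, signing) non-interactively, builds the Nginx bundle, and then runs the checks worth doing before deploying the files: that the site certificate chains to the CA, that the hostname is present as a subjectAltName, that the leaf is CA:FALSE, that the private key actually belongs to the certificate, and that the bundle has the site certificate first. The FQDN, CA name and passphrase are constructed placeholders; everything is written to a temporary directory.

```shell
#!/bin/sh
# Added example (not the post's own code): end-to-end run of the CA method plus
# deployment checks. FQDN, CA name and passphrase below are constructed placeholders.
set -eu

FQDN="${FQDN:-my.domain.com}"                 # constructed sample hostname
CA_PASS="${CA_PASS:-changeme-ca-passphrase}"  # constructed placeholder; use a real secret
WORKDIR="${WORKDIR:-$(mktemp -d)}"            # all files land here, not in $PWD

# Steps 1-2: passphrase-protected CA key (as with -des3 above) and the root certificate.
create_ca() {
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORKDIR/ca.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/ca.pem" -passin "pass:$CA_PASS" \
    -sha256 -days 1825 -subj "/CN=Example Private CA" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Steps 3-4: the site's private key and its certificate signing request.
create_site_key_and_csr() {
  openssl genrsa -out "$WORKDIR/$FQDN.pem" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$FQDN.pem" -subj "/CN=$FQDN" \
    -out "$WORKDIR/certificate-request.csr" 2>/dev/null
}

# Step 5: the extension file from the post. CA:FALSE stops the leaf from issuing
# certificates of its own; subjectAltName is what clients match the hostname against.
write_extfile() {
  cat > "$WORKDIR/configuration.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $FQDN
EOF
}

# Step 6: the CA signs the request, producing the site certificate.
sign_site_cert() {
  openssl x509 -req -in "$WORKDIR/certificate-request.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.pem" -passin "pass:$CA_PASS" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORKDIR/configuration.ext" \
    -out "$WORKDIR/$FQDN.crt" 2>/dev/null
}

# Nginx bundle: site certificate first, CA certificate second.
make_bundle() {
  cat "$WORKDIR/$FQDN.crt" "$WORKDIR/ca.crt" > "$WORKDIR/bundle.crt"
}

# Deployment checks. Each returns 0 on success so they can gate a deploy script.
chain_verifies() {   # the site certificate chains to our CA
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$FQDN.crt" >/dev/null 2>&1
}
san_present() {      # the hostname is in subjectAltName, not only in the CN
  openssl x509 -in "$WORKDIR/$FQDN.crt" -noout -text | grep -q "DNS:$FQDN"
}
leaf_is_not_ca() {   # basicConstraints really came through as CA:FALSE
  openssl x509 -in "$WORKDIR/$FQDN.crt" -noout -text | grep -q "CA:FALSE"
}
key_matches_cert() { # the private key we deploy belongs to this certificate
  k=$(openssl pkey -in "$WORKDIR/$FQDN.pem" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$WORKDIR/$FQDN.crt" -pubkey -noout \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$k" = "$c" ]
}
bundle_order_ok() {  # openssl x509 reads only the first PEM block: it must be the site cert
  first=$(openssl x509 -in "$WORKDIR/bundle.crt" -noout -subject)
  case "$first" in *"$FQDN"*) return 0 ;; *) return 1 ;; esac
}
verify_all() {
  chain_verifies && san_present && leaf_is_not_ca && key_matches_cert && bundle_order_ok
}

create_ca; create_site_key_and_csr; write_extfile; sign_site_cert; make_bundle
if verify_all; then
  echo "certificates in $WORKDIR verified"
else
  echo "verification failed for files in $WORKDIR" >&2
  exit 1
fi
```

The bundle-order check exists because Nginx's ssl_certificate file must start with the server's own certificate; a bundle written in the other order loads without complaint but fails TLS handshakes with clients. The key-matches-cert check catches the common mistake of copying a freshly issued certificate next to a stale key.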


Last updated: 12th August 2021
First published: 12th August 2021

This blog is created by Stuart Page

I'm a freelance web developer and technology consultant based in Surrey, UK, with over 10 years experience in web development, DevOps, Linux Administration, and IT solutions.
