Create self-signed certificates with OpenSSL

Hey, here are a few steps to create your own self-signed certificates with your own CA:

  1. Generate your 4096 bit CA key (no password):
    # openssl genrsa -out CA.key 4096
    or generate one with a password:
    # openssl genrsa -out CA.key 4096 -des3

​Please note that if someone gets this key and it’s not password protected he can generate valid certificates in your name, which is really really bad, so keep it secret!

  1. Generate your CA certificate:
    # openssl req -new -x509 -extensions v3_ca -key CA.key -days 10000 -out CA.crt

​This creates a valid CA certificate wich is valid for 10000 days. Why so long? Because when this CA expires you have to revoke and regenerate all the certificates based on this one which could be timeconsuming, but feel free to set a lower number. In order to recognize your self-signed certificates this CA must be installed on your computer which calls the website or alike. which varies between operating systems and programs.

  1. Generate a key for the server (again with or without password, simply add -des3 if you want password protection):
    # openssl genrsa -out server.key 4096
  2. Create A CSR (certificat signing request):
    # openssl req -new -key server.key -out server.csr

​Now before creating a CRT file: if you need multiple domains you can specifiy them in a separate file. In my example i named it multidomains.cnf and added the following line:

subjectAltName=DNS:www.domain.com,DNS:mail.domain.com,DNS:domain.com,DNS:mysql.domain.com

Please note that you need to specify the normal domain too (domain.com) in this file and as CommonName when generating the CSR.

  1. Generate the server certificate:
    # openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt -days 365
    generate with multidomains:
    # openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -extfile multidomains.cnf -out server.crt -days 365

In case you want the to do quickly a certificate, you can do it also in one line:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

​All you have to do now is copy the server.key and server.crt onto your machine and configure your application to use this certificates.

Here are some useful sites if found about SSL:
http://www.chainsawonatireswing.com
http://phaseshiftllc.com
http://blog.didierstevens.com
http://shib.kuleuven.be