David Y.
—How can I generate a self-signed SSL certificate in Linux?
We can do this using the openssl toolkit. This should be installable using your distribution’s package manager and is likely to be already installed on your system.
First, we generate a private key for the certificate. The command below will generate a 2048-bit RSA private key to the file priv.key:
openssl genrsa -out priv.key 2048
Next, we use the private key to generate our certificate. The command below will generate a self-signed certificate valid for 365 days to the file cert.crt:
openssl req -new -x509 -key priv.key -out cert.crt -days 365
When running this command, you will be prompted to enter certificate information, such as country, state, and organization name. This information will go into the certificate’s subject field.
Depending on the certificate’s intended use case, we may also need a single PEM file containing both the private key and the certificate. We can create this with the following command:
cat priv.key cert.crt > combined.pem
Finally, we can inspect the certificate with this command, which should output the information we entered when generating it:
openssl x509 -in cert.crt -text -noout
Note that self-signed certificates are not generally considered appropriate for use on public websites. Although a self-signed certificate allows the connection between a server and client to be encrypted with TLS, it provides no verification of the server’s identity, as anyone can generate a self-signed certificate with any subject. For public websites, we should instead use a certificate issued by a Certificate Authority, such as Let’s Encrypt, which provides trusted certificates free of charge, facilitated by an automated domain verification process.
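The steps above as a non-interactive script, added here as an example and not part of the original answer. It goes slightly beyond the commands in the text by setting a restrictive umask and a subjectAltName, and it assumes OpenSSL 1.1.1 or later for -addext; the function names, directory and host name are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: the steps above without prompts, plus two sanity checks.
# Directory and host name arguments are caller-supplied sample values.

# make_self_signed DIR HOST: write priv.key, cert.crt and combined.pem to DIR.
make_self_signed() {
    (
        umask 077    # new files, including the key and combined.pem, are owner-only
        mkdir -p "$1" && cd "$1" || exit 1
        openssl genrsa -out priv.key 2048 || exit 1
        # -subj replaces the interactive prompts. -addext (OpenSSL 1.1.1+) adds
        # the subjectAltName that current TLS clients match host names against.
        openssl req -new -x509 -key priv.key -out cert.crt -days 365 \
            -subj "/CN=$2" -addext "subjectAltName=DNS:$2" || exit 1
        cat priv.key cert.crt > combined.pem
    )
}

# key_matches_cert KEY CERT: succeed only if both hold the same public key.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# subject_equals_issuer CERT: succeed if the certificate names itself as issuer,
# which is why it proves nothing about who actually operates the server.
subject_equals_issuer() {
    local subject issuer
    subject=$(openssl x509 -in "$1" -noout -subject) || return 1
    issuer=$(openssl x509 -in "$1" -noout -issuer) || return 1
    [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# Usage (constructed values):
#   make_self_signed ./tls internal.example.test
#   key_matches_cert ./tls/priv.key ./tls/cert.crt && echo "key and cert match"
#   subject_equals_issuer ./tls/cert.crt && echo "self-issued"
```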