How to Generate Self-Signed SSL Certificate Using OpenSSL

In this tutorial, we will cover how to generate self-signed SSL certificate using openssl command in Linux.

SSL certificates play a significant role in ensuring secure communication between a web server and clients. In certain situations such as testing or internal use, a self-signed SSL certificate may be a suitable alternative to a commercial certificate.

1) Check and Install OpenSSL

Before proceeding, ensure OpenSSL is installed on your computer. Most Linux distributions come with OpenSSL pre-installed. To check if it’s available, run:

$ openssl version

OpenSSL Version Check On Linux

If OpenSSL is not installed, you can add it using the following commands based on your operating system:

Ubuntu/Debian:

$ sudo apt update && sudo apt install openssl -y

RHEL / Fedora / Rocky Linux

$ sudo dnf install openssl -y

2) Generate a Private Key

To create an SSL certificate, you first need to generate a private key:

$ openssl genrsa -out mydomain.key 2048

This command creates a 2048-bit RSA private key named mydomain.key. If you need a stronger key, replace 2048 with 4096.

Generate Private Key Using OpenSSL Command

3) Create a Certificate Signing Request (CSR)

Next, generate a CSR using the private key:

$ openssl req -new -key mydomain.key -out mydomain.csr

During the process, you’ll be prompted to provide details such as:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Enter all the details and then submit.

Create CSR With OpenSSL

4) Generate Self-Signed Certificate Using OpenSSL

Now, create the self-signed certificate using the CSR and private key:

$ openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt

The -days 365 option sets the certificate’s validity to one year. The output file mydomain.crt contains the generated self-signed certificate.

Generate Self-Signed SSL Certificate Using OpenSSL

5) Set Up the SSL Certificate in Nginx

To use the self-signed SSL certificate with Nginx, move the certificate and key to /etc/nginx/ssl/:

$ sudo mkdir -p /etc/nginx/ssl
$ sudo cp mydomain.crt /etc/nginx/ssl/
$ sudo cp mydomain.key /etc/nginx/ssl/

Copy CRT Private Key NGINX Server

Next, edit the Nginx configuration file using vi editor, usually found in /etc/nginx/sites-available/default or /etc/nginx/nginx.conf.

Modify the server block to enable SSL:

server { 
    listen 443 ssl; 
    server_name mydomain.com; 
    ssl_certificate /etc/nginx/ssl/mydomain.crt; 
    ssl_certificate_key /etc/nginx/ssl/mydomain.key; 
    location / { 
        root /var/www/html; 
        index index.html; 
    } 
}

ADD Self-Signed Certificate In NGINX File

Ensure that Nginx is set to listen on port 443 (HTTPS). Save your changes and test the Nginx configuration and then restart the service

$ sudo nginx -t

Test NGINX Web Server

$ sudo systemctl restart nginx 
Or
$ sudo service nginx restart

Restart NGINX Service

6) Verify the SSL Configuration

Check if the SSL certificate is installed correctly with:

$ openssl s_client -connect mydomain.com:443 -servername mydomain.com

Verify NGINX SSL Configuration With OpenSSL Command

Alternatively, open a web browser and navigate to https://mydomain.com. Since the certificate is self-signed, the browser may display a security warning. You can bypass this warning by adding the certificate to your browser’s trusted list.

NGINX Web Page SSL Certificate Linux

NGINX Certificate Details Web Browser

Conclusion

Creating a self-signed SSL certificate with OpenSSL is a simple and effective solution for testing or internal applications. However, in production environments, it’s best to obtain an SSL certificate from a trusted Certificate Authority (CA) to prevent security warnings in web browsers.

Also Read: How to Install Ubuntu 24.04 on WSL2

Leave a Comment

eleven − three =