The name self-signed certificate explains its own meaning, i.e. we are not using a CA (Certificate Authority) to sign the certificate; instead we sign the certificate ourselves.
We tend to use self-signed certificates for most of our internal communications where there is little to no risk of a data breach. A self-signed certificate still adds an encryption layer, so although this is not the best way to protect data in transit (no third party vouches for the certificate, so clients cannot verify who they are talking to), it is still better than plain text. If an intruder manages to capture the packets of the communication, he/she will not be able to read the data as it will be in encrypted form.
In this tutorial I will cover different use cases and methods to create a self-signed certificate using the openssl command.
1. Create Self-Signed Certificate without Password
In this section we will create a self-signed certificate with an RSA private key that is not protected by a password.
Generate the Private Key:
openssl genpkey -algorithm RSA -out mykey.pem
Generate a Certificate Signing Request (CSR):
openssl req -new -key mykey.pem -out mycsr.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"
Generate the Self-Signed Certificate:
openssl x509 -req -days 365 -in mycsr.csr -signkey mykey.pem -out cert.pem
2. Create Self-Signed Certificate With a Password
We can also choose to secure our private key with a password. There are a couple of ways to pass the password when creating self-signed certificates; we will cover all of them:
2.1 Using an Environment Variable
We can use an environment variable to pass the password to the openssl command. This is considered more secure than giving the password directly on the command line, where it would be visible in the process list and saved in the shell history.
Set the Environment Variable:
export MY_KEY_PASS="YourStrongPassword"
Generate the Encrypted Private Key:
openssl genpkey -algorithm RSA -aes256 -out mykey.pem -pass env:MY_KEY_PASS
Generate the Certificate Signing Request (CSR):
openssl req -new -key mykey.pem -out mycsr.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com" -passin env:MY_KEY_PASS
Generate the Certificate:
openssl x509 -req -days 365 -in mycsr.csr -signkey mykey.pem -out cert.pem -passin env:MY_KEY_PASS
Clean Up:
After the process, remove the environment variable so the password is not left in the shell environment:
unset MY_KEY_PASS
2.2 Prompting for the Password
Setting an environment variable can be considered secure, but it has its own downside (the variable is inherited by every child process of that shell), so we also have the option to read the password from standard input instead of storing it in a variable which could still be exposed. With stdin, openssl reads the password when the command runs, so it is never written to a file or variable.
Generate the Encrypted Private Key:
openssl genpkey -algorithm RSA -aes256 -out mykey.pem -pass stdin
Generate the CSR:
openssl req -new -key mykey.pem -out mycsr.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com" -passin stdin
Generate the Self-Signed Certificate:
openssl x509 -req -days 365 -in mycsr.csr -signkey mykey.pem -out cert.pem -passin stdin
2.3 Using Password File
We can also store the password in a file and pass that file as an input to the openssl command. Restrict the file permissions so only the owner can read it.
Create a Password File:
echo "YourStrongPassword" > passwordfile
chmod 600 passwordfile
Generate the Encrypted Private Key:
openssl genpkey -algorithm RSA -aes256 -out mykey.pem -pass file:./passwordfile
Generate the CSR:
openssl req -new -key mykey.pem -out mycsr.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com" -passin file:./passwordfile
Generate the Self-Signed Certificate:
openssl x509 -req -days 365 -in mycsr.csr -signkey mykey.pem -out cert.pem -passin file:./passwordfile
Securely Remove the Password File:
shred -u passwordfile
3. Create Self-Signed Certificate using RSA Key
Generate the RSA Private Key:
openssl genpkey -algorithm RSA -out rsa_key.pem
Create a CSR:
openssl req -new -key rsa_key.pem -out rsa_csr.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"
Generate the RSA Certificate:
openssl x509 -req -days 365 -in rsa_csr.csr -signkey rsa_key.pem -out rsa_cert.pem
4. Create Self-Signed Certificate using ECDSA Key
Generate the ECDSA Private Key:
openssl ecparam -name prime256v1 -genkey -out ecdsa_key.pem
Create a CSR:
openssl req -new -key ecdsa_key.pem -out ecdsa_csr.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"
Generate the ECDSA Certificate:
openssl x509 -req -days 365 -in ecdsa_csr.csr -signkey ecdsa_key.pem -out ecdsa_cert.pem
5. Create Self-Signed Certificate using single OpenSSL command
For simplicity and automation we can also combine all the openssl steps (generating the private key, creating the CSR and signing it) into one single command that creates the self-signed certificate. The -nodes option leaves the generated private key unencrypted:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/C=US/ST=California/L=City/O=Organization/OU=Department/CN=www.example.com"
You can then use the openssl command again to view the contents of the certificate and the private key.
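The following script is an added example, not part of the original tutorial. It generates a certificate the single-command way from section 5, creates an encrypted key the way section 2.3 does, and then performs the verification checks a practitioner would run on the results (issuer equals subject, the key matches the certificate, the certificate has not expired, the encrypted key really is encrypted). It assumes openssl is on PATH; the work directory, file names and the password value are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate a self-signed
# certificate and verify the artifacts. Assumes openssl is on PATH.
# WORKDIR, key.pem, cert.pem, enc_key.pem and passwordfile are placeholders.
set -eu

WORKDIR="${WORKDIR:-./selfsigned-demo}"
SUBJ="/C=US/ST=State/L=City/O=Organization/OU=Department/CN=www.example.com"

# Key + self-signed certificate in one command; -nodes leaves the key unencrypted.
gen_selfsigned() {
    mkdir -p "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SUBJ" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Encrypted variant (section 2.3 style): the password comes from a mode-600
# file, so it appears neither on the command line nor in the environment.
gen_encrypted_key() {
    mkdir -p "$WORKDIR"
    ( umask 077; printf '%s\n' "constructed-demo-password" > "$WORKDIR/passwordfile" )
    openssl genpkey -algorithm RSA -aes-256-cbc -out "$WORKDIR/enc_key.pem" \
        -pass "file:$WORKDIR/passwordfile"
    rm -f "$WORKDIR/passwordfile"
}

# Check 1: an encrypted PKCS#8 key is written under this PEM label.
key_is_encrypted() { grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; }

# Check 2: in a self-signed certificate the issuer equals the subject.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${issuer#issuer=}" ]
}

# Check 3: the private key belongs to the certificate. Compare the public key
# embedded in the certificate with the one derived from the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 4: the certificate does not expire within the next N seconds
# (-checkend exits non-zero when it would).
valid_for_seconds() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }
```

Run gen_selfsigned, then call the check functions on cert.pem and key.pem; each returns a non-zero status when its check fails, which makes them easy to use in a deployment script.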