Generate a self-signed SSL Certificate with OpenSSL

Occasionally it may be necessary to generate a self-signed SSL certificate. This could be for internal websites, or for other internal uses that may require secure encrypted network transmissions.

Generating a self-signed certificate may be an easy task for an intermediate or senior-level admin; however, we decided to post this guide as a reference for everyone to use 😉

1. Generate an SSL key without a passphrase. Use at least 2048 bits, since 1024-bit RSA keys are no longer considered secure. Enter:

openssl genrsa -out /etc/httpd/ssl/ 2048

2. Create a self-signed certificate, enter:

openssl req -new -key /etc/httpd/ssl/ -x509 -out /etc/httpd/ssl/mycorpcom.crt -days 999

Sample output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:CA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycorp, LLC
Organizational Unit Name (eg, section) []:Sales
Common Name (eg, YOUR name) []:  
Email Address []

My Sample Apache httpd.conf virtual host file:

DocumentRoot "/var/www/html/ssl_doc_root/"
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/mycorpcom.crt
SSLCertificateKeyFile /etc/httpd/ssl/
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

3. Restart httpd/Apache:

service httpd restart

That's it! Test the SSL cert to ensure it loads fine and reflects the proper values when you examine its properties.
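One way to run that test from the shell, as an added example that is not part of the original guide: check_pair confirms that the certificate carries the public half of the private key, that the RSA key is at least 2048 bits, and that the certificate has not expired, then prints the subject and expiry date for review. The function names, the 2048-bit floor and the subject values (including www.example.test) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a key/cert pair
# before Apache's SSLCertificateFile / SSLCertificateKeyFile point at it.

# check_pair KEY CRT: returns 0 only if every check below passes.
check_pair() {
    key=$1; crt=$2

    # 1. The certificate must contain the public half of this private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key $key"; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read certificate $crt"; return 1; }
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "FAIL: certificate was not issued for this key"; return 1; }

    # 2. RSA modulus size as recorded in the certificate (assumed floor: 2048).
    bits=$(openssl x509 -in "$crt" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: ${bits:-unknown}-bit key is below 2048 bits"; return 1; }

    # 3. -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 1; }

    # 4. Show the values to compare against what was typed at the prompts.
    openssl x509 -in "$crt" -noout -subject -issuer -enddate
    echo "OK: $bits-bit key matches certificate"
}

# demo: run the checks on throwaway files (constructed sample; the subject
# values, including www.example.test, are placeholders).
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/demo.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/demo.key" -out "$d/demo.crt" -days 999 \
        -subj "/C=US/ST=CA/O=mycorp/CN=www.example.test" 2>/dev/null
    check_pair "$d/demo.key" "$d/demo.crt"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# With two arguments check those files, otherwise run the demo.
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; else demo; fi
```

Pass the key and certificate paths as the two arguments to check your own files; with no arguments the script runs the demo on temporary files and deletes them.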
