OpenSSL - Self Signed Certificate
Updated on 23 Sep 2020
This tutorial will show you the steps needed to create a self signed SAN (Subject Alternative Name) certificate.
Also worth noting: modern browsers don't trust:
- certificates without a SAN (host names are matched against the SAN, not the Common Name, so the extra steps below for SAN are required)
- self signed certificates. They need to be signed by a CA the browser trusts, and I cover that in a later tutorial
Copy the openssl.cnf file to a local directory
Unless you’re comfortable making changes to the original configuration file, we’ll copy it to a local directory. The path below is the Debian/Ubuntu one; on other systems openssl version -d prints the directory (OPENSSLDIR) that holds openssl.cnf.
cp /usr/lib/ssl/openssl.cnf localhost.cnf
Add the v3_req settings
Under the [ v3_req ] section, set the following along with any alternative names for this certificate. In my example I’ll use localhost and yii.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = yii
We also need to check the following two lines under the [ req ] section (around line 114 and line 129 in the stock file - there are comments in the file telling you what they are for). The first is normally already active; the second is commented out and must be uncommented so that certificate requests (CSRs) are created with the v3 extensions.
x509_extensions = v3_ca # The extensions to add to the self signed cert
req_extensions = v3_req # The extensions to add to a certificate request
Note that for a self signed certificate made with -x509, the -extensions flag on the command line overrides x509_extensions, which is why the command below passes -extensions v3_req rather than relying on v3_ca.
Create self signed certificate
For now we’ll just create the key and certificate in the local directory. The private key is written unencrypted (see -nodes below), so keep its file permissions tight.
openssl req -x509 -nodes -days 365 -extensions v3_req -newkey rsa:2048 -keyout apache-selfsigned.key -out apache-selfsigned.crt -config localhost.cnf
An explanation of some of the settings we have used is on this website. Basically all the flags are related to the req command.
- req: the command to create and process certificate requests in PKCS#10 format.
- -x509: output a self signed certificate instead of a certificate signing request (CSR). X.509 is the public key infrastructure standard used by SSL/TLS for key and certificate management.
- -nodes: do not encrypt the private key with a passphrase (this is mainly for Apache so we don’t have to enter the password each time we restart Apache). Anyone who can read the key file can use the key, so restrict its permissions.
- -days: how long the certificate will be valid for. If not set, defaults to 30 days.
- -extensions: which extensions section of the config file to load (v3_req here, so the SAN is included in the certificate).
- -newkey: generate a new private key at the same time as the certificate. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate; rsa:2048 means a 2048-bit RSA key.
- -keyout: output filename for the key.
- -out: output filename for the certificate.
- -config localhost.cnf: refers to the file we created in step 1 that we will use for the config.
Examine your certificate
In the directory that the certificate was created in, you can double click on the apache-selfsigned.crt file (on Windows or macOS), and the information about your certificate will be shown. Click on the Details tab and scroll down until you see the Subject Alternative Name field. localhost and yii should be there - the names we added into the config file in step 1.
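The whole procedure above (config, key and certificate creation, and the check of the Subject Alternative Name field) as one script that works from the command line rather than the GUI viewer. This is an added example, not code from the original tutorial: it writes a small stand-alone config instead of copying the system openssl.cnf, and also builds a second certificate without a SAN to show the check catching what a browser would reject. File names follow the tutorial; WORKDIR, the CN and the second host name "yii" are assumptions you can change.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: create a self-signed SAN
# certificate from a small stand-alone config and verify the SAN entries on
# the command line. File names follow the tutorial; WORKDIR, the CN and the
# second host name "yii" are assumptions you can change.
set -eu

WORKDIR="${WORKDIR:-.}"
CONF="$WORKDIR/localhost.cnf"
KEY="$WORKDIR/apache-selfsigned.key"
CRT="$WORKDIR/apache-selfsigned.crt"
NOSAN="$WORKDIR/no-san.crt"          # counter-example: a cert with no SAN

# Minimal config: only the sections req reads, so there is no need to copy
# and edit the system openssl.cnf. v3_nosan exists only for the counter-example.
write_config() {
    cat > "$CONF" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
prompt             = no
x509_extensions    = v3_req   # used by req -x509 unless -extensions overrides it
req_extensions     = v3_req   # used for CSRs (no -x509) unless -reqexts overrides it

[ req_distinguished_name ]
CN = localhost

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = localhost
DNS.2 = yii

[ v3_nosan ]
basicConstraints = CA:FALSE
EOF
}

# Key + self-signed certificate in one step, same flags as the tutorial.
# umask 077 so the unencrypted (-nodes) key is never world-readable.
make_cert() {
    write_config
    ( umask 077; openssl req -x509 -nodes -days 365 -extensions v3_req \
        -newkey rsa:2048 -keyout "$KEY" -out "$CRT" -config "$CONF" )
    chmod 644 "$CRT"   # the certificate is public; only the key must stay private
}

# Same key, but signed with an extensions section that has no subjectAltName.
make_cert_nosan() {
    openssl req -x509 -days 365 -extensions v3_nosan \
        -key "$KEY" -out "$NOSAN" -config "$CONF"
}

# Print the SAN line of a certificate, e.g. "DNS:localhost, DNS:yii"
# (empty when the certificate has no SAN extension).
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Exit status 0 only when every given DNS name is listed in the SAN.
has_san() {
    cert="$1"; shift
    san=$(san_of "$cert")
    for name in "$@"; do
        case "$san" in
            *"DNS:$name"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

main() {
    make_cert
    echo "SAN of $CRT: $(san_of "$CRT")"
    has_san "$CRT" localhost yii && echo "ok: localhost and yii are in the SAN"
    make_cert_nosan
    if has_san "$NOSAN" localhost; then
        echo "unexpected: $NOSAN has a SAN"
    else
        echo "$NOSAN has no SAN: a modern browser will not trust it"
    fi
}

main
```

Run it as sh san-cert.sh in the directory where you want the files. On OpenSSL 1.1.1 or newer, openssl x509 -in apache-selfsigned.crt -noout -ext subjectAltName prints just the SAN, and openssl req -addext "subjectAltName=DNS:localhost,DNS:yii" lets you add the SAN without any config file edits at all; the script uses the -text output and a config file so that it also works with older releases.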