Self-signed certificates raise a lot of questions. In this blog post, I’m going to answer those and teach you how to create a self-signed certificate for Ubuntu, Nginx, and Windows.
What is a Self Signed SSL Certificate?
A self-signed certificate is essentially a certificate that is signed by the same entity that it certifies. There is no certificate authority (CA) involved, and it is signed with its own private key.
Pros:
- It’s relatively easy to create these certificates as no CA is involved.
- Self-signed certificates can be created for free with tools like OpenSSL.
- They’re easier to customize.
Cons:
- Not trusted by other operating systems and applications
- They need to be renewed or replaced every year, which can be a hassle.
- They don’t provide the authentication that CA-issued SSL certificates provide. Because a client has no way to tell a legitimate self-signed certificate from anyone else’s, a third party could intercept the traffic to a self-signed website by presenting its own self-signed certificate.
So why create a self-signed certificate?
A self-signed certificate is usually created during testing, to check how everything will run in an HTTPS environment. These certificates can’t work in production: no browser will trust them, since no certificate authority is involved. Moreover, they aren’t as secure.
Create Self Signed Certificate: Windows
We’re going to generate a self-signed certificate using OpenSSL. Make sure you have the latest version of OpenSSL installed on your Windows machine. We’re going to create a private key and a self-signed certificate valid for one year.
We’re going to create this certificate in the C:\test folder.
1. Open the command prompt (cmd) in Windows.
2. Go to the folder: type cd \test.
3. Start OpenSSL: c:\OpenSSL-Win32\bin\openssl.exe
4. Run the following command to generate a private key and a certificate:
req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
5. You will then be asked to enter Distinguished Name (DN) information.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name): Tennessee
Locality Name (eg, city): Nashville
Organization Name (eg, company) [My Company Ltd]:https://Webscoot.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: Drake Danvers (https://Webscoot.com)
Email Address []:[email protected]
You will now find your private key and certificate in the \OpenSSL\bin\ directory.
Create Self Signed Certificate for Nginx in Ubuntu
Note: The commands for Ubuntu and Mac OS X are the same, so you can follow these on a Mac too. We’re going to create the certificate using OpenSSL here as well. On a Mac, OpenSSL comes pre-installed.
1. First, create a certificate configuration file:
sudo nano localhost.conf
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = Nashville
organizationName = Organization Name (eg, company)
organizationName_default = localhost
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
# Subject Alternative Names are what browsers actually match against the
# address bar; the Common Name alone is no longer enough.
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
# An IP address must be an IP.n entry, not a DNS.n entry, or it will not match.
IP.1 = 127.0.0.1
2. Create the private key and certificate with the following OpenSSL command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
Let’s see what the command we’re issuing above actually does:
- openssl: the command-line tool of the OpenSSL TLS/SSL toolkit, which is used to secure communication between servers and client computers.
- req: the subcommand that creates certificate requests (CSRs) and, together with -x509, self-signed certificates.
- -x509: output a self-signed certificate instead of a certificate request. An X.509 certificate carries information such as the version, the serial number, the subject’s and issuer’s distinguished names, the validity period and the public key.
- -days 365: the certificate is going to be valid for one year.
- -newkey rsa:2048: generate a new 2048-bit RSA private key along with the certificate. RSA is an asymmetric algorithm, i.e., it uses a public and a private key.
- -nodes: do not protect the private key with a passphrase, so Nginx can read it without prompting at startup.
- -keyout: where OpenSSL stores the private key (localhost.key).
- -out: where OpenSSL stores the certificate (localhost.crt).
- -config: the configuration file created in step 1, which supplies the DN defaults and the Subject Alternative Names.
3. Copy the certificate and the private key to the system certificate folders in Ubuntu.
Copy the certificate:
sudo cp localhost.crt /etc/ssl/certs/localhost.crt
Copy the private key:
sudo cp localhost.key /etc/ssl/private/localhost.key
4. To load the certificate and key, update the Nginx configuration file:
sudo nano /etc/nginx/sites-available/default
server {
    listen 80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name localhost;
    ssl_certificate /etc/ssl/certs/localhost.crt;
    ssl_certificate_key /etc/ssl/private/localhost.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); for anything beyond a
    # local test, limit this to TLSv1.2 and TLSv1.3.
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    root /var/www/html;
    index index.html index.nginx-debian.html;
}
Reload Nginx to apply the configuration changes:
sudo service nginx reload
5. Change Chrome’s settings to show your site as secure
Self-signed certificates have to be added manually to Chrome’s CA root store (the NSS database in your home directory); otherwise, the site will be shown as insecure.
To add the certificate to the trusted root CA store, run the following command (certutil is provided on Ubuntu by the libnss3-tools package):
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "localhost" -i localhost.crt
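The generation in steps 1–2 (and the Windows section above) and the trust decision in step 5 can both be checked from the command line before anything is deployed. The following script is an added example, not code from the original post: it writes a configuration file with a correct subjectAltName (the IP address in an IP.n entry), generates the key and certificate non-interactively, and then runs the checks a practitioner makes before copying files into /etc/ssl: that the SAN is present, that the private key actually belongs to the certificate (which catches the swapped-file mistake in step 3), how long the certificate is valid, and why a client rejects it until the certificate itself is installed as a trust anchor. It assumes only that the openssl CLI is on PATH; all host names, file names and the DN values are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: generate a self-signed
# certificate non-interactively with a correct subjectAltName, then run the
# checks a practitioner makes before deploying it. Assumes the openssl CLI is
# on PATH; all file names, host names and DN values are constructed here.
set -u

# gen_selfsigned DIR HOST IP: writes DIR/localhost.conf, .key and .crt.
# IP addresses go in IP.n entries; a DNS.n entry holding 127.0.0.1 would
# not match a browser that connects to https://127.0.0.1/.
gen_selfsigned() {
  dir=$1; host=$2; ip=$3
  cat > "$dir/localhost.conf" <<EOF
[req]
default_bits = 2048
prompt = no
distinguished_name = dn
x509_extensions = v3_self
[dn]
CN = $host
O = Test only
[v3_self]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/localhost.key" -out "$dir/localhost.crt" \
    -config "$dir/localhost.conf" 2>/dev/null
}

# cert_has_san CRT ENTRY: succeeds if the SAN extension lists ENTRY, given in
# openssl's text form, e.g. "DNS:localhost" or "IP Address:127.0.0.1".
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# key_matches_cert KEY CRT: compares the public key derived from the private
# key with the public key embedded in the certificate.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for_days CRT N: fails if the certificate expires within N days,
# so the yearly renewal can be scripted instead of discovered by an outage.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# verify_untrusted CRT: what a client with the default trust store does.
# For a self-signed certificate this fails ("self-signed certificate").
verify_untrusted() {
  openssl verify "$1" >/dev/null 2>&1
}

# verify_trusted CRT: the same check once the certificate itself has been
# added as a trust anchor, which is what the certutil step does for Chrome.
verify_trusted() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone run (sh script.sh run): generate into a temp dir, report checks.
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  gen_selfsigned "$d" localhost 127.0.0.1 >/dev/null
  for chk in "cert_has_san $d/localhost.crt DNS:localhost" \
             "key_matches_cert $d/localhost.key $d/localhost.crt" \
             "cert_valid_for_days $d/localhost.crt 30" \
             "verify_untrusted $d/localhost.crt" \
             "verify_trusted $d/localhost.crt"; do
    if $chk; then echo "PASS: $chk"; else echo "FAIL: $chk"; fi
  done
  rm -rf "$d"
fi
```

Run it with `sh script.sh run`. The expected report is four passes and one failure: verify_untrusted fails, which is exactly the behaviour the Cons section describes, and verify_trusted passes only because the certificate was handed to openssl as its own trust anchor, the same exception you make per machine with certutil.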
Lastly
Self-signed certificates should only be created for a testing environment. They come at zero cost, so it makes sense to use them only when you want to test working in an HTTPS environment.
If we’ve missed anything, or you have any suggestions, do mention them in the comments below. Or talk to our experts.