How to Create a Self-Signed SSL Certificate on CentOS or Ubuntu Linux

This post shows how to create a self-signed SSL certificate on CentOS or Ubuntu Linux with the OpenSSL tool, for example for your own Apache server.


What is a Self-Signed SSL Certificate?

A self-signed certificate is used to encrypt communication between your server and any clients. Because it is not signed by any of the trusted certificate authorities included with web browsers, users cannot use the certificate to validate the identity of your server automatically.

You can use the OpenSSL tool to generate self-signed certificates for testing purposes or internal usage. It can also be used to generate an RSA private key.

Create Self-Signed SSL Certificate

Before creating a self-signed SSL certificate, make sure that the OpenSSL tool is installed on your Linux system. You can verify the version of OpenSSL by running the following command:

$ openssl version


devops@devops-osetc:~$ openssl version
OpenSSL 1.1.1 11 Sep 2018

If the OpenSSL package is not installed on your Linux system, you can run the following command to install it:

For CentOS or RHEL Linux:

Type the following command:

$ sudo yum install openssl -y

For Ubuntu or Debian Linux:

Type the following command:

$ sudo apt install openssl -y

Then you can use the openssl command to create a private key and a self-signed certificate, type:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt


devops@devops-osetc:~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
[sudo] password for devops:
Can't load /home/devops/.rnd into RNG
140155030204864:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/devops/.rnd
Generating a RSA private key
writing new private key to '/etc/ssl/private/apache-selfsigned.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NewYork
Locality Name (eg, city) []:city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:osetc
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []
Email Address []

openssl: the basic command-line tool for creating and managing OpenSSL certificates, keys and other files.
req: a subcommand of openssl that is used to create certificate signing requests.
-x509: output a self-signed X.509 certificate instead of a certificate signing request.
-nodes: tells OpenSSL not to protect the private key with a passphrase, so the key file is written unencrypted.
-days 365: sets the length of time, in days, that the certificate will be considered valid.
-newkey rsa:2048: create a new certificate request and a new 2048-bit RSA key.
-keyout: tells OpenSSL where to place the generated private key file.
-out: tells OpenSSL where to place the certificate that you are creating.

Let’s check that the certificate and private key were created, type:

devops@devops-osetc:~$ sudo ls /etc/ssl/private/apache-selfsigned.key

devops@devops-osetc:~$ sudo ls /etc/ssl/certs/apache-selfsigned.crt
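A non-interactive variant of the command above, with checks that go further than ls, as an added example that is not part of the original post. The output directory, the Common Name and all function names are assumptions; -subj replaces the interactive prompts, and the files go to a directory you choose rather than /etc/ssl.

```shell
#!/bin/sh
# Added example. Output directory, Common Name and function names are
# assumptions for illustration; nothing here touches /etc/ssl.

# Create key + self-signed cert without prompts. $1 = directory, $2 = Common Name.
make_selfsigned() {
    dir=$1 cn=$2
    (
        umask 077  # -nodes writes the key unencrypted; file mode is its only protection
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/C=US/O=osetc/OU=IT/CN=$cn" \
            -keyout "$dir/apache-selfsigned.key" \
            -out "$dir/apache-selfsigned.crt"
    ) || return 1
    chmod 644 "$dir/apache-selfsigned.crt"  # the certificate itself is public
}

# True if the public key in certificate $1 is the one belonging to private key $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True if subject and issuer are the same name, i.e. no CA issued certificate $1.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# True if certificate $1 will still be valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# True if only the owner can read or write key file $1.
key_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
```

Source the file and call the functions on your own paths; a certificate and key that fail cert_matches_key will be rejected by Apache at startup.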


You should now know how to create a self-signed certificate on your CentOS or Ubuntu Linux server with the OpenSSL tool. You can then modify your Apache configuration to use the certificate files you created.
