How to Create Self Signed Certificates on Ubuntu Linux


This post shows students and new users how to create self-signed SSL/TLS certificates on Ubuntu for local use with Nginx or Apache web servers.

A self-signed SSL certificate is signed by the creator rather than a trusted third-party certificate authority (CA). Self-signed certificates can have the same level of encryption as trusted CA-signed SSL certificates.

Web browsers do not treat self-signed certificates as valid, because the certificate does not chain to a CA the browser already trusts. That’s why, when you browse to a host that uses a self-signed certificate, the browser warns you that the certificate cannot be trusted.

Most self-signed certificates are created for internal use or for a development environment. Websites or applications on the public internet do not use self-signed certificates because major web browsers do not trust them.

If you’re a student or new user learning Linux, Ubuntu Linux is the easiest place to start learning. Ubuntu is the modern, open-source Linux operating system for desktops, servers, and other devices.

To start creating self-signed certificates on Ubuntu Linux, follow the steps below.

How to create self-signed certificates on Ubuntu Linux

The OpenSSL toolkit is required to generate an SSL/TLS certificate on Ubuntu. This tool is usually installed on Ubuntu Linux by default. If not, run the commands below to install it on Ubuntu.

sudo apt update
sudo apt install openssl

To create a new self-signed SSL certificate, use the openssl req command. Below is the command to generate an SSL/TLS certificate for the example.com domain.

openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out example.crt -keyout example.key

The command details are as follows:

  • -newkey rsa:4096 – creates a new certificate request and a 4096-bit RSA key.
  • -x509 – outputs a self-signed X.509 certificate instead of a certificate request.
  • -sha256 – uses 256-bit SHA (Secure Hash Algorithm) to sign the certificate.
  • -days 365 – the number of days the certificate is valid for, typically a year or more.
  • -nodes – creates a key without a passphrase. The private key is written to disk unencrypted, so restrict read access to the key file.
  • -out example.crt – specifies the filename to write the newly created certificate to.
  • -keyout example.key – specifies the filename to write the private key to.

Once you press ENTER, the command will generate a private key and prompt you with questions to generate the certificate.

Generating a RSA private key
...................................++++
............................++++
writing new private key to 'example.key'
-----

Provide answers similar to the ones below, replacing the details with your own so they describe the certificate you’re generating.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EXAMPLE, Inc.
Organizational Unit Name (eg, section) []:Publishing
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:admin@example.com

After that, two files (example.crt and example.key) will be created in the directory where you ran the command. Use these files in your Nginx or Apache setup to enable HTTPS connections.
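A non-interactive variant of the command above, added here as an example and not part of the original post: it also sets a subjectAltName, creates the key owner-only, and then checks the resulting pair. The function names and the KEY_BITS variable are illustrative assumptions; -addext and -ext need OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example. make_selfsigned, verify_selfsigned and KEY_BITS are
# illustrative names, not part of OpenSSL or the original post.

# Create <dir>/<domain>.key and <dir>/<domain>.crt without prompts.
make_selfsigned() {
    local domain="$1" dir="$2" bits="${KEY_BITS:-4096}"
    mkdir -p "$dir" || return 1
    # -nodes leaves the key unencrypted, so create it under umask 077
    # (owner-only). The subshell keeps the umask change local.
    (
        umask 077
        openssl req -newkey "rsa:$bits" -x509 -sha256 -days 365 -nodes \
            -subj "/CN=$domain" \
            -addext "subjectAltName=DNS:$domain" \
            -out "$dir/$domain.crt" -keyout "$dir/$domain.key"
    ) || return 1
    chmod 644 "$dir/$domain.crt"   # the certificate itself is public
}

# Return 0 only if the pair is self-signed, names the domain in its SAN,
# and the key on disk really belongs to the certificate.
verify_selfsigned() {
    local domain="$1" crt="$2/$1.crt" key="$2/$1.key" a b
    # Self-signed: issuer and subject are the same name.
    a=$(openssl x509 -in "$crt" -noout -subject_hash) || return 1
    b=$(openssl x509 -in "$crt" -noout -issuer_hash) || return 1
    [ "$a" = "$b" ] || { echo "issuer differs from subject" >&2; return 1; }
    # Modern browsers match the hostname against the SAN, not the Common Name.
    openssl x509 -in "$crt" -noout -ext subjectAltName | grep -qwF "DNS:$domain" \
        || { echo "SAN does not list $domain" >&2; return 1; }
    # Key/certificate match: both must yield the same public key.
    a=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ] || { echo "key does not match certificate" >&2; return 1; }
}

# Run directly: ./selfsigned.sh example.com ./certs
if [ "$#" -eq 2 ]; then
    make_selfsigned "$1" "$2" && verify_selfsigned "$1" "$2" && echo "OK: $2/$1.crt"
fi
```

The public-key comparison at the end is the check to rerun whenever a key or certificate file is replaced, since a web server will fail to start HTTPS with a mismatched pair.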

That should do it.

Conclusion:

This post showed you how to create self-signed SSL/TLS certificates on Ubuntu Linux. Please use the comment form below if you find any errors above or have something to add.

