
Create a Self-Signed SSL Certificate

important
  • Google Chrome 58 and later ignore the certificate's Common Name and match the requested host name only against the Subject Alternative Name (SAN) extension, so a SAN list is required.
  • If the host name you browse to is not listed in the certificate's Subject Alternative Names, Chrome reports NET::ERR_CERT_COMMON_NAME_INVALID even when the Common Name is correct.

1. Generate an OpenSSL CSR Config with your domain information

cat <<"EOF" | sudo tee /tmp/tls.conf > /dev/null
[req]
default_bits                    = 2048
default_keyfile                 = tls.key
distinguished_name              = req_distinguished_name
req_extensions                  = req_ext
x509_extensions                 = v3_ca

[req_distinguished_name]
countryName                     = Country Name (2 letter code)
countryName_default             = LK
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Western Province
localityName                    = Locality Name (eg, city)
localityName_default            = Colombo
organizationName                = Organization Name (eg, company)
organizationName_default        = Example (Private) Limited
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Development
commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_default              = example.local
commonName_max                  = 64

[req_ext]
subjectAltName                  = @alt_names

[v3_ca]
subjectAltName                  = @alt_names

[alt_names]
IP.1                            = 127.0.0.1
DNS.1                           = localhost
DNS.2                           = example.local
DNS.3                           = *.example.local
EOF

The heredoc delimiter is quoted ("EOF"), so the file is written verbatim with no shell expansion. Replace example.local with your own domain in both commonName_default and the [alt_names] section; every name or IP address the server will be reached by must appear under [alt_names]. With -x509 (next step) openssl req takes the certificate extensions from the x509_extensions section, so it is [v3_ca] (which, despite its name, only sets subjectAltName here) that puts the SAN list into the certificate; [req_ext] is used only when the same config generates a CSR. openssl req will prompt for each distinguished-name field and offer the _default value; press Enter to accept it.

2. Generate the TLS Certificate and Key

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -config /tmp/tls.conf

This writes a 2048-bit RSA private key to tls.key and a self-signed certificate valid for 365 days to tls.crt in the current directory. -nodes means the private key is stored unencrypted, so restrict its permissions to the user or service that terminates TLS; anyone holding tls.key can impersonate every name in the SAN list on any machine that trusts tls.crt. Because the command runs under sudo, both files are owned by root; change the owner or drop sudo if the web server runs as another user.
tip
  • Add the self-signed certificate to the OS trust store

# On CentOS
sudo cp tls.crt /etc/pki/ca-trust/source/anchors/tls.crt
sudo update-ca-trust

# On Ubuntu
sudo cp tls.crt /usr/local/share/ca-certificates/tls.crt
sudo update-ca-certificates

# On Windows (run from an elevated prompt to add to the machine store)
certutil.exe -addstore "Root" tls.crt

On Ubuntu, update-ca-certificates only picks up files with the .crt extension, so keep the name as shown. Chrome and Edge consult the OS trust store; Firefox keeps its own store and will not trust the certificate unless it is imported there as well.

  • Generate a PFX certificate from tls.crt and tls.key

openssl pkcs12 -export -out tls.pfx -inkey tls.key -in tls.crt

The export prompts for a password that protects the bundled private key; tls.pfx contains the key, so handle it as carefully as tls.key.
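The two steps above, carried through end to end as an added example (this is not code from the original page): the script writes a non-interactive variant of the config (prompt = no with fixed distinguished-name values in place of the _default prompts), generates the key and certificate into a temporary directory, and then checks what a browser would check: that tls.key really matches tls.crt, that the SAN list made it into the certificate, and that OpenSSL's own host-name matching accepts the listed names (including the wildcard) and rejects an unlisted one. It assumes openssl 1.1.1 or later is on PATH; the directory, host name and function names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes openssl >= 1.1.1.
set -eu

# Write a non-interactive version of the page's req config into $1 and
# generate tls.key / tls.crt for host name $2 (plus localhost and 127.0.0.1).
make_selfsigned() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  cat > "$dir/tls.conf" <<EOF
[req]
default_bits       = 2048
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ext

[dn]
C  = LK
ST = Western Province
L  = Colombo
O  = Example (Private) Limited
OU = Development
CN = ${host}

[v3_ext]
subjectAltName = @alt_names

[alt_names]
IP.1  = 127.0.0.1
DNS.1 = localhost
DNS.2 = ${host}
DNS.3 = *.${host}
EOF
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" -config "$dir/tls.conf" 2>/dev/null
  chmod 600 "$dir/tls.key"   # -nodes leaves the private key unencrypted
}

# Print the Subject Alternative Name entries of the certificate in $1.
san_list() {
  openssl x509 -in "$1/tls.crt" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if the public key inside tls.crt is derived from tls.key.
keys_match() {
  c=$(openssl x509 -in "$1/tls.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$1/tls.key" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Validate the certificate against itself as the trust anchor and apply the
# same SAN host-name matching a browser does (exit status 0 = match).
verify_host() {
  openssl verify -CAfile "$1/tls.crt" -verify_hostname "$2" "$1/tls.crt" >/dev/null 2>&1
}

# Same check for an IP address entry in the SAN list.
verify_ip() {
  openssl verify -CAfile "$1/tls.crt" -verify_ip "$2" "$1/tls.crt" >/dev/null 2>&1
}

WORK=$(mktemp -d)                      # constructed scratch directory
make_selfsigned "$WORK" example.local
echo "SAN: $(san_list "$WORK")"
for name in example.local api.example.local localhost other.test; do
  if verify_host "$WORK" "$name"; then echo "$name: OK"; else echo "$name: rejected"; fi
done
```

Note that the wildcard entry *.example.local matches api.example.local but neither example.local itself nor a.b.example.local, which is why the bare name is listed separately as DNS.2; other.test is rejected with a host-name mismatch, the same condition behind Chrome's NET::ERR_CERT_COMMON_NAME_INVALID.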

Last updated by Yasitha Bogamuwa