
Creating a Self-Signed Server Certificate Using OpenSSL

Creating a self-signed server certificate can be a bit daunting, but with OpenSSL, it's a breeze. Follow this step-by-step guide to create your own self-signed server certificate.

Step 1: Create a Certificate Authority (CA)

First, we need to create a Certificate Authority (CA). The CA certificate is self-signed, and the CA's private key is what signs the server certificate in Step 4.

openssl req -x509 -newkey rsa:4096 -days 3650 -noenc -sha256 -utf8 -keyout ca-key.pem -out ca-cert.pem -subj \
    "/C=US/ST=Sample Region/L=Sample City/O=Sample Org/OU=Certificate Authority/CN=ca.sample.com"

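This command generates a new private key (ca-key.pem) and a self-signed certificate (ca-cert.pem) valid for 10 years. The -noenc option (OpenSSL 3.0 and later; older releases use -nodes) writes the private key without a passphrase, so restrict access to ca-key.pem: anyone who can read it can sign certificates that this CA's clients will trust.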

Step 2: Output the X.509 Certificate

To verify the details of the CA certificate, use the following command:

openssl x509 -in ca-cert.pem -noout -text

This command displays the certificate details in a human-readable format.

Step 3: Create a Server Certificate Signing Request (CSR)

Next, we need to create a Certificate Signing Request (CSR) for the server certificate.

openssl req -newkey rsa:4096 -noenc -utf8 -sha256 -keyout server-key.pem -out server-csr.pem -subj \
    "/C=US/ST=Sample Region/L=Sample City/O=Sample Org/OU=Certificate Authority/CN=server.sample.com"

This command generates a new private key (server-key.pem) and a CSR (server-csr.pem).

Step 4: Add Subject Alternative Name (SAN)

To include Subject Alternative Names (SAN) in the server certificate, sign the CSR with the CA and pass the extensions through -extfile:

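openssl x509 -req -in server-csr.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out sample-cert.pem -extfile \
    <(printf "extendedKeyUsage=serverAuth\nsubjectAltName=DNS:server.sample.com,DNS:localhost,IP:10.0.0.1")

This command signs the CSR with the CA's private key and includes the SANs server.sample.com, localhost, and 10.0.0.1, along with an extended key usage of serverAuth. The <(...) process substitution requires bash or a compatible shell; in a plain POSIX shell, write the two extension lines to a file and pass that file to -extfile instead.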

Step 5: Output the Server X.509 Certificate

To verify the details of the server certificate, use the following command:

openssl x509 -in sample-cert.pem -noout -text

This command displays the server certificate details in a human-readable format.

Step 6: Verify the Certificate Chain

Finally, verify the certificate chain to ensure that the server certificate is correctly signed by the CA:

openssl verify -CAfile ca-cert.pem sample-cert.pem

This command verifies that the server certificate (sample-cert.pem) is signed by the CA certificate (ca-cert.pem).
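
Step 6 confirms the signature chain, but not which names the certificate from Step 4 will actually be accepted for. The script below is an added example, not part of the original guide: it repeats steps 1, 3 and 4 in a temporary directory and uses openssl verify to test hostnames, IP addresses and purposes against the issued certificate. The helper names (issue, check, demo), the 2048-bit keys, the 30-day validity, -nodes and the on-disk ext.cnf file are assumptions chosen so that it runs quickly under plain sh.

```shell
#!/bin/sh
# Added example, not from the original guide. File names match the guide;
# key size and validity are reduced to keep the demo fast.
set -e

# issue DIR: steps 1, 3 and 4 of the guide, run inside DIR.
issue() {
    subj="/C=US/ST=Sample Region/L=Sample City/O=Sample Org"
    # -nodes is the older spelling of -noenc; accepted by OpenSSL 1.1.1 and 3.x.
    openssl req -x509 -newkey rsa:2048 -days 30 -nodes -sha256 \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" \
        -subj "$subj/CN=ca.sample.com" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/server-key.pem" -out "$1/server-csr.pem" \
        -subj "$subj/CN=server.sample.com" 2>/dev/null
    # Extension file written to disk so the script does not need bash's <(...).
    printf '%s\n' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:server.sample.com,DNS:localhost,IP:10.0.0.1' \
        > "$1/ext.cnf"
    openssl x509 -req -in "$1/server-csr.pem" -days 30 \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -out "$1/sample-cert.pem" -extfile "$1/ext.cnf" 2>/dev/null
}

# check DIR OPTION VALUE: chain verification plus one extra constraint,
# e.g. -verify_hostname NAME, -verify_ip ADDR or -purpose sslserver.
# Returns 0 only if the chain is valid AND the constraint is satisfied.
check() {
    openssl verify -CAfile "$1/ca-cert.pem" "$2" "$3" \
        "$1/sample-cert.pem" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    issue "$dir"
    for c in "-verify_hostname server.sample.com" "-verify_hostname localhost" \
             "-verify_hostname other.sample.com" "-verify_ip 10.0.0.1" \
             "-verify_ip 10.0.0.2" "-purpose sslserver" "-purpose sslclient"; do
        # $c is left unquoted on purpose so it splits into option and value.
        if check "$dir" $c; then echo "accept  $c"; else echo "REJECT  $c"; fi
    done
    rm -rf "$dir"
}
demo
```

Names and addresses outside the SAN list are rejected even though the chain itself is valid, and the serverAuth extended key usage makes the certificate fail the sslclient purpose check.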


And there you have it! You've successfully created a self-signed server certificate using OpenSSL. If you have any questions or need further assistance, feel free to ask. Happy coding! 😊