OpenSSL provides cryptographic libraries and features. We can use OpenSSL for tasks ranging from reading DER files to generating random numbers. But one of the most used features is creating a self signed certificate.
Self Signed Certificate
X509 is the certificate standard used on the internet and in corporate environments today. X509 certificates are designed to create a tree-like trust hierarchy between X509 certificates. For example, Google is a trusted entity and poftut.com is another entity trusted by Google, so we created a chain with this trust relationship. But as we see, there is always a root. Self signed certificates are not signed by other certificates, which means they may be used as a root certificate or as a standalone certificate.
Create Self Signed Certificate
We can create a self signed X509 certificate by using the OpenSSL req verb. Other options are
- Algorithm is RSA
- Key size is 4096 bit
- Format is PEM
- Valid for 365 days
$ openssl req -x509 -newkey rsa:4096 -keyout mycert.pem -out cert.pem -days 365
Create Self Signed Certificate without Encrypting
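In the previous step we are asked for a password, which is used to encrypt the private key written to mycert.pem. We can prevent the encryption of the private key with the -nodes option like below. OpenSSL 3.0 and later also accept -noenc as the newer name for the same option. The key file is then stored in clear text, so it should be readable only by its owner.
$ openssl req -x509 -nodes -newkey rsa:4096 -keyout mycert.pem -out cert.pem -days 365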
Self Signed Certificate Errors and Warnings
As stated before, self signed certificates do not enter a trust relationship with other certificates. This generally creates some errors and warnings, especially in browsers. Browsers use the root certificates of Certificate Authorities to check the trust of the provided certificate. Because a self signed certificate is not signed by any of them, the browser will show a warning message.
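The properties described above can be checked from the shell. The script below is an added example, not part of the original article: it creates the certificate non-interactively, confirms that subject and issuer match, and shows the verification error a client gets when the certificate is not explicitly trusted. The function names and the CN example.test are hypothetical, and an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example; function names and CN "example.test" are hypothetical.

# Create an unencrypted key (mycert.pem) and self signed cert (cert.pem) in $1.
make_selfsigned() {
    out=$1; bits=${2:-4096}
    (   umask 077   # -nodes leaves the key in clear text: keep it owner-only
        openssl req -x509 -nodes -newkey "rsa:$bits" \
            -keyout "$out/mycert.pem" -out "$out/cert.pem" \
            -days 365 -subj "/CN=example.test" 2>/dev/null )
}

# Self signed: subject equals issuer AND the signature verifies when the
# certificate is used as its own trust anchor.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*= *//')
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Error number reported when verifying against the default trust store,
# which is what a browser-like client does. Prints nothing on success.
verify_error() {
    openssl verify "$1" 2>&1 | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

# True when the PEM key file is passphrase-protected.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_selfsigned "$tmp"
is_self_signed "$tmp/cert.pem" && echo "self signed: yes"
echo "verify error without explicit trust: $(verify_error "$tmp/cert.pem")"
key_is_encrypted "$tmp/mycert.pem" || echo "private key is NOT encrypted"
```

Error 18 is OpenSSL's code for a self signed certificate at depth 0, the same condition that makes browsers show their warning.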
1 thought on “How To Create Self Signed Root Certificate with OpenSSL”
https://certificatetools.com makes this very simple and generates the OpenSSL commands you can use to do it offline.