OpenSSL Self-Signed Certificate generation

OpenSSL Self-Signed Certificate generation is a process used to create a [[Certificate Authority|CA]] certificate where the issuer and the entity are the same. This technique is commonly employed for development and testing environments where a public CA is not required^[600-developer-tools-security-openssl.md].

Context and Use Cases

In public key infrastructure, a fundamental challenge is the "public key distribution problem": verifying that a retrieved public key is authentic^[600-developer-tools-security-openssl.md]. While production environments solve this using trusted [[Certificate Authorities|CAs]], self-signed certificates allow a developer to act as their own CA^[600-developer-tools-security-openssl.md].

To use these certificates effectively within a development environment, the generated Self-Signed Certificate must be imported into the operating system's "Trusted Root Certification Authorities" store^[600-developer-tools-security-openssl.md].

Generation Procedure

The following steps outline how to generate a Root CA certificate and private key using OpenSSL.

1. Generate Private Key

First, generate a 4096-bit RSA private key for the Root CA. Using the -des3 flag enables Triple-DES encryption on the key, requiring a password to be set during creation^[600-developer-tools-security-openssl.md].

Run [OpenSSL](<./openssl.md>):

```sh
openssl genrsa -des3 -out rootCA.key 4096
```

2. Generate Self-Signed Certificate

Next, use the private key to create a self-signed X.509 certificate^[600-developer-tools-security-openssl.md].

Run [OpenSSL](<./openssl.md>):

```sh
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 36500 -out rootCA.crt
```

Command breakdown:

* `req`: certificate signing request (CSR) utility.
* `-x509`: output a self-signed certificate instead of a certificate request.
* `-new`: create a new request.
* `-nodes`: "no DES", i.e. do not encrypt a private key that the command itself writes out; it has no effect here because an existing key is supplied with `-key`.
* `-key rootCA.key`: the private key to sign with.
* `-sha256`: the digest algorithm used for the signature.
* `-days 36500`: the validity period (about 100 years).
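The two steps above as a non-interactive script, followed by the checks a practitioner would run before trusting the result: that the key file is actually encrypted at rest, that the certificate's issuer equals its subject, and that it validates against itself as a trust anchor. This is an added example, not code from the original note; the output directory, the subject name `Dev Root CA` and the passphrase are assumptions for the demo.

```sh
#!/bin/sh
# Added example (not from the original note). Requires the openssl CLI.
set -eu

# make_root_ca DIR PASSPHRASE
#   Writes DIR/rootCA.key (Triple-DES encrypted, as with -des3 on the page) and
#   DIR/rootCA.crt (self-signed, SHA-256, 36500 days). The passphrase is passed
#   via -passout/-passin so the script does not prompt. For a real CA key use
#   the interactive prompt or -passout file:... so the passphrase does not end
#   up in shell history or the process list.
make_root_ca() {
    dir="$1"; pass="$2"
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/rootCA.key" 4096 2>/dev/null
    # -nodes is kept to match the page; it has no effect since the key is an input.
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -passin "pass:$pass" \
        -sha256 -days 36500 -subj "/CN=Dev Root CA" -out "$dir/rootCA.crt" 2>/dev/null
}

# check_self_signed CRT KEY
#   Prints "ok" when: the key PEM is marked ENCRYPTED (the -des3 flag took
#   effect), the certificate's issuer equals its subject (the definition of
#   self-signed), and openssl verify accepts the cert with itself as CA file.
#   Prints the failing check and returns 1 otherwise.
check_self_signed() {
    crt="$1"; key="$2"
    grep -q 'ENCRYPTED' "$key" || { echo "key not encrypted"; return 1; }
    subj=$(openssl x509 -in "$crt" -noout -subject)
    iss=$(openssl x509 -in "$crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || { echo "issuer differs from subject"; return 1; }
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || { echo "verify failed"; return 1; }
    echo ok
}
```

Once `check_self_signed` prints `ok`, `rootCA.crt` is the file to import into the "Trusted Root Certification Authorities" store; `rootCA.key` stays private.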

Sources

  • 600-developer-tools-security-openssl.md