How to Generate Self-Signed TLS Certificates Using OpenSSL

Introduction

Transport Layer Security (TLS) certificates play a crucial role in securing communications over networks. A self-signed TLS certificate is useful for internal applications, testing, or secure communications where a Certificate Authority (CA) is not required. This guide provides a step-by-step process to generate self-signed TLS certificates using OpenSSL.

Before moving forward, remember that a self-signed certificate is a TLS/SSL certificate that is signed by the same entity that creates it, rather than by a trusted Certificate Authority (CA). It is primarily used for internal applications, testing, or development environments where trust is manually established. Unlike CA-signed certificates, self-signed certificates are not automatically trusted by browsers or operating systems, which may cause security warnings unless explicitly added to a trust store.

Prerequisites

  • OpenSSL installed on your system (Linux, macOS, or Windows with WSL).
  • Basic command-line knowledge.

Step 1: Generate a Private Key for the CA

First, generate a private key for the Certificate Authority (CA). This key is used to sign certificates.

openssl genrsa -aes256 -out ca-key.pem 4096

Step 2: Create a Self-Signed CA Certificate

Generate a self-signed CA certificate using the previously generated private key. The certificate is valid for 1 year (365 days).

openssl req -new -x509 -sha256 \
-days 365 \
-key ca-key.pem \
-subj "/C=<country-id>/ST=<state-name>/L=<location-name>/O=<org-name>/OU=<org-unit-name>/CN=Test-CA/emailAddress=ca@test.com" \
-out ca.pem

Step 3: Verify the CA Certificate

To ensure the certificate was generated correctly, inspect it with:

openssl x509 -in ca.pem -text

Step 4: Generate a Private Key for the Server Certificate

This is the certificate that will be used for testing.

Create a new private key for the server certificate:

openssl genrsa -out cert-key.pem 4096

Step 5: Generate a Certificate Signing Request (CSR)

Use the private key to generate a CSR, specifying a Common Name (CN) as needed.

openssl req -new -sha256 -subj "/CN=workload-identifier" -key cert-key.pem -out cert.csr

Step 6: Create an Extensions File

To specify additional attributes like Subject Alternative Name (SAN), create an extensions file. Use > rather than >> so that re-running the command overwrites the file instead of appending a second subjectAltName line:

echo "subjectAltName=URI:spiffe://workload/identifier" > extfile.cnf

Alternatively, the -addext option (OpenSSL 1.1.1 and later) passes an extension on the command line instead of through a file. Combined with -new -x509 it produces a self-signed leaf certificate directly from the key, with no CSR and no CA involved; it is written here to cert-selfsigned.pem to keep it apart from the CA-signed cert.pem of Step 7:

openssl req -new -x509 -sha256 -days 365 -key cert-key.pem -subj "/CN=workload-identifier" \
-addext "subjectAltName = URI:spiffe://workload/identifier" -out cert-selfsigned.pem

Step 7: Generate the Server Certificate

Sign the CSR using the CA certificate and private key to generate the final certificate.

openssl x509 -req -sha256 -days 365 \
-in cert.csr \
-CA ca.pem \
-CAkey ca-key.pem \
-out cert.pem \
-extfile extfile.cnf \
-CAcreateserial
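Steps 1 to 7 as one non-interactive script, followed by the check the guide does not show: that cert.pem chains to ca.pem and actually carries the SPIFFE URI SAN. This is an added example, not part of the original guide; it assumes a scratch directory, a constructed passphrase passed via -passout/-passin in place of the interactive prompt, and a shortened -subj.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): Steps 1 to 7 run end to end
# in a scratch directory, then the leaf certificate is verified against the CA.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="constructed-passphrase"   # constructed for the demo; real CA keys belong in a secret store

make_chain() {
  cd "$WORKDIR"
  # Steps 1-2: encrypted CA key and a one-year self-signed CA certificate.
  # -passout/-passin replace the interactive passphrase prompt.
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca-key.pem 4096 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 -key ca-key.pem -passin "pass:$CA_PASS" \
    -subj "/O=Test/CN=Test-CA" -out ca.pem
  # Steps 4-5: leaf key and CSR.
  openssl genrsa -out cert-key.pem 4096 2>/dev/null
  openssl req -new -sha256 -subj "/CN=workload-identifier" -key cert-key.pem -out cert.csr
  # Step 6: extensions file, written with '>' so a re-run does not stack lines.
  printf 'subjectAltName=URI:spiffe://workload/identifier\n' > extfile.cnf
  # Step 7: the CA signs the CSR; the SAN comes from extfile.cnf, not from the CSR.
  openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca.pem -CAkey ca-key.pem \
    -passin "pass:$CA_PASS" -out cert.pem -extfile extfile.cnf -CAcreateserial 2>/dev/null
}

# Succeeds only if cert.pem chains to ca.pem AND carries the SPIFFE URI SAN;
# a leaf signed without -extfile passes the first check but fails the second.
verify_leaf() {
  cd "$WORKDIR"
  openssl verify -CAfile ca.pem cert.pem >/dev/null || return 1
  openssl x509 -in cert.pem -noout -text | grep -q 'URI:spiffe://workload/identifier'
}

make_chain
if verify_leaf; then
  echo "cert.pem chains to ca.pem and carries the expected SAN"
else
  echo "verification failed" >&2
  exit 1
fi
```

The SAN check matters because x509 -req silently drops any extensions requested in the CSR; only what -extfile supplies ends up in cert.pem.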

Conclusion

You have successfully generated a self-signed TLS certificate using OpenSSL. This certificate can be used for internal applications, development, and testing purposes. For production use, consider obtaining a certificate from a trusted Certificate Authority.
