This guide will show you how to create a self-signed certificate with various tools.
OpenSSL
With New RSA Key
openssl req -days 500 -newkey rsa:4096 -keyout privkey.pem -nodes -sha256 -x509 -out cert.pemWith Existing RSA Key
openssl req -days 500 -key privkey.pem -nodes -sha256 -x509 -out cert.pem| Option | Required | What It Does |
|---|---|---|
| req | Yes | Instructs OpenSSL to use its certificate signing request functionality. |
| -days 500 | No | Specifies how many days from today until the certificate expires. In this example, it is set to 500 days. If not specified, the default value from your OpenSSL configuration file is used. |
| -newkey rsa:4096 | No | Instructs OpenSSL to create a 4096 bit RSA key. If this is not included, a key with the default key length specified in your OpenSSL configuration file will be generated. |
| -keyout privkey.pem | No | Instructs OpenSSL to write the newly generated private key to the file privkey.pem. If left out, the default filename will be used. |
| -nodes | No | Prevents OpenSSL from encrypting the private key file. Without this, you will be prompted for a password that will by used to encrypt it. |
| -sha256 | No | Uses sha256 to sign the request and certificate. Your default is used if this is left out. Other algorithms such as SHA512 or MD5 can be used. |
| -x509 | Yes | Outputs a self-signed certificate instead of a CSR. |
| -out cert.pem | No | Writes the output to the file cert.pem instead of standard output. |
| -key privkey.pem | Yes, if using an existing key, otherwise no. | Reads the RSA private key from privkey.pem. Without it, a new key will be generated. |
Keytool
keytool -genkeypair -alias mycert -keystore keys.jks -validity 500 -keyalg RSA -keysize 4096| Option | Required | What It Does |
|---|---|---|
| -genkeypair | Yes | Instructs keytool to generate an asymmetric key pair and self-signed certificate. |
| -alias mycert | No | Sets the keystore alias of the certificate to mycert. If omitted, the alias will be set to mykey. |
| -keystore keys.jks | No | Specifies the keystore file to add the certificate and keys to. This defaults to .keystore in your home directory. |
| -validity 500 | No | Sets the certificate expiration to 500 days from when you run the command. The default is 90 days. |
| -keyalg RSA | No | Use RSA for the asymmetric encryption algorithm. The default is DSA. |
| -keysize 4096 | No | Use a 4096 bit key. The default depends on the keyalg. They are 2048 bit for RSA, 256 bit for Elliptic Curve, and 1024 bit for DSA. |
NSS
If you don’t already have an NSS certificate database, create one with this command:
certutil -N -d /home/tyler/cert_db_dir Generate the certificate:
certutil -S -d /home/tyler/cert_db_dir -n tyler -t u,u,u -v 6 -s CN=tylersguides.com,O=tg -x| Option | Required | What It Does |
|---|---|---|
| -N | Yes, if creating a new database. | Create a new certificate database. |
| -d /home/tyler/cert_db_dir | No | Use the directory /home/tyler/cert_db_dir as the certificate database. If omitted, the default is ~/.netscape on UNIX like systems and the current directory on Windows. |
| -S | Yes | Instructs certutil to create a certificate. |
| -n tyler | Yes | The name of the certificate in the database. |
| -t u,u,u | Yes | The trust settings of the certificate. In this case, it is set for authentication and signing for SSL, email, and object signing, respectively. See the NSS Tools certutil documentation for more information. |
| -v 6 | No | Sets the certificate expiration to 6 months from now. The default is 3 months. |
| -s CN=tylersguides.com,O=tg | Yes | The subject of the certificate will be CN=tylersguides.com,O=tg |
| -x | Yes | Create a self-signed certificate. |
GnuTLS
If you need to generate a key pair:
certtool -p --bits=4096 --outfile=privkey.pemGenerate the certificate
certtool -s --load-privkey=privkey.pem| Option | Required | What It Does |
|---|---|---|
| -p | Yes | Creates a new private key. |
| –bits=4096 | No | Sets the key length to 4096 bits. The default is 2048. |
| –outfile=privkey.pem | No | Writes the private key to the file privkey.pem. The default is standard output. |
| Option | Required | What It Does |
|---|---|---|
| -s | Yes | Creates a self-signed certificate. |
| –load-privkey=privkey.pem | Yes | Use the private key stored in the file privkey.pem. |
Quick Reference
openssl req -days 500 -newkey rsa:4096 -keyout privkey.pem -nodes -sha256 -x509 -out cert.pem
openssl req -days 500 rsa:4096 -key privkey.pem -nodes -sha256 -x509 -out cert.pem
keytool -genkeypair -alias mycert -keystore keys.jks -validity 500 -keyalg RSA -keysize 4096
certutil -N -d /home/tyler/cert_db_dir
certutil -S -d /home/tyler/cert_db_dir -n tyler -t u,u,u -v 6 -s CN=tylersguides.com,O=tg -x
certtool -p --bits=4096 --outfile=privkey.pem
certtool -s --load-privkey=privkey.pem
References
- OpenSSL Documentation
- NSS Tools Certutil Documentation
- Introduction to Cryptography
- GnuTLS Documentation
- Keytool Documentation
- Internet Engineering Task Force RFC 5246 (TLS 1.2)
- Internet Engineering Task Force RFC 7468 (Textual Encodings of PKIX, PKCS, and CMS Structures)
- Internet Engineering Task Force RFC 5280 (X.509 PKI and CRL Profile)
- Internet Engineering Task Force RFC 2437 (PKCS #1 RSA Cryptography Specifications Version 2.0)