Self-Signed Certificate How-To

2016-09-27

This guide will show you how to create a self-signed certificate with various tools.

OpenSSL

With New RSA Key

openssl req -days 500 -newkey rsa:4096 -keyout privkey.pem -nodes -sha256 -x509 -out cert.pem

With Existing RSA Key

openssl req -days 500 -key privkey.pem -nodes -sha256 -x509 -out cert.pem

Option | Required | What It Does
req | Yes | Instructs OpenSSL to use its certificate signing request functionality.
-days 500 | No | Specifies how many days from today until the certificate expires. In this example, it is set to 500 days. If not specified, the default value from your OpenSSL configuration file is used.
-newkey rsa:4096 | No | Instructs OpenSSL to create a 4096 bit RSA key. If this is not included, a key with the default key length specified in your OpenSSL configuration file will be generated.
-keyout privkey.pem | No | Instructs OpenSSL to write the newly generated private key to the file privkey.pem. If left out, the default filename will be used.
-nodes | No | Prevents OpenSSL from encrypting the private key file. Without this, you will be prompted for a password that will be used to encrypt it.
-sha256 | No | Uses SHA-256 to sign the request and certificate. Your default is used if this is left out. Other algorithms such as SHA-512 or MD5 can be used (MD5 signatures are no longer accepted by modern clients, so prefer SHA-256 or stronger).
-x509 | Yes | Outputs a self-signed certificate instead of a CSR.
-out cert.pem | No | Writes the output to the file cert.pem instead of standard output.
-key privkey.pem | Yes, if using an existing key; otherwise no | Reads the RSA private key from privkey.pem. Without it, a new key will be generated.
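
The command above stops to ask for the subject fields and, without -nodes, a key password. The script below is an added example, not part of the original guide: it runs the same openssl req command non-interactively, protects the unencrypted key that -nodes produces, and then checks what was issued (issuer equals subject, the signature verifies against the certificate's own key, it has not expired, and the digest is SHA-256 rather than a legacy one). The subject /CN=example.test/O=Example, the file names and the function names are assumptions of the example; -subj, -batch, -checkend and -fingerprint are standard openssl options.

```shell
#!/bin/sh
# Added example (not from the original guide): the quick-reference OpenSSL
# command made non-interactive, followed by checks on the result.
# Assumed/constructed: the subject "/CN=example.test/O=Example", the file
# names and the helper function names below.

set -eu

# make_selfsigned KEYFILE CERTFILE SUBJECT DAYS [BITS]
# -subj and -batch answer the prompts the interactive command would ask.
make_selfsigned() {
    key=$1; cert=$2; subject=$3; days=$4; bits=${5:-4096}
    # -nodes leaves the private key unencrypted on disk, so create it with
    # owner-only permissions instead of relying on the default umask.
    old_umask=$(umask); umask 077
    openssl req -days "$days" -newkey "rsa:$bits" -keyout "$key" -nodes \
        -sha256 -x509 -subj "$subject" -batch -out "$cert" 2>/dev/null
    umask "$old_umask"
    chmod 600 "$key"
}

# cert_field CERTFILE subject|issuer -> the DN without the "subject="/"issuer=" prefix
cert_field() {
    openssl x509 -in "$1" -noout "-$2" | sed "s/^$2=//"
}

# cert_sigalg CERTFILE -> e.g. sha256WithRSAEncryption. Use this to confirm
# that -sha256 took effect and no legacy digest (MD5, SHA-1) was used.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# check_selfsigned CERTFILE -> exit 0 only if the certificate is self-signed
# (issuer equals subject), verifies against its own key, and is not expired.
check_selfsigned() {
    cert=$1
    [ "$(cert_field "$cert" subject)" = "$(cert_field "$cert" issuer)" ] || return 1
    # A self-signed certificate verifies when it is used as its own trust anchor.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
    # -checkend 0 fails if the certificate expires within 0 seconds, i.e. already has.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
}

# Usage: sh selfsigned.sh demo
if [ "${1:-}" = "demo" ]; then
    make_selfsigned privkey.pem cert.pem "/CN=example.test/O=Example" 500
    check_selfsigned cert.pem && echo "cert.pem is a valid self-signed certificate"
    echo "signature algorithm: $(cert_sigalg cert.pem)"
    openssl x509 -in cert.pem -noout -dates -fingerprint -sha256
fi
```

The SHA-256 fingerprint printed at the end is what you hand to the other side of a connection so they can pin or manually trust the certificate; a self-signed certificate has no CA chain, so the fingerprint is the only thing that ties it to you.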

Keytool

keytool -genkeypair -alias mycert -keystore keys.jks -validity 500 -keyalg RSA -keysize 4096

Option | Required | What It Does
-genkeypair | Yes | Instructs keytool to generate an asymmetric key pair and self-signed certificate.
-alias mycert | No | Sets the keystore alias of the certificate to mycert. If omitted, the alias will be set to mykey.
-keystore keys.jks | No | Specifies the keystore file to add the certificate and keys to. This defaults to .keystore in your home directory.
-validity 500 | No | Sets the certificate expiration to 500 days from when you run the command. The default is 90 days.
-keyalg RSA | No | Uses RSA as the key pair algorithm. The default is DSA.
-keysize 4096 | No | Uses a 4096 bit key. The default depends on the keyalg: 2048 bits for RSA, 256 bits for Elliptic Curve, and 1024 bits for DSA.
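
keytool prompts for the distinguished name and for the keystore and key passwords. The script below is an added example, not part of the original guide: it answers those prompts with -dname, -storepass and -keypass, exports the certificate to PEM with -exportcert -rfc so non-Java tools can read it, and confirms with keytool -printcert that Owner and Issuer are the same DN. The DN, the constructed password constructed-changeit, the file names and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original guide): the quick-reference keytool
# command made non-interactive, then export to PEM and a self-signed check.
# Assumed/constructed: the DN "CN=example.test, O=Example", the password
# "constructed-changeit", the file names and the helper names below.

set -eu

# keytool_selfsigned KEYSTORE ALIAS DNAME PASSWORD [DAYS] [BITS]
# Passing passwords in argv makes them visible to other local users via ps;
# keytool also accepts -storepass:env VAR and -storepass:file FILE for that
# reason. The plain form is used here to keep the example short.
keytool_selfsigned() {
    ks=$1; alias=$2; dname=$3; pass=$4; days=${5:-500}; bits=${6:-4096}
    keytool -genkeypair -alias "$alias" -keystore "$ks" -validity "$days" \
        -keyalg RSA -keysize "$bits" -dname "$dname" \
        -storepass "$pass" -keypass "$pass" 2>/dev/null
}

# keytool_export_pem KEYSTORE ALIAS PASSWORD OUTFILE
# -rfc writes the certificate in PEM form instead of binary DER.
keytool_export_pem() {
    keytool -exportcert -alias "$2" -keystore "$1" -storepass "$3" \
        -rfc -file "$4" 2>/dev/null
}

# printcert_field PEMFILE Owner|Issuer -> the DN shown by keytool -printcert
printcert_field() {
    keytool -printcert -file "$1" | sed -n "s/^$2: //p" | head -n 1
}

# keytool_check_selfsigned PEMFILE -> exit 0 if Owner and Issuer are the same DN
keytool_check_selfsigned() {
    owner=$(printcert_field "$1" Owner)
    issuer=$(printcert_field "$1" Issuer)
    [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

# Usage: sh keytool-selfsigned.sh demo
if [ "${1:-}" = "demo" ]; then
    keytool_selfsigned keys.jks mycert "CN=example.test, O=Example" constructed-changeit
    keytool_export_pem keys.jks mycert constructed-changeit mycert.pem
    keytool_check_selfsigned mycert.pem && echo "mycert.pem is self-signed"
    # Validity and signature algorithm as the keystore records them.
    keytool -list -v -keystore keys.jks -storepass constructed-changeit \
        | grep -E 'Alias name|Valid from|Signature algorithm'
fi
```

The private key never leaves the keystore in this flow; only the certificate is exported, which is the right default when the PEM file is going to be copied to other machines.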

NSS

If you don’t already have an NSS certificate database, create one with this command:

certutil -N -d /home/tyler/cert_db_dir 

Generate the certificate:

certutil -S -d /home/tyler/cert_db_dir -n tyler -t u,u,u -v 6 -s CN=tylersguides.com,O=tg -x

Option | Required | What It Does
-N | Yes, if creating a new database | Creates a new certificate database.
-d /home/tyler/cert_db_dir | No | Uses the directory /home/tyler/cert_db_dir as the certificate database. If omitted, the default is ~/.netscape on UNIX-like systems and the current directory on Windows.
-S | Yes | Instructs certutil to create a certificate.
-n tyler | Yes | The name (nickname) of the certificate in the database.
-t u,u,u | Yes | The trust settings of the certificate. In this case, it is set for authentication and signing for SSL, email, and object signing, respectively. See the NSS Tools certutil documentation for more information.
-v 6 | No | Sets the certificate expiration to 6 months from now. The default is 3 months.
-s CN=tylersguides.com,O=tg | Yes | The subject of the certificate will be CN=tylersguides.com,O=tg.
-x | Yes | Creates a self-signed certificate.
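
certutil -N asks for a database password and certutil -S asks you to type random keystrokes to seed key generation. The script below is an added example, not part of the original guide: it supplies the password from a file with -f, seeds the generator from a noise file with -z, then reads back the nickname and trust flags NSS recorded and exports the certificate as PEM with -L -n NICK -a. The database directory, the password file and its contents, the noise file and the function names are assumptions of the example; -f, -z, -L and -a are documented certutil options.

```shell
#!/bin/sh
# Added example (not from the original guide): the two quick-reference
# certutil commands made non-interactive, followed by a trust-flag check and
# a PEM export. Assumed/constructed: the database directory, the password
# file, the noise file and the helper names below.

set -eu

# nss_init_db DBDIR PWFILE
# certutil -N prompts for a database password; -f reads it from a file instead.
nss_init_db() {
    dbdir=$1; pwfile=$2
    mkdir -p "$dbdir"
    certutil -N -d "$dbdir" -f "$pwfile"
}

# nss_selfsigned DBDIR PWFILE NICKNAME SUBJECT MONTHS
# Without -z, certutil -S waits for keyboard input to seed the key generator;
# here 2 KiB from /dev/urandom is written to a temporary noise file (constructed).
nss_selfsigned() {
    dbdir=$1; pwfile=$2; nick=$3; subject=$4; months=$5
    noise=$(mktemp)
    head -c 2048 /dev/urandom > "$noise"
    certutil -S -d "$dbdir" -f "$pwfile" -n "$nick" -t u,u,u -v "$months" \
        -s "$subject" -x -z "$noise"
    rm -f "$noise"
}

# nss_trust_flags DBDIR NICKNAME -> the trust column of certutil -L, e.g. u,u,u
nss_trust_flags() {
    certutil -L -d "$1" | awk -v n="$2" '$1 == n {print $NF; exit}'
}

# nss_export_pem DBDIR NICKNAME OUTFILE
# -L with -n selects one certificate and -a prints it in ASCII (PEM) form.
nss_export_pem() {
    certutil -L -d "$1" -n "$2" -a > "$3"
}

# Usage: sh nss-selfsigned.sh demo
if [ "${1:-}" = "demo" ]; then
    printf 'constructed-db-password\n' > pw.txt
    nss_init_db cert_db_dir pw.txt
    nss_selfsigned cert_db_dir pw.txt tyler "CN=tylersguides.com,O=tg" 6
    echo "trust flags for tyler: $(nss_trust_flags cert_db_dir tyler)"
    nss_export_pem cert_db_dir tyler tyler.pem
    # Human-readable issuer, subject and expiry as stored in the database.
    certutil -L -d cert_db_dir -n tyler | grep -E 'Issuer|Subject|Not After'
fi
```

The trust-flag check matters because u,u,u only says "this certificate has a private key here"; if you later want the certificate trusted as a peer or CA by other NSS applications, the flags have to be changed with certutil -M, and listing them is how you confirm what a database currently trusts.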

GnuTLS

If you need to generate a key pair:

certtool -p --bits=4096 --outfile=privkey.pem

Generate the certificate:

certtool -s --load-privkey=privkey.pem

Option | Required | What It Does
-p | Yes | Creates a new private key.
--bits=4096 | No | Sets the key length to 4096 bits. The default is 2048.
--outfile=privkey.pem | No | Writes the private key to the file privkey.pem. The default is standard output.

Option | Required | What It Does
-s | Yes | Creates a self-signed certificate.
--load-privkey=privkey.pem | Yes | Uses the private key stored in the file privkey.pem.
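
certtool -s asks a series of questions (common name, organisation, validity, key usage) and the quick-reference command writes the certificate to standard output. The script below is an added example, not part of the original guide: it answers those questions with a --template file, which is GnuTLS's documented way to script certtool, writes the certificate with --outfile, and inspects it with certtool -i to confirm Subject and Issuer match. The template values (cn, organization, expiration_days), the file names and the function names are assumptions of the example; signing_key and tls_www_server are documented template fields.

```shell
#!/bin/sh
# Added example (not from the original guide): the two quick-reference
# certtool commands made non-interactive with a template, then an inspection
# of the result. Assumed/constructed: the template values, the file names and
# the helper names below.

set -eu

# certtool_keygen KEYFILE [BITS]
# The key is written unencrypted, so create it with owner-only permissions.
certtool_keygen() {
    old_umask=$(umask); umask 077
    certtool -p --bits="${2:-4096}" --outfile="$1" 2>/dev/null
    umask "$old_umask"
}

# write_template FILE CN ORG DAYS
# cn, organization, expiration_days, signing_key and tls_www_server are
# documented certtool template fields; they replace the interactive questions.
write_template() {
    cat > "$1" <<EOF
cn = "$2"
organization = "$3"
expiration_days = $4
signing_key
tls_www_server
EOF
}

# certtool_selfsigned KEYFILE TEMPLATE CERTFILE
certtool_selfsigned() {
    certtool -s --load-privkey="$1" --template="$2" --outfile="$3" 2>/dev/null
}

# cert_dn CERTFILE Subject|Issuer -> the DN line from certtool -i
cert_dn() {
    certtool -i --infile="$1" | sed -n "s/^[[:space:]]*$2: //p" | head -n 1
}

# certtool_check_selfsigned CERTFILE -> exit 0 if Subject equals Issuer
certtool_check_selfsigned() {
    subj=$(cert_dn "$1" Subject); iss=$(cert_dn "$1" Issuer)
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Usage: sh certtool-selfsigned.sh demo
if [ "${1:-}" = "demo" ]; then
    certtool_keygen privkey.pem
    write_template cert.tmpl example.test Example 500
    certtool_selfsigned privkey.pem cert.tmpl cert.pem
    certtool_check_selfsigned cert.pem && echo "cert.pem is self-signed"
    certtool -i --infile=cert.pem | grep -E 'Subject:|Issuer:|Not After|Signature Algorithm'
fi
```

Keeping the template in version control alongside the script makes the certificate's subject, validity and key-usage bits reviewable, which is the main advantage over answering certtool's prompts by hand.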

Quick Reference

openssl req -days 500 -newkey rsa:4096 -keyout privkey.pem -nodes -sha256 -x509 -out cert.pem
openssl req -days 500 -key privkey.pem -nodes -sha256 -x509 -out cert.pem
keytool -genkeypair -alias mycert -keystore keys.jks -validity 500 -keyalg RSA -keysize 4096
certutil -N -d /home/tyler/cert_db_dir
certutil -S -d /home/tyler/cert_db_dir -n tyler -t u,u,u -v 6 -s CN=tylersguides.com,O=tg -x
certtool -p --bits=4096 --outfile=privkey.pem
certtool -s --load-privkey=privkey.pem
