SSL Tutorial #1: Creating Self-signed SSL CA Certificate and Issuing Own Domain Certificate

Create a single self-signed website cert

If you only need a cert for one or a few domains, there is no need to create a CA cert. A single website cert is enough.

Generate SSL key and cert file

openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.crt


  • openssl — A widely used application for generating SSL keys and certificates.
  • req — Tell OpenSSL that you want to generate keys and certs (or cert requests).
  • -x509 — Tell OpenSSL to generate a self-signed cert file, not a cert request file.
  • -days 3650 — The cert will be valid for 3650 days (approx. 10 years).
  • -newkey rsa:2048 — Generate a new RSA key pair for the cert; the key length is 2048 bits.
  • -nodes — Read as ‘no DES’, meaning the key is written without a passphrase. You may remove this option for enhanced safety, but it will be inconvenient because you have to enter the passphrase every time you start Apache/Nginx.
  • -keyout mydomain.key — Write the key to the mydomain.key file. You can specify your own file name.
  • -out mydomain.crt — Write the cert to the mydomain.crt file. You can specify your own file name.

Specify cert details

You’ll see something like this:

Generating a 4096 bit RSA private key
writing new private key to 'mydomain.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Then like this:

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Los Angeles
Organization Name (eg, company) [Default Company Ltd]:Example & Co.
Organizational Unit Name (eg, section) []:Public Relationship
Common Name (eg, your name or your server's hostname) []
Email Address []

You can leave anything blank except ‘Common Name’. The Common Name must be your exact domain name. You may use a * wildcard, which covers all subdomains but not the bare domain itself.
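The single-cert procedure above, done non-interactively and then checked; this is an added example, not code from the original tutorial. It assumes openssl 1.1.1 or newer on PATH; the output directory, the domain example.com and the DN values are constructed, and the subjectAltName it adds (which browsers require for hostname matching) is not part of the original command.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the single self-signed cert
# from above, created non-interactively and then checked. Assumptions: openssl
# 1.1.1 or newer on PATH; the directory, domain and DN values are constructed.
set -eu

# make_self_signed DIR DOMAIN -> writes DIR/DOMAIN.key (mode 0600) and DIR/DOMAIN.crt
make_self_signed() {
  dir=$1; domain=$2
  # -subj answers the Distinguished Name prompts; CN is the exact domain name.
  # -addext adds a subjectAltName: browsers match the SAN rather than the CN,
  # and a wildcard *.DOMAIN does not cover the bare DOMAIN, so both are listed.
  openssl req -x509 -days 3650 -newkey rsa:2048 -nodes \
    -keyout "$dir/$domain.key" -out "$dir/$domain.crt" \
    -subj "/C=US/ST=California/L=Los Angeles/O=Example Co/CN=$domain" \
    -addext "subjectAltName=DNS:$domain,DNS:*.$domain" 2>/dev/null
  chmod 600 "$dir/$domain.key"   # the .key file must never be world-readable
}

# cert_cn CRT -> prints the Common Name from the certificate subject
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=CN=\([^,]*\).*/\1/p'
}

# cert_sans CRT -> prints each DNS name in subjectAltName on its own line
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

# cert_is_self_signed CRT -> true when issuer and subject are the same name
cert_is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# cert_valid_for CRT DAYS -> true when the cert will not expire within DAYS days
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed demo run: one cert for example.com and its subdomains
work=$(mktemp -d)
make_self_signed "$work" example.com
echo "CN: $(cert_cn "$work/example.com.crt")"
cert_sans "$work/example.com.crt"
```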

See Tutorial #2 on how to configure SSL on Apache on SL6/CentOS6.

Creating a self-signed CA cert

Generate SSL key and cert file

openssl req -x509 -days 3650 -newkey rsa:4096 -nodes -keyout myca.key -out myca.crt

See the explanation of the same command in the first section above; the only difference here is the 4096-bit key.

Specify cert details

See ‘Specify cert details’ in the first section above, except that for a CA cert you may write anything in ‘Common Name’.

Issue a website cert using CA cert

Create a website cert request

mkdir mysite
cp myca.key mysite/ca.key
cp myca.crt mysite/ca.crt
cd mysite
openssl req -new -newkey rsa:2048 -nodes -keyout mysite.key -out mysite.csr

Essentially, this is similar to the key/cert command in the first section, except that:

  1. you specify the -new option instead of -x509, meaning you get a cert request rather than a cert file.
  2. there is no need to specify the -days option (the validity period is set when the CA signs the request).

Sign with CA cert

Although you could sign the request with the CA cert using OpenSSL directly, it is easier to use the helper shell script shipped with mod_ssl.

tar xvf mod_ssl-2.8.31-1.3.41.tar.gz
cp mod_ssl-2.8.31-1.3.41/pkg.contrib/ .
chmod 744

You need to modify it before running it.

  1. Change the line default_days = 365 to default_days = 3650, i.e. 10 years.
  2. Change the line default_md = md5 to default_md = sha1, because Firefox 16+ treats md5 as a vulnerable signature algorithm and will display a warning.
  3. If you have already created any website certs with this CA cert, change the line echo '01' >ca.db.serial to a greater number, because Firefox will block the cert if it finds a duplicate serial number.

Then run the script.

./ mysite.csr

That’s it! Now you have mysite.crt, signed by the CA cert myca.crt.
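The CA, request and signing steps above carried out with plain openssl instead of the helper script; this is an added example, not the tutorial’s script. It assumes openssl 1.1.1 or newer and uses constructed file names, a constructed CA name and the domain www.example.com; it signs with sha256 rather than sha1, since current browsers reject SHA-1 signatures as well, and keeps a serial file so that a re-issued cert never repeats a serial number.

```shell
#!/bin/sh
# Added example, not the tutorial's helper script: CA, request and signing with
# plain openssl, signing with sha256 (browsers reject md5 and now sha1 too) and
# a serial file so no two certs share a serial. Assumes openssl 1.1.1 or newer;
# all file names and DN values are constructed.
set -eu
# make_ca DIR -> DIR/ca.key and DIR/ca.crt; the CN can be anything
make_ca() {
  # Own minimal config: marks the cert as a CA, independent of the system openssl.cnf
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -days 3650 -newkey rsa:4096 -nodes -config "$1/req.cnf" \
    -subj "/CN=My Test CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"
}
# make_csr DIR DOMAIN -> DIR/site.key and DIR/site.csr (-new, no -x509, no -days)
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -subj "/CN=$2" -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null
  chmod 600 "$1/site.key"
}
# sign_csr DIR DOMAIN -> DIR/site.crt signed by the CA. -CAcreateserial creates
# DIR/ca.srl on first use; later runs increment it, so a re-issued cert always
# gets a fresh serial (the duplicate-serial problem the tutorial warns about).
sign_csr() {
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > "$1/site.ext"
  openssl x509 -req -days 3650 -sha256 -in "$1/site.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial -CAserial "$1/ca.srl" \
    -extfile "$1/site.ext" -out "$1/site.crt" 2>/dev/null
}
# verify_chain DIR -> true when site.crt chains to ca.crt
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/site.crt" >/dev/null 2>&1; }
# cert_serial CRT -> prints the hex serial number
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
# cert_sigalg CRT -> prints the signature algorithm, e.g. sha256WithRSAEncryption
cert_sigalg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

# Constructed demo run
work=$(mktemp -d)
make_ca "$work"; make_csr "$work" www.example.com; sign_csr "$work" www.example.com
verify_chain "$work" && echo "site.crt OK, serial $(cert_serial "$work/site.crt"), $(cert_sigalg "$work/site.crt")"
```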

See Tutorial #2 on how to configure SSL on Apache on SL6/CentOS6.

Caveat on playing with cert files

You may have come across these files: .csr, .crt, .key, .pem, etc. What are they?

  • .csr — Certificate Signing Request. This file contains the information you entered in the first section above plus your public key. It is used to request a signature from a CA and can be publicly exposed.
  • .crt, .cer — Certificate. This is your certificate file, which contains your information, your public key and a signature. It differs from a .csr in that it is signed, either by a CA or by yourself. It can and should be publicly released.
  • bundle.crt — CA Certificate Bundle. This is a collection of CA certs containing any intermediate CA certs and a root CA cert. It can be publicly exposed.
  • .key — Private Key. This is your private key. NEVER expose it to the public! It is said that the private keys of root CAs are physically locked in a safe.
  • .pem — Privacy Enhanced Mail. This includes both the public key and the private key. Never expose it to the public.
  • .der — Distinguished Encoding Rules. Basically the same as .pem, but binary rather than base64.
  • .p7b, .p12, .pfx, etc. — May contain multiple certs and keys. Also never expose these to the public.
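A short check of the file types above, added here and not part of the original post: converting a cert between PEM and DER, confirming that a .key belongs to a .crt, and building a .p12 bundle that, because it holds the private key, needs a password. It assumes openssl 1.1.1 or newer; the file names, the domain and the password are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: inspecting and converting the
# file types listed above. Assumes openssl 1.1.1 or newer; all names and the
# password are constructed for the demo.
set -eu

# make_pair DIR -> DIR/site.key and DIR/site.crt (a throwaway self-signed pair)
make_pair() {
  openssl req -x509 -days 30 -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null
  chmod 600 "$1/site.key"
}

# pem_to_der CRT OUT -> the same certificate as binary DER instead of base64 PEM
pem_to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2"; }

# der_to_pem DER OUT -> back to PEM; a round trip reproduces the original bytes
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# key_matches_cert KEY CRT -> true when CRT carries the public half of KEY
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# make_p12 KEY CRT OUT PASS -> a .p12/.pfx bundle holding key and cert; because
# it contains the private key it needs a password and the same secrecy as .key
make_p12() { openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"; }

# p12_has_key P12 PASS -> true when the bundle contains a private key
p12_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# holds_private_key FILE -> true for a PEM file that must never be published
holds_private_key() { grep -q 'PRIVATE KEY' "$1"; }

# Constructed demo run
work=$(mktemp -d)
make_pair "$work"
pem_to_der "$work/site.crt" "$work/site.der"
key_matches_cert "$work/site.key" "$work/site.crt" && echo "site.key matches site.crt"
```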
