1. Overview

OpenSSL is an open-source command-line tool that allows users to perform various SSL-related tasks.

In this tutorial, we’ll learn how to create a self-signed certificate with OpenSSL.

Further reading:

Trusting a Self-Signed Certificate in OkHttp

Learn how to configure an OkHttpClient to trust self-signed certificates

Converting a PEM File to Java KeyStore Format

Learn how to convert certificates from a PEM (Privacy Enhanced Email) file to JKS (Java KeyStore) format using the <em>openssl</em> and <em>keytool</em> command-line utilities.

HTTPS using Self-Signed Certificate in Spring Boot

Explore how to generate a self-signed certificate to enable HTTPS in a Spring Boot application.

2. Creating a Private Key

First, we’ll create a private key. A private key helps to enable encryption, and is the most important component of our certificate.

Let’s create a password-protected, 2048-bit RSA private key (domain.key) with the openssl command:

openssl genrsa -des3 -out domain.key 2048

We’ll enter a password when prompted. The output will look like:

Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)
Enter pass phrase for domain.key:
Verifying - Enter pass phrase for domain.key:

If we want our private key unencrypted, we can simply remove the -des3 option from the command.

3. Creating a Certificate Signing Request

If we want our certificate signed, we need a certificate signing request (CSR). The CSR includes the public key and some additional information (such as organization and country).

Let’s create a CSR (domain.csr) from our existing private key:

openssl req -key domain.key -new -out domain.csr

We’ll enter our private key password and some CSR information to complete the process. The output will look like:

Enter pass phrase for domain.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:stateA                        
Locality Name (eg, city) []:cityA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:companyA
Organizational Unit Name (eg, section) []:sectionA
Common Name (e.g. server FQDN or YOUR name) []:domain
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

An important field is “Common Name,” which should be the exact Fully Qualified Domain Name (FQDN) of our domain.

A challenge password” and “An optional company name” can be left empty.

We can also create both the private key and CSR with a single command:

openssl req -newkey rsa:2048 -keyout domain.key -out domain.csr

If we want our private key unencrypted, we can add the -nodes option:

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

4. Creating a Self-Signed Certificate

A self-signed certificate is a certificate that’s signed with its own private key. It can be used to encrypt data just as well as CA-signed certificates, but our users will be shown a warning that says the certificate isn’t trusted.

Let’s create a self-signed certificate (domain.crt) with our existing private key and CSR:

openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt

The -days option specifies the number of days that the certificate will be valid.

We can create a self-signed certificate with just a private key:

openssl req -key domain.key -new -x509 -days 365 -out domain.crt

This command will create a temporary CSR. We still have the CSR information prompt, of course.

We can even create a private key and a self-signed certificate with just a single command:

openssl req -newkey rsa:2048 -keyout domain.key -x509 -days 365 -out domain.crt

5. Creating a CA-Signed Certificate With Our Own CA

We can be our own certificate authority (CA) by creating a self-signed root CA certificate, and then installing it as a trusted certificate in the local browser.

5.1. Create a Self-Signed Root CA

Let’s create a private key (rootCA.key) and a self-signed root CA certificate (rootCA.crt) from the command line:

openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt

5.2. Sign Our CSR With Root CA

First, we’ll create a configuration text-file (domain.ext) with the following content:

subjectAltName = @alt_names
DNS.1 = domain

The “DNS.1” field should be the domain of our website.

Then we can sign our CSR (domain.csr) with the root CA certificate and its private key:

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in domain.csr -out domain.crt -days 365 -CAcreateserial -extfile domain.ext

As a result, the CA-signed certificate will be in the domain.crt file.

6. View Certificates

We can use the openssl command to view the contents of our certificate in plain text:

openssl x509 -text -noout -in domain.crt

The output will look like:

        Version: 1 (0x0)
        Serial Number:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = stateA, L = cityA, O = companyA, OU = sectionA, CN = domain, emailAddress = [email protected]
            Not Before: Jul 12 07:18:18 2021 GMT
            Not After : Jul 12 07:18:18 2022 GMT
        Subject: C = AU, ST = stateA, L = cityA, O = companyA, OU = sectionA, CN = domain, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

7. Convert Certificate Formats

Our certificate (domain.crt) is an X.509 certificate that’s ASCII PEM-encoded. We can use OpenSSL to convert it to other formats for multi-purpose use.

7.1. Convert PEM to DER

The DER format is usually used with Java. Let’s convert our PEM-encoded certificate to a DER-encoded certificate:

openssl x509 -in domain.crt -outform der -out domain.der

7.2. Convert PEM to PKCS12

PKCS12 files, also known as PFX files, are usually used for importing and exporting certificate chains in Microsoft IIS.

We’ll use the following command to take our private key and certificate, and then combine them into a PKCS12 file:

openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx

8. Conclusion

In this article, we learned how to create a self-signed certificate with OpenSSL from scratch, view this certificate, and convert it to other formats. We hope these things help with your work.

Course – LSS (cat=Security/Spring Security)
announcement - icon

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:


res – Security (video) (cat=Security/Spring Security)