# How can I create a self-signed certificate with openssl?

The simplest way to create a self-signed certificate is to use OpenSSL with the following one-liner:

$openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \ -keyout key.pem -out cert.pem -days 3650 \ -subj "/C=US/ST=NY/L=New York/O=Foo Corp/OU=Bar Div/CN=www.foo.com" \ -config self-signed.conf It is often useful to create a single .pem file containing both the key and the cert: $ cat key.pem cert.pem >self-signed.pem

These steps also work on Windows, except that you will need to use openssl.exe and type to concatenate the files:

C:\path\to\wherever> type key.pem cert.pem >self-signed.pem

This resulting .pem file can be used by a webserver to provide HTTPS, but will generally result in web browsers being reluctant to display the resulting webpages, precisely because the certificate is self-signed.

It is easy enough to click through the sequence of warning dialogue boxes that browsers present the user with and get the browser to accept the certificate. Sometimes however, users would prefer to explicitly trust the certificate and avoid the ominous red warning signs that browsers typically decorate the address bar with when rendering pages encrypted with the certificate (see next question). Some browsers, notably Chrome, are more demanding of the certificate and require further structure; most versions of OpenSSL need directives provided via a configuration file to create this structure. For example, a configration file self-signed.conf with the following content:

[req]
x509_extensions = x509_ext
distinguished_name = dn

[dn]
CN = www.foo.com

[x509_ext]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.foo.com
DNS.2 = *.foo.com
IP.1 = 127.0.0.1

can be provided to OpenSSL via the -config option:

\$ openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 3650 -subj "/C=US/ST=NY/L=New York/O=Foo Corp/OU=Bar Div/CN=www.foo.com" -config self-signed.conf

Note: this content is a digest of several answers provided in this StackOverflow thread.