How to use openssl to generate a self-signed x509 certificate?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux

Issue

  • I know OpenSSL can be used to make SSL certificates for use with Apache httpd... how do I do it?

  • I previously used the genkey command to generate self-signed certificates, but it did not give me enough options and I need to specify a non-MD5 digest. How can I do this with openssl?

Resolution

Traditional Two-Step Method

  1. Generate a new RSA private key (1024, 2048, 3072, or 4096 bits), e.g.:

    $ openssl genrsa 2048 >/etc/pki/tls/private/$(hostname).key
    
  2. Use the new private key to generate a self-signed certificate, e.g.:

    $ openssl req -new -key /etc/pki/tls/private/$(hostname).key -x509 -days XXX -out /etc/pki/tls/certs/$(hostname).crt
    
  • An example of the above can be found on any system on which mod_ssl is installed.
    Simply inspect the mod_ssl rpm scripts, e.g.:

    $ rpm -q --scripts mod_ssl
    

Alternative One-Step Method

  1. Create the key and the cert in one step, e.g.:

    $ openssl req -x509 -newkey rsa:2048 -keyout /etc/pki/tls/private/$(hostname).key -out /etc/pki/tls/certs/$(hostname).crt -days XXX -nodes
    
  • Note: without the -nodes option, the resulting private key will be encrypted with a passphrase supplied by the user.

Optional Final Steps

  • Inspect the resulting self-signed certificates with the x509 sub-command, e.g.:

    $ openssl x509 -in /etc/pki/tls/certs/$(hostname).crt -text -noout
    
  • For more on creating keys or certs with openssl, see man pages:

    $ man genrsa
    $ man req
    
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.