Use openssl to create self-signed certificates and CSRs
A self-signed certificate uses the same key types, key sizes and signature algorithms as a commercially issued one, so the TLS connection it protects is no weaker; what it lacks is a signature from a certificate authority that clients already trust. You can generate one yourself, immediately and with a longer validity period than a public CA will issue. University IT often uses self-signed certificates on development and test servers.
However, because no trusted authority vouches for it, web browsers will present end users with an untrusted certificate warning (and command-line clients such as curl refuse to connect unless told to trust the certificate), so you should use a commercial certificate for your public-facing websites.
How to create self-signed certificates
These instructions use openssl. The first step is to create a private key, then a certificate signed with that key. Keep the key in a secure location: anyone who can read it can impersonate your server, so restrict its permissions (for example, chmod 600 <hostname>.key) and never copy it into version control or send it by email.
The example below creates a certificate with a 10-year (3652 days) validity. Replace <hostname> with the actual name of your server.
At the command line, enter the following. The head command and the -rand option seed the random number generator; on OpenSSL 1.1.1 and later they are unnecessary, because openssl seeds itself from the operating system, but they are harmless:
head /dev/urandom > /dev/null
openssl genrsa -rand /dev/urandom -out <hostname>.key 2048
openssl req -new -x509 -days 3652 -key <hostname>.key -out <hostname>.pem
The last command asks several questions before creating <hostname>.pem. The answers become the certificate's subject; the Common Name must be the fully qualified hostname of the server.
Country Name (2 letter code) []: US
State or Province Name (full name) []: California
Locality Name (e.g., city) []: Stanford
Organization Name (e.g., company) []: Stanford University
Organizational Unit Name (e.g., section) []: University IT
Common Name (e.g., web.stanford.edu) []: example.stanford.edu
Email Address []:
You can leave the email address blank (the CSR command in the next section also asks for an optional challenge password, which you can also leave blank). Note that current browsers ignore the Common Name and require the hostname in a subjectAltName extension: Chrome, for example, has not accepted certificates without one since version 58, so a certificate made exactly as above will be rejected for the hostname even after you trust it. With OpenSSL 1.1.1 or later, add the extension by appending -addext "subjectAltName=DNS:<hostname>" to the openssl req command, and confirm it is present with openssl x509 -in <hostname>.pem -noout -text.
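The whole procedure above as one non-interactive script, added here as an example and not part of the original page. It replaces the prompts with -subj, adds the subjectAltName extension, and includes checks that the key and certificate belong together and that the certificate verifies only when it is itself supplied as the trust anchor (which is exactly why browsers warn). It assumes OpenSSL 1.1.1 or later (for -addext); example.stanford.edu and the subject fields are the placeholder values from the prompt transcript.

```shell
#!/bin/sh
# Added example (not from the original page): self-signed certificate with a
# subjectAltName, generated without the interactive prompts.
# Assumes OpenSSL 1.1.1 or later (-addext). Hostname and subject fields are
# placeholders; replace them for real use.
set -eu

# Create <hostname>.key and <hostname>.pem in the current directory.
# $1 = hostname, $2 = validity in days (default 3652, as on the page).
make_selfsigned() {
    host="$1"
    days="${2:-3652}"
    openssl genrsa -out "$host.key" 2048 2>/dev/null
    chmod 600 "$host.key"            # only the owner may read the private key
    openssl req -new -x509 -sha256 -days "$days" \
        -key "$host.key" -out "$host.pem" \
        -subj "/C=US/ST=California/L=Stanford/O=Stanford University/OU=University IT/CN=$host" \
        -addext "subjectAltName=DNS:$host"
}

# Print the DNS name from the certificate's subjectAltName (empty if absent).
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*DNS:\([^,]*\).*/\1/p'
}

# Succeed if private key $1 matches certificate $2, by comparing the
# public key derived from each.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Succeed if certificate $1 verifies against trust file $2. A self-signed
# certificate passes only when $2 contains the certificate itself; against
# any other store it fails, which is the "untrusted" warning browsers show.
cert_verifies_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: sh selfsigned.sh example.stanford.edu
if [ -n "${1:-}" ]; then
    make_selfsigned "$1"
    echo "SAN: $(cert_san "$1.pem")"
    key_matches_cert "$1.key" "$1.pem" && echo "key and certificate match"
    cert_verifies_against "$1.pem" "$1.pem" && echo "verifies against itself"
fi
```

Run it with the hostname as the only argument; it writes <hostname>.key and <hostname>.pem into the current directory. To make a client trust the result, install <hostname>.pem itself as a trust anchor on that client (for curl, --cacert <hostname>.pem), which is what cert_verifies_against models.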
How to create a key and a CSR
Use this when a certificate authority will sign the certificate for you. To create both the key and the CSR with one command, enter the following:
head /dev/urandom > /dev/null
openssl req -new -newkey rsa:2048 -rand /dev/urandom -nodes -keyout <hostname>.key -out <hostname>.csr
You will be prompted to enter the details for your certificate. For Common Name, use the fully qualified hostname of your server. Leave the challenge password and email address empty. The -nodes option (also spelled -noenc in OpenSSL 3.0 and later) writes the private key without a passphrase so that the server can start unattended; protect the file with permissions instead. Send only the .csr file to the certificate authority and keep the .key file on the server. Because current browsers require the hostname in a subjectAltName extension, it does no harm to request it explicitly with -addext "subjectAltName=DNS:<hostname>" (OpenSSL 1.1.1 or later), and in any case check the issued certificate for it.
How to create a new CSR from an existing private key and certificate
openssl x509 -x509toreq -in existing_cert.pem -out new_csr.csr -signkey private.key
This is the quickest way to renew an expiring certificate, because it reuses the subject of the existing certificate and the existing private key. Two caveats: reusing the key means that anyone who has already obtained the old key can impersonate the renewed certificate as well, so generate a fresh key if there is any doubt about the old one; and, depending on the OpenSSL version, extensions such as subjectAltName are not carried over from the certificate by default, so inspect the new request with openssl req -in new_csr.csr -noout -text before submitting it.
If you are using an old version of openssl (before 1.1.0, which made SHA-256 the default), add the -sha256 option to ensure that you use the SHA-256 hashing algorithm instead of the older and less secure SHA-1 hashing algorithm, which public CAs no longer accept in requests.
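The CSR workflow from the two sections above as one script, added as an example and not part of the original page. It creates the key and CSR non-interactively, checks the request before it would be submitted (signature, key match, requested extensions), stands in for the certificate authority by self-signing the request so the renewal step can be exercised offline, and then derives a renewed CSR from that certificate with the existing key. It assumes OpenSSL 1.1.1 or later (for -addext); the hostname and subject fields are placeholders taken from the prompt transcript.

```shell
#!/bin/sh
# Added example (not from the original page): key + CSR, CSR checks, and
# renewal of a CSR from an existing certificate and its key.
# Assumes OpenSSL 1.1.1 or later (-addext). Hostname and subject fields are
# placeholders; replace them for real use.
set -eu

SUBJ_PREFIX="/C=US/ST=California/L=Stanford/O=Stanford University/OU=University IT"

# Create <hostname>.key (unencrypted, owner-readable only) and <hostname>.csr.
make_csr() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$host.key" -out "$host.csr" \
        -subj "$SUBJ_PREFIX/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$host.key"
}

# Print the Common Name of a CSR (handles both "/CN=" and "CN = " output styles).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed if the CSR's self-signature is valid (proof of possession of the key).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Succeed if CSR $1 carries the public key that belongs to private key $2.
csr_key_matches() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Full human-readable dump of a CSR; read it before submitting the request.
csr_text() {
    openssl req -in "$1" -noout -text
}

# Stand-in for the certificate authority: self-sign CSR $1 with key $2 for
# $3 days into certificate $4. A real CA signs with its own key instead.
sign_csr_locally() {
    openssl x509 -req -in "$1" -signkey "$2" -days "$3" -out "$4" 2>/dev/null
}

# Renewal: build a new CSR ($3) from existing certificate $1 and its key $2.
# Extensions such as subjectAltName may not be copied; check with csr_text.
renew_csr() {
    openssl x509 -x509toreq -in "$1" -signkey "$2" -out "$3" 2>/dev/null
}

# Usage: sh csr.sh example.stanford.edu
if [ -n "${1:-}" ]; then
    make_csr "$1"
    csr_signature_ok "$1.csr" && echo "CSR signature OK, CN=$(csr_cn "$1.csr")"
    sign_csr_locally "$1.csr" "$1.key" 30 "$1.pem"
    renew_csr "$1.pem" "$1.key" "$1-renewal.csr"
    csr_key_matches "$1-renewal.csr" "$1.key" && echo "renewal CSR uses the same key"
fi
```

The checks in csr_signature_ok and csr_key_matches are the ones worth running before you send a request to a CA: a request whose signature does not verify, or whose public key does not match the key on the server, will either be rejected or, worse, produce a certificate the server cannot use.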