
Creating a Self-Signed Certificate

Use openssl to create self-signed certificates and CSRs

Self-signed certificates offer the same level of encryption as commercial certificates, but you can generate them yourself and give them longer validity periods. University IT often uses self-signed certificates on development and test servers.

However, web browsers will present end users with an untrusted certificate warning if you use a self-signed certificate, so you should use a commercial certificate for your public-facing websites.

How to create self-signed certificates

These instructions use openssl. First create a private key, then create the certificate from it. Be sure to keep the key in a secure location.

The example below creates a certificate with a 10-year (3652 days) validity. Replace <hostname> with the actual name of your server.

At the command line, enter:

  • head /dev/urandom > /dev/null
  • openssl genrsa -rand /dev/urandom -out <hostname>.key 2048
  • openssl req -new -x509 -days 3652 -key <hostname>.key -out <hostname>.pem

The last command will require you to answer several questions before creating <hostname>.pem.

Country Name (2 letter code) []: US
State or Province Name (full name) []: California
Locality Name (e.g., city) []: Stanford
Organization Name (e.g., company) []: Stanford University
Organizational Unit Name (e.g., section) []: University IT
Common Name (e.g., []:
Email Address []:

You can typically leave the email address and challenge password fields blank.

How to create a key and a CSR

To create both the key and CSR with one command, enter the following:

  • head /dev/urandom > /dev/null
  • openssl req -new -newkey rsa:2048 -rand /dev/urandom -nodes -keyout <hostname>.key -out <hostname>.csr

You will be prompted to enter the details for your certificate. For Common Name, use the fully qualified hostname of your server. Leave the passphrase and email address empty.

How to create a new CSR with an existing private key and certificate

openssl x509 -x509toreq -in existing_cert.pem -out new_csr.csr -signkey private.key

This is the quickest way to renew an expiring cert.

If you are using an old version of openssl, you should add the "-sha256" option to ensure that you use the SHA-256 hashing algorithm instead of the older and less secure SHA-1 hashing algorithm.
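The self-signed steps from the first procedure, run without prompts and with "-sha256" set explicitly, followed by checks that the key matches the certificate and that the signature really uses SHA-256. This is an added example, not part of the original page; the function names, the host name test.example.internal and the subject values are assumptions.

```shell
#!/bin/sh
# Added example: the self-signed steps without prompts, plus sanity checks.
# Function names, host name and subject values are constructed for illustration.

# make_selfsigned HOST DIR: write DIR/HOST.key and DIR/HOST.pem (3652 days).
make_selfsigned() {
    host=$1; dir=$2
    # umask 077 in a subshell: a newly created key is readable by its owner only.
    ( umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null ) || return 1
    # -subj answers the prompts; -sha256 sets the signature hash explicitly.
    openssl req -new -x509 -sha256 -days 3652 \
        -key "$dir/$host.key" -out "$dir/$host.pem" \
        -subj "/C=US/ST=California/L=Stanford/O=Stanford University/OU=University IT/CN=$host"
}

# key_matches_cert KEY CERT: succeed only if both hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# sig_is_sha256 CERT: succeed if the certificate was signed with SHA-256.
sig_is_sha256() {
    openssl x509 -in "$1" -noout -text |
        grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

# is_self_signed CERT: succeed if subject and issuer are identical.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Usage (writes into the current directory):
#   make_selfsigned test.example.internal . &&
#   key_matches_cert test.example.internal.key test.example.internal.pem &&
#   sig_is_sha256 test.example.internal.pem && echo "pair OK"
```

Running key_matches_cert before installing a renewed certificate catches the common mistake of pairing it with the wrong private key.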

Last modified February 5, 2016