Create Self-Signed TLS Certificates

When You Should Do This

If you have an internal, demo or test server where you'd like to encrypt traffic between a client and the server, you can create a self-signed certificate. This is not good practice for production servers. Whenever possible, you should request certificates from trusted Certificate Authorities and use a certificate for a verified domain. Unless you have split DNS, where your internal zone uses the same domain name as the external zone, this will not be possible. Alternatively, you could use the same DNS zone and an alternate TLD for your internal DNS and certificates.

Create the Self-Signed Certificate

REMEMBER! When you navigate to the service configured with this certificate, the certificate will not be trusted by the client, because no Certificate Authority the client knows has signed it.

# I like creating the certificate and key files using the service name
# Certificate expires in 10 years (3650 days)
# -nodes leaves the private key unencrypted so the service can load it without a passphrase
# Without -subj, openssl prompts interactively for the subject fields (country, CN, ...)
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out /etc/ssl/service-name.crt -keyout /etc/ssl/service-name.key
# Only the owner may read the private key
chmod 400 /etc/ssl/service-name.key
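As an added example (not part of the original page), the same procedure as a POSIX shell script that runs non-interactively, puts the host name in the Subject Alternative Name, and then inspects and verifies the result. It assumes OpenSSL 1.1.1 or later (for -addext and -ext); host names and paths are constructed.

```shell
#!/bin/sh
# Create a self-signed certificate non-interactively, with the host name in the
# Subject Alternative Name (SAN), then inspect and verify it.
# Assumes OpenSSL 1.1.1 or later. All names below are constructed examples.
set -eu

# make_selfsigned_cert <hostname> <days> <out-dir> [rsa-bits]
# Writes <out-dir>/<hostname>.key (mode 400) and <out-dir>/<hostname>.crt.
make_selfsigned_cert() {
    host=$1; days=$2; dir=$3; bits=${4:-4096}
    mkdir -p "$dir"
    # -subj replaces the interactive prompts; -addext puts the host name in the
    # SAN, which browsers check (a CN on its own is no longer accepted).
    openssl req -new -newkey "rsa:$bits" -x509 -sha256 -days "$days" -nodes \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt"
    # Only the owner may read the private key.
    chmod 400 "$dir/$host.key"
}

# cert_san <crt>: print each DNS name from the certificate's SAN, one per line.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' \
        | sed -n 's/.*DNS://p'
}

# cert_self_verifies <crt>: succeeds only if the certificate validates with
# itself as the sole trust anchor, i.e. it is self-signed. A client will trust
# it only after that client has explicitly pinned this exact certificate.
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone run: generate into a temporary directory and report the SAN.
out=$(mktemp -d)
make_selfsigned_cert service.internal.example 3650 "$out"
cert_san "$out/service.internal.example.crt"
cert_self_verifies "$out/service.internal.example.crt" && echo "self-signed: OK"
```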