Create Self-Signed TLS Certificates

When You Should Do This

If you have an internal, demo or test server where you'd like to encrypt traffic between a client and the server, you can create a self-signed certificate. This is not good practice for production servers. Whenever possible, request certificates from a trusted Certificate Authority for a domain whose ownership you can verify. For an internal hostname this is only possible if you use split DNS, where the internal zone uses the same domain name as the external zone; otherwise a CA-issued certificate is not an option.



Create the Self-Signed Certificate

REMEMBER! When you navigate to the service configured with this certificate, the certificate is not going to be trusted: no CA in the client's trust store issued it, so browsers and other clients will warn about it.

# I like creating the certificate and key files using the service name
# Certificate expires in 10 years (3650 days)
# -x509   : emit a self-signed certificate instead of a CSR
# -nodes  : leave the private key unencrypted (no passphrase prompt at service start)
# -sha256 : sign with SHA-256; -newkey rsa:4096 generates a fresh 4096-bit RSA key
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out /etc/ssl/service-name.crt -keyout /etc/ssl/service-name.key
# The key is a secret: readable only by its owner
chmod 400 /etc/ssl/service-name.key
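The following script is an added example, not part of the original page, that wraps the same openssl command in a function and then checks the result the way you would before deploying it. It adds a subjectAltName extension via an OpenSSL config file, because modern browsers match the hostname against the SAN list and ignore the CN alone; it then verifies that the certificate's public key matches the private key, that the requested SAN is present, that the validity period is what was asked for, and that the key file is owner-read-only. The function names, the `localhost` and `127.0.0.1` SAN entries and the `service-name` example are constructed for this illustration; the only requirement assumed is an `openssl` CLI on the PATH.

```shell
#!/bin/sh
# Added example: create a self-signed server certificate with a SAN and verify it.
set -eu

# make_self_signed NAME OUTDIR [DAYS]
# Writes OUTDIR/NAME.crt and OUTDIR/NAME.key (key unencrypted, mode 0400).
make_self_signed() {
  name="$1"; out="$2"; days="${3:-3650}"
  cfg=$(mktemp)
  # Request config: non-interactive subject plus the extensions that a TLS
  # server certificate needs. x509_extensions applies because we pass -x509.
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
CN = $name
[v3_server]
subjectAltName = DNS:$name,DNS:localhost,IP:127.0.0.1
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:4096 -x509 -sha256 -days "$days" -nodes \
    -config "$cfg" -out "$out/$name.crt" -keyout "$out/$name.key"
  rm -f "$cfg"
  chmod 400 "$out/$name.key"   # the private key is a secret
}

# cert_matches_key CERT KEY
# Compares the public key embedded in the certificate with the one derived
# from the private key; a mismatch means the service will fail its handshake.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# cert_has_san CERT HOSTNAME - true if HOSTNAME appears as a DNS SAN entry
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_valid_for_days CERT DAYS - true if the cert does not expire within DAYS
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_is_owner_only FILE - true if the mode is exactly r-------- (0400)
key_is_owner_only() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# main NAME OUTDIR [DAYS] - create the pair and report the checks
main() {
  make_self_signed "$@"
  crt="$2/$1.crt"; key="$2/$1.key"
  cert_matches_key "$crt" "$key"     && echo "ok: certificate matches private key"
  cert_has_san "$crt" "$1"           && echo "ok: SAN contains DNS:$1"
  cert_valid_for_days "$crt" 3649    && echo "ok: valid for the requested period"
  key_is_owner_only "$key"           && echo "ok: key is mode 0400"
  openssl x509 -in "$crt" -noout -subject -dates
}

# Run only when invoked with arguments, e.g.:  sh make-cert.sh service-name /etc/ssl
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Invoke it as `sh make-cert.sh service-name /etc/ssl` (optionally a third argument for the number of days). The `-checkend` test is what you would put in a cron job to catch the certificate before it expires; on a ten-year self-signed certificate that day is easy to forget.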