3.8. Self-signed certificates

The cost and administrative hassle of arranging to have a CSR signed by a real CA are clearly not worthwhile if all you want to do is to experiment with using HTTPS. For this sort of application it is possible to create a "self-signed" certificate in which, in effect, you vouch for your own identity: the certificate's issuer and subject are the same, and nobody a browser already trusts has signed it. Such a certificate will not be trusted by browsers, and they will typically display warning messages when a site protected by such a certificate is accessed.

In addition to displaying a warning message, Internet Explorer 7 turns the browser address bar red when accessing such a site.

Encouraging general web site visitors to accept such warnings is extremely dangerous, since doing so undermines much of the security that TLS provides: a visitor who has been trained to click through the warning cannot tell your self-signed certificate from one presented by an attacker in the middle. However, self-signed certificates have their place, and one can be created by adding the -x509 option to an openssl req command. Two things to be aware of: the certificate is valid for only 30 days unless a -days option is given, and the private key is encrypted with the pass phrase requested below, which a web server cannot supply when it starts unattended (add -nodes to write the key unencrypted). Note also that current browsers (Chrome since version 58, for example) match the host name against a subjectAltName extension rather than the Common Name, so a certificate made with only the prompts shown here will produce a host-name mismatch warning in addition to the trust warning.


$ openssl req -new -newkey rsa:2048 -x509 -keyout self.key -out self.crt
Generating a 2048 bit RSA private key
............................................................++++++
..............................................++++++
writing new private key to 'self.key'
Enter PEM pass phrase: password
Verifying - Enter PEM pass phrase: password

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:Cambridge
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Cambridge
Organizational Unit Name (eg, section) []:Computing Service
Common Name (eg, your name or your server's hostname) []:clt1.csi.cam.ac.uk
Email Address []:jw35@cam.ac.uk

Arguments used

-new

used when creating a new CSR (or, combined with -x509, a new certificate) rather than processing an existing one

-newkey

type and size of the key to generate; rsa:2048 requests a 2048-bit RSA key, which is written to the file named by -keyout

-x509

output a self-signed X.509 certificate, signed with the newly generated key, rather than a CSR

-out

name of the file to receive the certificate

-keyout

name of the file to receive the (pass-phrase-protected) private key
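The command above is interactive and produces a certificate that browsers will reject twice over (untrusted issuer and, in current browsers, no subjectAltName). The following script, added here as an example and not part of the original page, generates the same kind of certificate non-interactively and then runs the checks a practitioner would want before deploying it: that the certificate really is self-signed (subject equals issuer), that the private key matches it, that it carries the expected SAN, and what "openssl verify" makes of it with and without the certificate itself as a trust anchor. It assumes OpenSSL 1.1.1 or later is on the PATH (needed for -addext and for a non-zero exit status from "openssl verify" on failure); the host name example.test, the DN fields and the file names are made up for the example.

```sh
#!/bin/sh
# Added example, not part of the original page. Assumes OpenSSL 1.1.1+.
# Host name, DN fields and file names below are invented for the example.
set -e

# make_self_signed HOST DIR
# Writes DIR/self.key and DIR/self.crt. Differences from the interactive
# command in the text:
#   -nodes   leave the private key unencrypted (no pass phrase prompt), so a
#            web server can read it when it starts unattended
#   -days    explicit validity; "openssl req -x509" defaults to 30 days
#   -subj    supply the DN on the command line instead of answering prompts
#   -addext  add a subjectAltName; browsers match the host name against the
#            SAN, not the Common Name
make_self_signed() {
    host="$1"
    dir="$2"
    openssl req -new -newkey rsa:2048 -x509 -nodes -days 365 \
        -subj "/C=GB/ST=England/L=Cambridge/O=Example Org/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null
}

# Exit status 0 if subject and issuer are the same DN, i.e. the certificate
# vouches for itself, which is exactly why a browser will not trust it.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*= *//')
    [ "$subj" = "$iss" ]
}

# Print the subjectAltName value, e.g. "DNS:example.test".
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Print the SHA-256 fingerprint. Comparing this value out of band (not
# clicking through a warning) is the only sound way for a visitor to decide
# to trust a self-signed certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Exit status 0 if the private key corresponds to the certificate's public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout)
    cpub=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$kpub" = "$cpub" ]
}

# verify_cert CRT [CAFILE]
# Run "openssl verify" the way a client would. With no CAFILE the chain ends
# in a self-signed root that is in no trust store, so this fails; passing the
# certificate itself as CAFILE is what "accepting the warning" amounts to.
verify_cert() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

demo() {
    host=${1:-example.test}
    dir=$(mktemp -d)
    make_self_signed "$host" "$dir"
    printf 'subject:     %s\n' "$(openssl x509 -in "$dir/self.crt" -noout -subject)"
    printf 'SAN:         %s\n' "$(cert_san "$dir/self.crt")"
    printf 'fingerprint: %s\n' "$(cert_fingerprint "$dir/self.crt")"
    if cert_is_self_signed "$dir/self.crt"; then echo "self-signed: yes"; fi
    if key_matches_cert "$dir/self.key" "$dir/self.crt"; then echo "key matches cert: yes"; fi
    if verify_cert "$dir/self.crt"; then
        echo "verify with no trust anchor: OK (unexpected)"
    else
        echo "verify with no trust anchor: FAILED (expected; this is the browser warning)"
    fi
    if verify_cert "$dir/self.crt" "$dir/self.crt"; then
        echo "verify with the cert as its own trust anchor: OK"
    fi
    rm -rf "$dir"
}

demo "$@"
```

Run it as `sh selfsigned.sh myhost.example` to see the checks for a host name of your choosing. The failed verification without a trust anchor is the expected result for a self-signed certificate; the only legitimate way to make it pass is to distribute the certificate (or its fingerprint) to clients by some channel you already trust, which is what `-CAfile` simulates here.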