Create a self signed SSL certificate with Subject Alternative Name

In my line of work, I do a lot of testing and configuration of web based security products. Most times, these web based applications or appliances require SSL certificates to ensure that communication to and from the server is encrypted.

Purchasing an SSL certificate issued from a trusted certificate authority (CA) like Thawte or Verisign can cost upwards of $200. SSL certificates purchased from a CA should be reserved for internet facing production machines.

Another option is to check whether your organization owns an internal certificate authority. This certificate authority will likely be managed by the IT security team. The downside of obtaining a cert through this route is that you will need to deal with the owners of the certificate authority, which may lead to delays in getting the certificate that you need to do your work.

In your development or test environments, a self signed SSL certificate is typically the easiest and cheapest way to enable SSL. Here are the steps to generate a self signed SSL certificate for your server in just a few minutes:

Creating the Private Key:

openssl genrsa -out private.key 2048

The command above creates a 2048 bit private key that will be used during creation of the self signed SSL certificate. The private key will be stored in the file named “private.key”.

Generating the SSL cert:

openssl req -new -x509 -key private.key -sha256 -nodes -out private.crt -days 365 -subj '/CN=www.domain.com' -extensions san -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo 'subjectAltName=DNS:www.domain.com')

The command above is long. Copy the entire command and update the following values:

-days 365 indicates that the cert will be valid for 1 year, but you can modify this to your liking (e.g. 720 for 2 years)

The command also has two references to www.domain.com: one in the -subj value (the CN) and one in the subjectAltName line. Replace both with the FQDN of the website you are trying to create the certificate for. If you have multiple subjectAltName values, separate them with a comma and give each one its own DNS: prefix; an entry without a type prefix is rejected by openssl:

subjectAltName=DNS:mail.domain.com,DNS:www.domain.com

Verifying the certificate:

After running the command, a new file called private.crt will be generated. If you wish to check the contents of the certificate file, you can use this command:

openssl x509 -in private.crt -text -noout

This will spit out the contents of the certificate file but the key sections to check for are:

Subject – Make sure the CN=www.domain.com matches the URL for your website / server.
X509v3 extensions – Verify that you see a section called “Subject Alternative Name” and that it lists the FQDN of the website/server.

Creating a PFX or P12:

At this point you have two files. The file private.key is the private key for your certificate (private.crt). You can use this certificate as is. However, some applications / servers require the cert to be installed as a PFX or P12 file. The majority of the applications that I work with expect P12.

The following command can be used to wrap the private.key and private.crt into a container that holds both the private key and the certificate:

openssl pkcs12 -export -in private.crt -inkey private.key -name 'ssl' -out private.p12

This command wraps the certificate and the private key into a P12 container. All of the attributes are fairly straightforward with the exception of the -name ‘ssl’ value. This means that within the P12, the certificate will be stored with an alias name of “ssl”. This value is arbitrary and you can use any label that you prefer.

Additionally, when running the command above, you will be prompted for a password. The password protects the contents of the P12 and will be required when attempting to install the SSL certificate via P12.
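The whole procedure above (key, certificate with several subjectAltName entries, verification, P12 export) can be scripted so that it is repeatable and so that the SAN list is checked rather than eyeballed. The script below is an added example and is not part of the original post; it assumes the openssl command line tool is on PATH, and the host names, output directory and P12 password it uses are constructed placeholders. It uses a temporary config file instead of the bash-only <(...) process substitution so it runs under plain sh, and it passes the P12 password with -passout so no interactive prompt is needed.

```shell
#!/bin/sh
# Added example (not from the original post): self signed cert with SANs.
# Assumes: openssl on PATH. Host names and paths below are constructed.

# make_selfsigned OUTDIR CN HOST1 [HOST2 ...]
# Writes OUTDIR/private.key and OUTDIR/private.crt (valid 365 days).
make_selfsigned() {
    outdir="$1"; cn="$2"; shift 2
    mkdir -p "$outdir"
    # Build "DNS:a,DNS:b,...": every SAN entry needs its own DNS: prefix.
    sans=""
    for h in "$@"; do
        sans="${sans:+$sans,}DNS:$h"
    done
    # Minimal req config: the subject comes from -subj, the extension
    # from the [san] section selected with -extensions.
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = req_dn
[req_dn]
[san]
subjectAltName = $sans
EOF
    openssl genrsa -out "$outdir/private.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -key "$outdir/private.key" -sha256 \
        -out "$outdir/private.crt" -days 365 -subj "/CN=$cn" \
        -extensions san -config "$outdir/san.cnf"
}

# cert_cn CRT: print the subject CN of the certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^.*CN=//'
}

# cert_has_san CRT HOST: succeed only if DNS:HOST is listed in the
# Subject Alternative Name extension of CRT.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Fq "DNS:$2"
}

# make_p12 OUTDIR PASSWORD: wrap key and cert into OUTDIR/private.p12
# under the alias "ssl", protected by PASSWORD (no interactive prompt).
make_p12() {
    openssl pkcs12 -export -in "$1/private.crt" -inkey "$1/private.key" \
        -name ssl -out "$1/private.p12" -passout "pass:$2"
}

# p12_opens P12 PASSWORD: succeed only if the P12 can be read with PASSWORD.
p12_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# demo OUTDIR: run the full flow with two constructed host names and
# verify the result; returns non-zero on any failure.
demo() {
    dir="$1"
    make_selfsigned "$dir" www.domain.com www.domain.com mail.domain.com || return 1
    [ "$(cert_cn "$dir/private.crt")" = "www.domain.com" ] || return 1
    cert_has_san "$dir/private.crt" www.domain.com || return 1
    cert_has_san "$dir/private.crt" mail.domain.com || return 1
    # A host that was never requested must not appear in the SAN list.
    cert_has_san "$dir/private.crt" ftp.domain.com && return 1
    make_p12 "$dir" 'constructed-demo-password' || return 1
    p12_opens "$dir/private.p12" 'constructed-demo-password'
}

# Usage: sh -c '. ./selfsigned.sh; demo /tmp/certs && echo OK'
```

Keeping the SAN check in a function (cert_has_san) rather than reading the -text dump by hand matters because modern browsers and TLS clients match the host name against the SAN extension only; a certificate whose CN is right but whose SAN list is wrong or missing will still be rejected.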

You are now ready to install the certificate or P12 into your web server or application. This is a simple and inexpensive way to generate self signed certificates for your testing or development environments.
