OpenSSL 3.0.2
Ubuntu 22.04 LTS (jammy)

OpenSSL is a useful command-line tool for PKI-related tasks. In this tutorial I will show you how to generate a self-signed certificate with an RSA key for use in your lab, test or demo environment. This will give you a very basic understanding of the steps required to generate a self-signed certificate. You can also use the CSR to request a commercial certificate; you just need to take note of the fields and information required for the type of commercial certificate that you need.

You can read more about OpenSSL at the official OpenSSL website.

The basic components to understand for this tutorial are as follows:

  1. Certificate Signing Request (CSR), optional for a self-signed certificate for a single web server
  2. Private Key
  3. SSL Certificate

A Certificate Signing Request (CSR), as its name suggests, contains the public key from a key pair together with information, predominantly about your organization, such as the FQDN and DN, that you use to request a certificate. You do not really need a CSR if all you want is a self-signed certificate for a test server and you are not going to reuse the CSR to generate a new certificate. However, if you are going to request a certificate from a private Certificate Authority or a commercial certificate, then a CSR is needed.

  1. To generate the CSR you will need OpenSSL. Most recent Ubuntu releases should have OpenSSL installed. Having a CSR means you do not need to key in all the information again when you generate a new certificate after the old one has expired.

openssl req \
-newkey rsa:2048 \
-nodes -keyout <domain.key> \
-out <domain.csr>

  1. For a self-signed certificate, the private key is the key component. You can use the private key to generate a new certificate without the CSR. You will need to key in all the necessary information the first time.
    1. Issuing the command below gives you the private key <domain.key>
    2. and the certificate <domain.crt>

openssl req \
-newkey rsa:2048 \
-nodes -keyout <domain.key> \
-x509 -days 365 -out <domain.crt>

The above command will generate an X.509 certificate encoded in ASCII PEM format.
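The two steps above as one non-interactive script, added here as an example that is not part of the original tutorial: it creates the key and CSR once, re-issues the self-signed certificate from the stored CSR when it nears expiry, and checks that key, CSR and certificate all carry the same public key. The subject fields, file layout and function names are assumptions, and `-subj`, `x509 -req -signkey` and `-checkend` are standard OpenSSL options that the commands above do not use.

```shell
#!/bin/sh
# Added example. Subject fields, directory layout and function names are constructed.
set -e

# Create the private key and CSR once; -subj answers the prompts non-interactively.
make_key_and_csr() {   # usage: make_key_and_csr DIR FQDN
  ( umask 077          # -nodes leaves the key unencrypted, so keep it owner-only
    openssl req -newkey rsa:2048 -nodes \
      -keyout "$1/$2.key" -out "$1/$2.csr" \
      -subj "/O=Example Lab/CN=$2" )
}

# Issue or renew a self-signed certificate from the stored CSR and key.
self_sign() {          # usage: self_sign DIR FQDN DAYS
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
    -days "$3" -out "$1/$2.crt"
}

# True when the certificate is still valid DAYS days from now.
valid_for_days() {     # usage: valid_for_days CRT DAYS
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# SHA-256 over the public key held by a key, CSR or certificate file.
pubkey_fingerprint() { # usage: pubkey_fingerprint key|csr|crt FILE
  case "$1" in
    key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)   pem= ;;
  esac || true
  [ -n "$pem" ] || return 1      # unreadable or wrong file type: no fingerprint
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# True only when key, CSR and certificate all carry the same public key.
files_match() {        # usage: files_match DIR FQDN
  k=$(pubkey_fingerprint key "$1/$2.key") || return 1
  r=$(pubkey_fingerprint csr "$1/$2.csr") || return 1
  c=$(pubkey_fingerprint crt "$1/$2.crt") || return 1
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Run as: sh script.sh DIR FQDN (creates the files on first use, renews near expiry)
if [ $# -eq 2 ]; then
  [ -f "$1/$2.key" ] || make_key_and_csr "$1" "$2"
  valid_for_days "$1/$2.crt" 30 2>/dev/null || self_sign "$1" "$2" 365
  files_match "$1" "$2" && echo "key, CSR and certificate match"
fi
```

A mismatch reported by `files_match` means the certificate was issued for a different key than the one on disk, which is the usual cause of a server refusing to load the pair.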

I am going to show you how you can use the certificate that you have just generated in a simple Python HTTP Server with SSL.