SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are security protocols used to secure web traffic between the web server and the client’s web browser. Generally, they are used to protect confidential data such as credit card data, login credentials, and other private information. Unlike a certificate issued by a certificate authority (CA), a self-signed SSL certificate is signed by its owner, using the certificate's own private key. Self-signed SSL certificates are free and are typically used for testing on a locally hosted web server.

In this post, we will show you how to generate a self-signed SSL certificate in Rocky Linux 8.

Install OpenSSL

Before starting, the OpenSSL toolkit must be installed on your server or desktop to generate a self-signed certificate.

If not installed, you can install it by running the following command:

dnf install openssl -y

Once installed, verify the OpenSSL version with the following command.

rpm -qa openssl

You will get the following output:

openssl-1.1.1k-5.el8_5.x86_64

Generate a Private Key

First, you will need to create a private key to enable encryption.

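Let’s create a password-protected 2048-bit RSA private key using the following command. The -des3 option encrypts the key file with Triple DES under the pass phrase you enter (openssl genrsa also accepts -aes256 if you prefer AES):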

openssl genrsa -des3 -out private.key 2048

You will be asked to provide a password as shown below:

Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................+++++
..+++++
e is 65537 (0x010001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:

You can see the content of the private key using the following command:

cat private.key

You should see the following output:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E0C0E24222815CE0

-----END RSA PRIVATE KEY-----

Generate a Certificate Signing Request

Next, you will need a certificate signing request (CSR) if you want your certificate signed. A CSR contains the public key along with identifying information such as the country and organization.

You can create a CSR named server.csr using your private key as shown below:

openssl req -key private.key -new -out server.csr

You will be asked to provide your private key password and some CSR information to complete the process as shown below:

Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:GUJ
Locality Name (eg, city) [Default City]:AHMEDABAD
Organization Name (eg, company) [Default Company Ltd]:Atlantic
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:server
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generate a Self-Signed Certificate

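A self-signed certificate is a certificate that is signed by its own private key. It lets the server encrypt traffic with TLS, but because no trusted certificate authority vouches for it, browsers and other clients will not trust it by default.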

You can create a self-signed certificate named server.crt using the private key and CSR, as shown below:

openssl x509 -signkey private.key -in server.csr -req -days 365 -out server.crt

You should see the following output:

Signature ok
subject=C = IN, ST = GUJ, L = AHMEDABAD, O = Atlantic, OU = IT, CN = server, emailAddress = [email protected]
Getting Private key
Enter pass phrase for private.key:

Note: The -days option specifies the number of days that the certificate will be valid.

You can now use the OpenSSL command to view the contents of your certificate in plain text:

openssl x509 -text -noout -in server.crt

You should see the certificate information in the following output:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            6f:bd:1d:8d:be:52:8e:9b:ba:74:29:0c:e7:15:2b:01:42:5c:66:8d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = GUJ, L = AHMEDABAD, O = Atlantic, OU = IT, CN = server, emailAddress = [email protected]
        Validity
            Not Before: Mar 15 11:42:36 2022 GMT
            Not After : Mar 15 11:42:36 2023 GMT
        Subject: C = IN, ST = GUJ, L = AHMEDABAD, O = Atlantic, OU = IT, CN = server, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
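
The script below is an added example, not part of the original post. It reruns the three commands above non-interactively in a scratch directory, then checks that the key and certificate belong together, that the certificate really is self-signed, and whether it carries a subjectAltName. The function names, the KEY_PASS variable and the demo pass phrase are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: checks for the files the tutorial's commands produce.
# Function names, KEY_PASS and the pass phrase are constructed for this demo.

# Run the tutorial's three commands non-interactively inside directory $1.
make_demo_cert() {
  ( cd "$1" &&
    openssl genrsa -des3 -passout env:KEY_PASS -out private.key 2048 &&
    openssl req -key private.key -passin env:KEY_PASS -new -out server.csr \
      -subj '/C=IN/ST=GUJ/L=AHMEDABAD/O=Atlantic/OU=IT/CN=server' &&
    openssl x509 -signkey private.key -passin env:KEY_PASS -in server.csr \
      -req -days 365 -out server.crt ) >/dev/null 2>&1
}

# Succeeds when the certificate holds the public half of private key $1.
# $3 is an OpenSSL pass phrase source such as env:KEY_PASS.
key_matches_cert() {
  local from_key from_cert
  from_key=$(openssl pkey -in "$1" -passin "$3" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$from_key" = "$from_cert" ]
}

# Succeeds when issuer equals subject and the signature verifies under the
# certificate's own public key.
is_self_signed() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 1
  [ "${subj#subject=}" = "${iss#issuer=}" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeeds when the certificate has a subjectAltName extension.
has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -q 'Subject Alternative Name'
}

export KEY_PASS='demo-passphrase-only'   # constructed value, not a real secret
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
key_matches_cert "$demo_dir/private.key" "$demo_dir/server.crt" env:KEY_PASS &&
  echo "private key matches certificate"
is_self_signed "$demo_dir/server.crt" && echo "self-signed, signature verifies"
has_san "$demo_dir/server.crt" || echo "no subjectAltName in certificate"
openssl x509 -in "$demo_dir/server.crt" -noout -checkend $((30 * 86400)) \
  >/dev/null && echo "valid for at least 30 more days"
```

A certificate made with these commands has no subjectAltName, so clients that match hostnames only against that extension will reject it even after you add it to their trust store.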

Conclusion

In this post, we explained how to generate a self-signed SSL certificate using the OpenSSL utility. You can now configure an Apache or Nginx web server to use it and secure the communication between the web server and client. Try it on dedicated server hosting from Atlantic.Net!