You can do that in one command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
You can also add
-nodes (short for
no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.
days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.
-subj '/CN=localhost' to suppress questions about the contents of the certificate (replace
localhost with your desired domain).
Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a certificate authority (CA).
As of 2021 with OpenSSL ≥ 1.1.1, the following command serves all your needs, including SAN:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ -keyout example.key -out example.crt -subj "/CN=example.com" \ -addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"
On old systems with OpenSSL ≤ 1.1.0, such as Debian ≤ 9 or CentOS ≤ 7, a longer version of this command needs to be used:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ -keyout example.key -out example.crt -extensions san -config \ <(echo "[req]"; echo distinguished_name=req; echo "[san]"; echo subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1 ) \ -subj "/CN=example.com"
Either command creates a certificate that is
- valid for the (sub)domains
- also valid for the IP address
- relatively strong (as of 2021) and
- valid for
3650days (~10 years).
The following files are generated:
- Private key:
All information is provided at the command line. There is no interactive input that annoys you. There are no config files you have to mess around with. All necessary steps are executed by a single OpenSSL invocation: from private key generation up to the self-signed certificate.
Remark #1: Crypto parameters
Since the certificate is self-signed and needs to be accepted by users manually, it doesn't make sense to use a short expiration or weak cryptography.
In the future, you might want to use more than
4096 bits for the RSA key and a hash algorithm stronger than
sha256, but as of 2021 these are sane values. They are sufficiently strong while being supported by all modern browsers.
Remark #2: Parameter "
Theoretically you could leave out the
-nodes parameter (which means "no DES encryption"), in which case
example.key would be encrypted with a password. However, this is almost never useful for a server installation, because you would either have to store the password on the server as well, or you'd have to enter it manually on each reboot.
Remark #3: See also
参照着修改openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout edenreduk.net.key -out edenreduk.net.crt -subj "/CN=edenreduk.net" -addext "subjectAltName=DNS:edenreduk.net"
在git bash中执行报错， https://github.com/openssl/openssl/issues/8795
在命令前面加上参数MSYS_NO_PATHCONV=1 openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout edenreduk.net.key -out edenreduk.net.crt -subj "/CN=edenreduk.net" -addext "subjectAltName=DNS:edenreduk.net"
this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, a large random number will be used for the serial number.
If existing request is specified with the -in option, it is converted to the self signed certificate otherwise new request is created.
this option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size. If nbits is omitted, i.e. -newkey rsa specified, the default key size, specified in the configuration file is used.
All other algorithms support the -newkey alg:file form, where file may be an algorithm parameter file, created by the genpkey -genparam command or and X.509 certificate for a key with appropriate algorithm.
param:file generates a key using the parameter file or certificate file, the algorithm is determined by the parameters. algname:file use algorithm algname and parameter file file: the two algorithms must match or an error occurs. algname just uses algorithm algname, and parameters, if necessary should be specified via -pkeyopt parameter.
dsa:filename generates a DSA key using the parameters in the file filename. ec:filename generates EC key (usable both with ECDSA or ECDH algorithms), gost2001:filename generates GOST R 34.10-2001 key (requires ccgost engine configured in the configuration file). If just gost2001 is specified a parameter set should be specified by -pkeyopt paramset:X
this gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used.
This specifies the output filename to write to or standard output by default.
when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.
This specifies the message digest to sign the request. Any digest supported by the OpenSSL dgst command can be used. This overrides the digest algorithm specified in the configuration file.
Some public key algorithms may override this choice. For instance, DSA signatures always use SHA1, GOST R 34.10 signatures always use GOST R 34.11-94 (-md_gost94), Ed25519 and Ed448 never use any digest.
If this option is specified then if a private key is created it will not be encrypted.
Sets subject name for new request or supersedes the subject name when processing a request. The arg must be formatted as /type0=value0/type1=value1/type2=.... Keyword characters may be escaped by \ (backslash), and whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the request.
Add a specific extension to the certificate (if the -x509 option is present) or certificate request. The argument must have the form of a key=value pair as it would appear in a config file.
This option can be given multiple times.