Generate a self-signed SSL certificate

howto found on

Create key

 openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024

file1:file2:etc are .gz file which are used for entropy.

Create key without passphrase

 openssl rsa -in server.key -out server.pem

Usefull to start Apache without a password. Keep this file secret.

Generate signing request

 openssl req -new -key server.key -out server.csr

Questions are then asked interactively. The most important is "Common Name (eg, YOUR name)", it must match your server's name, ie


 openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Do not hesitate to put a huge expiry delay (-days), experience shows "official" sining can be longer than expected, and there's no harm in having self-signed stuff lasting forever, as long as you accept it's self-signed.

What's usefull for Apache?

The key (.pem) and the certificate (.crt).

Page generated by UWiKiCMS 1.1.8 on Fri May 26 2017.
Copyright © 2009 Christian Mauduit. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
Updated on Tue Oct 06 2009.