Coding Geekery Linux

Generate a Self-Signed SSL Certificate in 2 Easy Steps

Ever wanted to generate your own domain’s SSL certificate?
Let me first put it out there: It’s a bad idea if you intend to make your domain publicly available.
Ahh, the air’s more breathable now that the elephant’s out of the room!

You’re still here? Good. Let’s proceed!

Let’s say you do need a self-signed SSL certificate for one of your domains, and you don’t feel like typing more than two commands. You’re in luck!
First and foremost, find a cosy (and preferably organized) place for your certificates to live. I personally like to stick them in /data/ssl/certs/[domain]/[subdomain]/, but to each their own.

Command #1:
openssl req -new -nodes -keyout domain.key -out domain.csr
This command generates both a domain server key and a certficate signing request, which you’ll need to generate your crt file in command #2.
It will ask you a bunch of questions. The important one is the “Common Name”, as it is the one that needs to match your domain.
For example, I setup a certificate for, so I set the common name to “” hmmkay?

Command #2:
openssl x509 -req -days 365 -in domain.csr -signkey domain.key -out domain.crt
There you have it, your domain certificate will be valid for a year!

As a bonus, here’s how I setup nginx to redirect all https traffic to http, using my shiny new self-signed SSL cert:

In nginx.conf

server {
listen *:443;
ssl on;
rewrite ^(.*)$1 permanent;

ssl_certificate /data/ssl/certs/quotir/www/quotir.crt;
ssl_certificate_key /data/ssl/certs/quotir/www/quotir.key;

Happy Sysadmining friends and don’t be shy, say hello!

By jonaphin

Sr. Software Engineer / Project Lead at Adobe Systems, Inc.