howtos:create_a_self-signed_certificate_from_a_certificate_signing_request

Once you have created a Certificate Signing Request (CSR), you can create a self-signed certificate from it. A self-signed certificate does not give the security guarantees provided by a certificate signed by a commercial CA, but it does let you offer a secure HTTPS connection to your web site. Clients will see a warning message stating that your site's identity cannot be verified and that it is therefore not a “trusted site”. Clients have the option of accepting the certificate for the session, after which all subsequent HTTPS connections with the site will be secure.

Assuming you had generated your CSR and private key using the method shown above, you can create a self-signed certificate with the following openssl command:

    openssl req -x509 -days 365 -in hostcsr.pem -key hostkey.pem -out hostcert.pem

Here's an explanation of the command line options:

  • -x509 - output a self-signed certificate rather than a CSR.
  • -days 365 - make the self-signed certificate valid for one year.
  • -in hostcsr.pem - read in the CSR from the file hostcsr.pem.
  • -key hostkey.pem - read in the private key from the file hostkey.pem.
  • -out hostcert.pem - write out the self-signed certificate to the file hostcert.pem.
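
The checks worth running after the command above, as an added example that is not part of the original page: it confirms that hostkey.pem, hostcsr.pem and hostcert.pem carry the same public key and that the certificate is self-signed and unexpired, then prints the SHA-256 fingerprint that clients can compare out of band before accepting the browser warning. The function names, the subject, the RSA-2048 key and the SHA-256 digest are assumptions (the page's sample CSR shows a 1024-bit key signed with SHA-1).

```shell
# Added example, not from the original page. File names follow the page;
# the subject, RSA-2048 key size and SHA-256 digest are assumptions.

# Create a key and CSR, then self-sign the CSR with the page's command (plus -sha256).
make_selfsigned() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=Illinois/L=Urbana/CN=www.example.test" \
        -keyout "$1/hostkey.pem" -out "$1/hostcsr.pem" 2>/dev/null &&
    openssl req -x509 -days 365 -sha256 -in "$1/hostcsr.pem" \
        -key "$1/hostkey.pem" -out "$1/hostcert.pem" 2>/dev/null
}

# Print the SHA-256 digest of the public key held in a key, CSR or cert.
pubkey_digest() {
    pub=$(case $1 in
        (key)  openssl pkey -in "$2" -pubout ;;
        (csr)  openssl req  -in "$2" -noout -pubkey ;;
        (cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null) && [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the certificate fingerprint that clients can compare out of band.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 only if key, CSR and cert match and the cert is self-signed and current.
check_selfsigned() {
    cert="$1/hostcert.pem"
    k=$(pubkey_digest key  "$1/hostkey.pem")
    r=$(pubkey_digest csr  "$1/hostcsr.pem")
    c=$(pubkey_digest cert "$cert")
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ] ||
        { echo "public key mismatch" >&2; return 1; }
    [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
      "$(openssl x509 -in "$cert" -noout -issuer_hash)" ] ||
        { echo "issuer differs from subject" >&2; return 1; }
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 ||
        { echo "signature does not verify" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null ||
        { echo "expires within 24 hours" >&2; return 1; }
}

# Demo in a scratch directory with constructed data.
tmp=$(mktemp -d)
make_selfsigned "$tmp" && check_selfsigned "$tmp" &&
    echo "OK, fingerprint: $(cert_fingerprint "$tmp/hostcert.pem")"
rm -rf "$tmp"
```
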

View The Contents Of A Certificate Signing Request

Once you have created a Certificate Signing Request (CSR), you can look at the contents of the file using a text editor. But you will only see a block of PEM-encoded text such as this:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIBhzCB8QIBADBIMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzAN
    BgNVBAcTBlVyYmFuYTEVMBMGA1UEAxMMVGVycnkgRmxldXJ5MIGfMA0GCSqGSIb3
    DQEBAQUAA4GNADCBiQKBgQCo/Dod/sGiCSvi+OV295f3eLMMzPKnNjQKabVpGP3x
    2bVHYuJTSz5Umq9DtsaBUMHVgwSCeCjfJAtaONERnJKg7yiyy3kdHgxYeqhoqDoJ
    kqZjoN+bOIZGlGs55ke5AqFYdeIaTAcgcxZMmeYZTdZ4n0cCvLHfcyTuKcGmtWsX
    +wIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAVUelcfGlgus/OaTZgoePEmcvX4Lp
    8ofE4sELbM8sg9xiXyw6yQ3e2T3HsYrJnOUUJkgOnL7zwDr29IQ1dG+ScjXKfxgB
    vr2jnwdNbX20YgLyt8ht6NiUE7tQ33zDcSGoi+V2OxSWpbRHnOl6lGdRdh3A1LQj
    wpM7Z5VjngNVfWM=
    -----END CERTIFICATE REQUEST-----

If you want to see the actual entries for this file, you can view the contents as text. Here is a typical openssl command and the resulting output:

  openssl req -text -noout -in hostcsr.pem
  Certificate Request:
      Data:
          Version: 0 (0x0)
          Subject: C=US, ST=Illinois, L=Urbana, CN=Terry Fleury
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (1024 bit)
                  Modulus (1024 bit):
                      00:a8:fc:3a:1d:fe:c1:a2:09:2b:e2:f8:e5:76:f7:
                      97:f7:78:b3:0c:cc:f2:a7:36:34:0a:69:b5:69:18:
                      fd:f1:d9:b5:47:62:e2:53:4b:3e:54:9a:af:43:b6:
                      c6:81:50:c1:d5:83:04:82:78:28:df:24:0b:5a:38:
                      d1:11:9c:92:a0:ef:28:b2:cb:79:1d:1e:0c:58:7a:
                      a8:68:a8:3a:09:92:a6:63:a0:df:9b:38:86:46:94:
                      6b:39:e6:47:b9:02:a1:58:75:e2:1a:4c:07:20:73:
                      16:4c:99:e6:19:4d:d6:78:9f:47:02:bc:b1:df:73:
                      24:ee:29:c1:a6:b5:6b:17:fb
                  Exponent: 65537 (0x10001)
          Attributes:
              a0:00
      Signature Algorithm: sha1WithRSAEncryption
          55:47:a5:71:f1:a5:82:eb:3f:39:a4:d9:82:87:8f:12:67:2f:
          5f:82:e9:f2:87:c4:e2:c1:0b:6c:cf:2c:83:dc:62:5f:2c:3a:
          c9:0d:de:d9:3d:c7:b1:8a:c9:9c:e5:14:26:48:0e:9c:be:f3:
          c0:3a:f6:f4:84:35:74:6f:92:72:35:ca:7f:18:01:be:bd:a3:
          9f:07:4d:6d:7d:b4:62:02:f2:b7:c8:6d:e8:d8:94:13:bb:50:
          df:7c:c3:71:21:a8:8b:e5:76:3b:14:96:a5:b4:47:9c:e9:7a:
          94:67:51:76:1d:c0:d4:b4:23:c2:93:3b:67:95:63:9e:03:55:
          7d:63
  

Here's an explanation of the command line options:

  • -text - view the contents of the CSR as plain text.
  • -noout - do not output the PEM-encoded version of the CSR.
  • -in hostcsr.pem - read in the CSR from the file hostcsr.pem.
howtos/create_a_self-signed_certificate_from_a_certificate_signing_request.txt · Last modified: 02/12/2018 21:34 by 127.0.0.1