Once you have created a Certificate Signing Request (CSR), you can create a self-signed certificate from it. A self-signed certificate does not give the security guarantees provided by a certificate signed by a commercial CA, but it will allow you to provide a secure HTTPS connection to your web site. Clients will see a warning message stating that your site's identity cannot be verified and thus is not a “trusted site”. Clients have the option of accepting the certificate for the session, after which all subsequent https:// connections with the site will be secure.
Assuming you generated your CSR and private key using the method shown above, you can create a self-signed certificate with the following openssl command:
openssl req -x509 -days 365 -in hostcsr.pem -key hostkey.pem -out hostcert.pem
Here's an explanation of the command line options:

View The Contents Of A Certificate Signing Request

Once you have created a Certificate Signing Request (CSR), you can look at the contents of the file using a text editor. But you will only see a block of PEM-encoded text such as this:
-----BEGIN CERTIFICATE REQUEST-----
MIIBhzCB8QIBADBIMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzAN
BgNVBAcTBlVyYmFuYTEVMBMGA1UEAxMMVGVycnkgRmxldXJ5MIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQCo/Dod/sGiCSvi+OV295f3eLMMzPKnNjQKabVpGP3x
2bVHYuJTSz5Umq9DtsaBUMHVgwSCeCjfJAtaONERnJKg7yiyy3kdHgxYeqhoqDoJ
kqZjoN+bOIZGlGs55ke5AqFYdeIaTAcgcxZMmeYZTdZ4n0cCvLHfcyTuKcGmtWsX
+wIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAVUelcfGlgus/OaTZgoePEmcvX4Lp
8ofE4sELbM8sg9xiXyw6yQ3e2T3HsYrJnOUUJkgOnL7zwDr29IQ1dG+ScjXKfxgB
vr2jnwdNbX20YgLyt8ht6NiUE7tQ33zDcSGoi+V2OxSWpbRHnOl6lGdRdh3A1LQj
wpM7Z5VjngNVfWM=
-----END CERTIFICATE REQUEST-----
If you want to see the actual entries in this file, you can view the contents as text. Here is a typical openssl command and the resulting output:
> openssl req -text -noout -in hostcsr.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Illinois, L=Urbana, CN=Terry Fleury
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a8:fc:3a:1d:fe:c1:a2:09:2b:e2:f8:e5:76:f7:
                    97:f7:78:b3:0c:cc:f2:a7:36:34:0a:69:b5:69:18:
                    fd:f1:d9:b5:47:62:e2:53:4b:3e:54:9a:af:43:b6:
                    c6:81:50:c1:d5:83:04:82:78:28:df:24:0b:5a:38:
                    d1:11:9c:92:a0:ef:28:b2:cb:79:1d:1e:0c:58:7a:
                    a8:68:a8:3a:09:92:a6:63:a0:df:9b:38:86:46:94:
                    6b:39:e6:47:b9:02:a1:58:75:e2:1a:4c:07:20:73:
                    16:4c:99:e6:19:4d:d6:78:9f:47:02:bc:b1:df:73:
                    24:ee:29:c1:a6:b5:6b:17:fb
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        55:47:a5:71:f1:a5:82:eb:3f:39:a4:d9:82:87:8f:12:67:2f:
        5f:82:e9:f2:87:c4:e2:c1:0b:6c:cf:2c:83:dc:62:5f:2c:3a:
        c9:0d:de:d9:3d:c7:b1:8a:c9:9c:e5:14:26:48:0e:9c:be:f3:
        c0:3a:f6:f4:84:35:74:6f:92:72:35:ca:7f:18:01:be:bd:a3:
        9f:07:4d:6d:7d:b4:62:02:f2:b7:c8:6d:e8:d8:94:13:bb:50:
        df:7c:c3:71:21:a8:8b:e5:76:3b:14:96:a5:b4:47:9c:e9:7a:
        94:67:51:76:1d:c0:d4:b4:23:c2:93:3b:67:95:63:9e:03:55:
        7d:63
>
Here's an explanation of the command line options:
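
What the -text option does with the PEM block above, shown as an added Python example that is not part of the original page: it base64-decodes the CSR printed here, walks its DER structure, and recovers the same subject, key size and signature algorithm that openssl reports. The function names children, parse_csr and weaknesses are this example's own, and the final check (RSA keys under 2048 bits, SHA-1 signatures) is an added review step based on current guidance, not something the page states.

```python
import base64
# The CSR shown on this page, copied verbatim.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBhzCB8QIBADBIMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzAN
BgNVBAcTBlVyYmFuYTEVMBMGA1UEAxMMVGVycnkgRmxldXJ5MIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQCo/Dod/sGiCSvi+OV295f3eLMMzPKnNjQKabVpGP3x
2bVHYuJTSz5Umq9DtsaBUMHVgwSCeCjfJAtaONERnJKg7yiyy3kdHgxYeqhoqDoJ
kqZjoN+bOIZGlGs55ke5AqFYdeIaTAcgcxZMmeYZTdZ4n0cCvLHfcyTuKcGmtWsX
+wIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAVUelcfGlgus/OaTZgoePEmcvX4Lp
8ofE4sELbM8sg9xiXyw6yQ3e2T3HsYrJnOUUJkgOnL7zwDr29IQ1dG+ScjXKfxgB
vr2jnwdNbX20YgLyt8ht6NiUE7tQ33zDcSGoi+V2OxSWpbRHnOl6lGdRdh3A1LQj
wpM7Z5VjngNVfWM=
-----END CERTIFICATE REQUEST-----"""
OIDS = {"550406": "C", "550408": "ST", "550407": "L", "550403": "CN",  # DER OIDs in hex
        "2a864886f70d010101": "rsaEncryption", "2a864886f70d010105": "sha1WithRSAEncryption",
        "2a864886f70d01010b": "sha256WithRSAEncryption"}

def children(buf):
    """Split DER bytes into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes that follow
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def parse_csr(pem):
    """Decode a PKCS#10 request into the fields shown by openssl req -text."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    info, sigalg, _sig = (v for _, v in children(children(base64.b64decode(b64))[0][1]))
    version, name, spki = (v for _, v in children(info)[:3])
    # Name = SEQUENCE of SET (RDN) of SEQUENCE {OID, value}
    atvs = [children(atv) for _, rdn in children(name) for _, atv in children(rdn)]
    subject = ", ".join(f"{OIDS.get(o.hex(), o.hex())}={v.decode()}" for (_, o), (_, v) in atvs)
    keyalg, keybits = (v for _, v in children(spki))
    # BIT STRING: drop the unused-bits byte, then SEQUENCE {modulus, exponent}
    modulus, exponent = (int.from_bytes(v, "big") for _, v in children(children(keybits[1:])[0][1]))
    return {"version": int.from_bytes(version, "big"), "subject": subject,
            "key_alg": OIDS.get(children(keyalg)[0][1].hex()), "key_bits": modulus.bit_length(),
            "exponent": exponent, "sig_alg": OIDS.get(children(sigalg)[0][1].hex())}

def weaknesses(csr):
    """Added check (not from the page): flag parameters too weak for a new certificate."""
    weak_key = csr["key_alg"] == "rsaEncryption" and csr["key_bits"] < 2048
    weak_sig = csr["sig_alg"] == "sha1WithRSAEncryption"
    return [m for bad, m in ((weak_key, "RSA key < 2048 bits"), (weak_sig, "SHA-1 signature")) if bad]
```

Calling weaknesses(parse_csr(CSR_PEM)) reports both findings for the sample request, which uses the 1024-bit key and sha1WithRSAEncryption signature visible in the openssl output.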