If you know that you only want a self-signed certificate (not one signed by a Certificate Authority (CA)), you can generate a self-signed certficate without first having to generate a Certificate Signing Request (CSR).
A self-signed certificate does not give the security guarantees provided by a certificate signed by a commercial CA. But it will allow you to provide a secure https connection to your web site. Clients will see a warning message stating that your site's identity cannot be verified and thus is not a “trusted site”.
Clients have the option of accepting the certificate for the session and all subsequent https connections with the site will be secure.Here is a typical openssl command and the resulting interactive session when generating a self-signed certificate:
openssl req -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem Generating a 1024 bit RSA private key ........++++++ ........++++++ writing new private key to 'hostkey.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Illinois Locality Name (eg, city) :Urbana Organization Name (eg, company) [Internet Widgits Pty Ltd]:NCSA Organizational Unit Name (eg, section) :Security Research Division Common Name (eg, YOUR name) :www.ncsa.uiuc.edu Email Address :firstname.lastname@example.org
First, an explanation of the command line options:
If you had previously generated a private RSA key (by using the “openssl genrsa” command, for example) and would like to use it rather than generating a new key, you can use the -key FILENAME option to read in your extisting key. Also, you can change the length of the key if you want. The minimum should be 512. Many people like to use 2048 for a more secure key.
Next, an explanation of the interactive session.
At each prompt, you will see brackets ([ ]) which may or may not contain text. That text is the default option for that prompt. If you simply hit the <ENTER> key at this point without typing any text, the text in the brackets will be used. If there is text in the brackets that you DON'T want (i.e. you want to erase the text for that prompt), type a period (.) and then hit <ENTER>. Note that you cannot have all fields be empty.
Note: Since you are creating a self-signed certificate for use by a web server, at the prompt “Common Name (eg, YOUR name) :”, enter the fully qualified domain name (FQDN) of your web server. This will prevent a “domain name mismatch” error box from appearing when clients connect to your web site.