How to Create Self Signed Certificates on Ubuntu Linux

This post shows students and new users how to generate self-signed SSL/TLS certificates on Ubuntu for local use with the Nginx or Apache web servers. A self-signed SSL certificate is signed by its creator rather than by a trusted third-party certificate authority (CA). Self-signed certificates can provide the same level of encryption as SSL certificates signed by a trusted CA.

Web browsers do not treat self-signed certificates as valid. That's why, when you browse to a host that uses a self-signed certificate, you'll be prompted with a warning that the certificate cannot be trusted.

Most self-signed certificates are created specifically for internal use or for development environments. Websites and applications on the public internet do not use self-signed certificates because major web browsers do not trust them.

If you're a student or new user learning Linux, the easiest place to start learning is on Ubuntu Linux. Ubuntu is a modern, open-source Linux operating system for desktops, servers and other devices.

To get started with creating self-signed certificates on Ubuntu Linux, follow the steps below.

How to create self-signed certificates on Ubuntu Linux

To generate an SSL/TLS certificate on Ubuntu, the OpenSSL toolkit is required. This tool is usually installed on Ubuntu Linux by default. If it is not, run the commands below to install it.

sudo apt update
sudo apt install openssl

To create a new self-signed SSL certificate, use the openssl req command. The command below generates an SSL/TLS certificate and its private key for your domain.

openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out example.crt -keyout example.key

The command details are as follows:

  • -newkey rsa:4096 – creates a new certificate request and a 4096-bit RSA key.
  • -x509 – outputs a self-signed X.509 certificate instead of a certificate request.
  • -sha256 – uses 256-bit SHA (Secure Hash Algorithm) to create the certificate.
  • -days 365 – the number of days the certificate is valid for. Typically a year or more.
  • -nodes – creates a key without a passphrase, so the private key is stored unencrypted.
  • -out example.crt – specifies the filename to write the newly created certificate to.
  • -keyout example.key – specifies the filename to write the private key to.

Once you press ENTER, the command will generate a private key and prompt you with a series of questions whose answers are used to generate the certificate.

Generating a RSA private key
writing new private key to 'example.key'

Provide answers similar to the ones below, replacing the details with your own so that they describe the certificate you're generating.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EXAMPLE, Inc.
Organizational Unit Name (eg, section) []:Publishing
Common Name (e.g. server FQDN or YOUR name) []
Email Address []:[email protected]

After that, two files (example.crt and example.key) will be created in the directory where you ran the command. Use these files in your Nginx or Apache setup to enable HTTPS connections.
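
The same certificate can be produced without the interactive prompts and checked before it is handed to Nginx or Apache. The script below is an added example, not part of the original post: it assumes OpenSSL 1.1.1 or later (for -addext and -ext), and the host name dev.example.test, the temporary directory and the function names are constructed for illustration. It also adds a subjectAltName entry, because current browsers match the host name against that extension rather than the Common Name.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Host name and paths are constructed.

# make_cert HOST DIR: the post's openssl req options, answered through -subj,
# plus a subjectAltName entry for HOST (an addition to the post's command).
make_cert() {
    local host="$1" dir="$2"
    (
        umask 077   # -nodes leaves the key unencrypted, so create it owner-only
        openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
            -subj "/C=US/ST=New York/L=New York/O=EXAMPLE, Inc./OU=Publishing/CN=${host}" \
            -addext "subjectAltName=DNS:${host}" \
            -out "${dir}/${host}.crt" -keyout "${dir}/${host}.key"
    )
}

# True when the certificate's public key is the one derived from the private key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# True when HOST appears as an exact DNS entry in the subjectAltName extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$2"
}

# True when the key file is readable and writable by its owner only.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# True when the certificate is still valid SECONDS from now (default: 30 days).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

report() { if "$@"; then echo "ok    $1"; else echo "FAIL  $1"; fi; }

demo_dir="$(mktemp -d)"
demo_host="dev.example.test"
crt="${demo_dir}/${demo_host}.crt"
key="${demo_dir}/${demo_host}.key"
make_cert "$demo_host" "$demo_dir"
report cert_matches_key "$crt" "$key"
report cert_has_san "$crt" "$demo_host"
report key_is_private "$key"
report cert_valid_for "$crt"
```

Running cert_valid_for from a scheduled job with a larger window gives early notice before the 365-day certificate expires.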

That should do it.

This post showed you how to create self-signed SSL/TLS certificates on Ubuntu Linux.