Generate Self Signed Certificate

Last Updated On Wednesday 6th Oct 2021

Create Self Signed Certificate

  • This page shows how to create a self-signed certificate with OpenSSL.
  • OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end.
  • It’s easy to create a self-signed certificate.
  • You just use the openssl req command.
  • It can be tricky to create one that can be consumed by the largest selection of clients, like browsers and command line tools.
  • Use the following commands to generate a self-signed certificate, entering a passphrase when prompted.

OpenSSL Self Signed Certificate

Generate a private key

  • A private key helps to enable encryption and is the most important component of our certificate.

Use the following command to generate a private key with ECDSA

	openssl ecparam -genkey -name prime256v1 | openssl ec -out private.key
	

A response similar to this one should be displayed

	read EC key
	writing EC key
	

Generate SSL Certificate

Alternatively, use the following command to generate a private ECDSA key protected by a password.

	openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD
	

Use the following command to generate a private key with RSA

	openssl genrsa -out private.key 2048
	

A response similar to this one should be displayed

	Generating RSA private key, 2048 bit long modulus
	............................................+++
	...........+++
	e is 65537 (0x10001)
	

Alternatively, use the following command to generate a private RSA key protected by a password

	openssl genrsa -aes256 -passout pass:PASSWORD -out private.key 2048
	

When using a password-protected private key, the password must be provided through the environment variable MINIO_CERT_PASSWD using the following command.

	export MINIO_CERT_PASSWD=<PASSWORD>
	
  • The default OpenSSL format for private encrypted keys is PKCS-8, but MinIO only supports PKCS-1.
  • An RSA key that has been formatted with PKCS-8 can be converted to PKCS-1 using the following command.

	openssl rsa -in private-pkcs8-key.key -aes256 -passout pass:PASSWORD -out private.key
	

OpenSSL Generate Self Signed Certificate

If we want our certificate signed, we need a certificate signing request (CSR).

	openssl req -key private.key -new -out domain.csr
	

We can also skip the CSR and create the self-signed certificate directly from the private key with a single command.

	openssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=US/ST=state/L=location/O=organization/CN=<domain.com>"
	

Note: Replace <domain.com> with the development domain name.

  • Alternatively, use the command below to generate a self-signed wildcard certificate that is valid for all subdomains under <domain.com>.
  • Wildcard certificates are useful for deploying distributed MinIO instances, where each instance runs on a subdomain under a single parent domain.

	openssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=US/ST=state/L=location/O=organization/CN=<*.domain.com>"
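
On the point above about certificates that the widest range of clients accept: current browsers and Go-based clients match the host name against the subjectAltName extension rather than the CN, so the script below (an added example, not part of the original page) issues the certificate with SAN entries and then checks the result. The domain dev.example.test, the function names and the temporary directory are assumptions, and -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original page. dev.example.test, the function
# names and the temporary directory are assumptions for illustration.

# make_selfsigned DOMAIN OUTDIR: ECDSA key plus a certificate whose SAN covers
# DOMAIN and *.DOMAIN. The key file is created with owner-only permissions.
make_selfsigned() {
    ms_domain=$1
    ms_dir=$2
    mkdir -p "$ms_dir" || return 1
    (
        umask 077
        openssl ecparam -genkey -name prime256v1 |
            openssl ec -out "$ms_dir/private.key"
    ) 2>/dev/null || return 1
    openssl req -new -x509 -days 3650 \
        -key "$ms_dir/private.key" -out "$ms_dir/public.crt" \
        -subj "/C=US/ST=state/L=location/O=organization/CN=$ms_domain" \
        -addext "subjectAltName=DNS:$ms_domain,DNS:*.$ms_domain"
}

# cert_has_san CERT NAME: succeeds only if NAME is an exact DNS SAN entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$2"
}

# key_matches_cert KEY CERT: succeeds only if both carry the same public key.
key_matches_cert() {
    km_key=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    km_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$km_key" = "$km_crt" ]
}

# Demo run in a throwaway directory.
workdir=$(mktemp -d)
make_selfsigned dev.example.test "$workdir" &&
    cert_has_san "$workdir/public.crt" dev.example.test &&
    key_matches_cert "$workdir/private.key" "$workdir/public.crt" &&
    echo "certificate OK: $workdir/public.crt"
```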