How to Create a Free SSL/TLS Certificate with OpenSSL on ubuntu/Linux
SSL/TLS certificates are used to encrypt data sent over internet communication. Without encryption, the received data could be vulnerable to being hacked by a man-in-the-middle attack. In public communication, you’ll need your certificate to be signed off by an approved Certificate Authority (CA), but in private communications, that isn’t necessary. If you don’t submit your public key for approval from any CA, web browsers will display warnings that the certificates aren’t trustworthy; however this has no impact on security measures at all. There are many tools available which allow you to create self-signed certificates easily. One of these tools is OpenSSL and it can be installed on Ubuntu servers without trouble at all – allowing users to generate their own SSL certificates very easily if they wish!
OpenSSL provides various functions to create, read, and verify certificates, certificate requests, and revocation lists. These can be used to create your own Certificate Authority (CA) or just to create a single certificate that you can use on your web server to secure communications with clients using SSL/TLS (HTTPS). If you’re in the market for an SSL/TLS certificate from a trusted Certificate Authority, see this list of Free SSL Certificates. Otherwise, you can create your own free certificate with OpenSSL by following the steps below.
Generating Free SSL Certificate with OpenSSL
OpenSSL is a free tool that can be used to generate self-signed SSL/TLS certificates. OpenSSL typically comes preinstalled in Linux systems, so if you have Ubuntu Server or any other Linux installation, creating a free SSL certificate using OpenSSL will require little effort. To check whether your operating system has OpenSSL preinstalled, open up the terminal and enter the below command.
openssl version -aIf you have OpenSSL installed, then this command will show the version of your install like below.
OpenSSL 1.1.1f 31 Mar 2020
built on: Wed Mar 9 12:12:45 2022 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-2iuOVN/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specificnow, you can execute the Openssl command needed to create an SSL/TLS certificate for free. To begin, we will create a password key file that can generate private keys. To do this, you should execute the following command
openssl genrsa -des3 -passout pass:xnet@123 -out system.pass.key 2048This command will create a password key file called system.pass.key. It is simple enough to call the file ‘system’ for simplicity, but feel free to use any name of your choosing. If you run ls, then you’ll see that there’s now a new file in your working directory.
We will now create a private key file with OpenSSL. To do this, we need to run the following command
openssl rsa -passin pass:xnet@123 -in system.pass.key -out system.keyThis command will generate a private key file called system.key which needs to be securely stored if it falls into the wrong hands – as someone who has access to this key can decrypt your encrypted data.
Now you’ll find two files in your working directory. One is a key file that contains the password and one contains the private key information. You won’t need to use the password file again so we’re going to delete it with this command
rm system.pass.keyIn order to generate public key files, we need CSR (Certificate Signing Request) files. Run this OpenSSL command to generate the CSR file.
openssl req -new -key system.key -out system.csrThis command will ask for some information about your SSL certificate like the below example. Enter the appropriate information when it appears.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Letsknowtech
Organizational Unit Name (eg, section) []:pet accessories
Common Name (e.g. server FQDN or YOUR name) []:paolotot
Email Address []:info@letsknowtech.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:letsknowtech
root@cyberpanel231onubuntu2004-s-4vcpu-8gb-fra1-01:~# openssl x509 -req -days 365 -in system.csr -signkey system.key -out system.crt
Signature ok
subject=C = IT, O = letsknowtech, OU = pet accessories, CN = paolotot, emailAddress = info@letsknowtech.com
Getting Private keyNow, we will use OpenSSL to create our public key certificate file. To do this, enter the following command.
openssl x509 -req -days 365 -in system.csr -signkey system.key -out system.crtThe above command will generate a public key certificate with 365 days of validity. However, if you would prefer it to be valid for longer than one year, please amend the amount of time in this command. In your current directory, you will now find three files – system.key and system.crt being the private and public keys respectively. Run the ls command to confirm.
root@cyberpanel2311:~# ls
snap system.crt system.csr system.keyThese OpenSSL generated files are now available for you to use on your webserver, email server or any other application requiring an SSL/TLS certificate. You can view inside of the generated files using less or echo commands.
In this article, we explored how to use the OpenSSL tool to create a free SSL certificate. Now you can protect your website against attackers by setting up HTTPS on it! If you’re confused at any point during the process, just let me know in the comment section I’ll do my best to help out.
Rishad is a software engineer with a passion for web development. He has been working as a freelancer for the past 3 years, helping businesses and individuals create professional and functional websites. He is an undergraduate student of BSC in Software Engineering (Kingston UK). Rishad’s expertise lies in JavaScript/PHP/Wordpress/React/Django/Python, and he is constantly learning and updating his skills to stay on top of the latest trends and best practices in web development.
