Linux Commands

How to Create a Self-Assigned SSL Certificate on the Linux Command Line

The SSL (Secure Sockets Layer) protocol authenticates and encrypts the data over a network between a client and a server. An SSL certificate similarly creates an encrypted bridge between a website and a browser. According to its name, this certificate is signed by the person who makes it.

SSL certificates have the same encryption level as trusted CA-signed SSL certificates. Using openssl, you can generate a self-signed SSL certificate in the Linux command line with just a few steps. This guide looks at creating a self-signed SSL certificate on Linux.

How to Create a Self-Signed SSL Certificate on the Linux Command Line

Generating your certificate on the Linux command line and signing it using the private key is easy. Here, we can create our SSL certificate by following a few steps using the terminal.

Install the OpenSSL on Linux

OpenSSL is an open-source command-line tool that allows you to perform various tasks related to SSL. This tool is also required to generate the self-signed SSL certificates, which you can easily install with the help of Linux repositories. You can install it through the following commands:

sudo apt update

sudo apt install openssl -y (for Debian-based distros)

sudo pacman -Sy openssl (for Arch Linux)

sudo dnf install openssl (for RPM-based distros)

Create a Self-Signed Certificate

After successfully installing the OpenSSL, you can generate an SSL certificate using just one command. OpenSSL creates the certificate and associated encryption key in the current directory. Hence, please open the specific directory where you want to create the key or certificate. Here, we create a self-signed SSL certificate named “sample” using the following command:

sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out sample.crt -keyout sample.key

Let’s try to understand the previous command better by breaking it:

The system asks you with questions which are related to that organization to process the intended certificate.

Note: You can use any value other than the common name field to use the certificate for testing or personal development. Moreover, you need to enter the website’s domain that installed the certificate.

Bonus Tip: If you want your private key to be encrypted, remove the -nodes option from the previous command.

Read the Content of the Self-Signed SSL Certificate

You can check the location of the newly created certificates and private keys through the ls command. Since we created a file named “sample”, we should find that file and its private key under the directory.

The created certificate is PEM-formatted. Run the following command in a terminal to read its contents:

sudo openssl x509 -noout -in certificate.pem -text

We included the following in the previous command:

-noout Escapes the encoded version of the certificate.
-in Specifies the file containing the certificate.
-text Prints the certificate output in text form.

Conversely, use the -x509 command with the -pubkey option to extract the public key from the certificate. Hence, the certificate prints the public key in PEM format.

sudo openssl x509 -pubkey -noout -in certificate.pem

Generate the Self-Signed SSL Certificate with No Prompt

If you don’t want to be prompted to answer any questions when generating a self-signed SSL certificate, you can specify all subject information using the -subj option as follows:

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out example.crt -keyout -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/"

The list of fields that is specified under -subj is listed in the following:


A self-signed SSL certificate enables a secure connection for the web browser. This certificate acts like a certificate that is created by a trusted authority. For this reason, the SSL certificates are commonly used for home or company intranets for applications such as testing and development purposes.

This guide has everything you need to know to create a self-signed SSL certificate on the Linux command line through the openssl tool. For this, you need to provide the details about the certificate such as determining its validity, the key size, etc.

About the author

Prateek Jangid

A passionate Linux user for personal and professional reasons, always exploring what is new in the world of Linux and sharing with my readers.