How many people have wanted to make an SSL certificate for one reason or another and didn’t want to pay the outrageous fees to someone to get a legitimate one? After all, if it’s just encryption you want, why pay when openssl makes them for free? Here’s how…

Ok, so most unixes have openssl available or installed by default; make sure:

machine: ~> which openssl
/usr/bin/openssl

yay! we have openssl… Now, there are 2 critical parts to this, and one thing to keep in mind:

  1. Making a CERTIFICATE requires that you first make the KEY that the CERTIFICATE belongs to
  2. KEYS normally need ‘passwords’ or ‘passphrases’

So, to make a key you do this (make a 1024-bit key and save it to sample.key):

neo-u2:/tmp> openssl genrsa -out sample.key 1024
Generating RSA private key, 1024 bit long modulus
..................++++++
...................++++++
e is 65537 (0x10001)
neo-u2:/tmp> 

Of course you’ll want to protect that key, so chmod 400 that sucker:

chmod 400 sample.key

You can view the key as text (show the RSA key in file sample.key as text):

neo-u2:/tmp> openssl rsa -text -in sample.key 
Private-Key: (1024 bit)
modulus:
    00:ad:7a:80:db:e6:3c:e9:71:2b:f5:30:ab:f3:08:
    24:c6:03:80:68:d3:4d:42:a7:c9:dc:6b:9d:0f:b6:
    7d:e7:ee:9b:45:6d:8f:78:5d:e8:d4:62:e0:bd:cb:
    05:d6:c4:34:af:90:19:f8:0a:86:9f:91:f1:58:78:
    47:95:41:ab:e6:fe:80:c5:c1:ff:bb:1b:45:18:9c:
    cb:08:60:c1:d5:0d:86:24:bd:f7:09:62:22:f7:4a:
    6b:99:80:11:f4:ab:91:22:87:e0:ba:bc:20:cd:43:
    65:9d:9b:ed:63:94:cf:81:1f:7c:e4:de:0a:33:b0:
    d5:1e:ee:e6:66:97:7d:80:8f
publicExponent: 65537 (0x10001)
privateExponent:
    00:a3:0b:3e:ee:ee:0e:93:ac:dd:0e:9e:07:0d:ec:
    ba:7b:2c:b1:54:54:3c:0a:08:9e:cd:3e:8b:28:48:
    71:3f:39:df:cf:39:f0:9c:c5:4e:5d:c6:ec:c9:14:
    76:51:6a:a8:c5:d4:9e:c3:a4:48:f0:d2:7e:cd:92:
    86:5c:be:93:2b:83:a2:4a:21:ad:e5:57:44:91:05:
    9f:17:34:34:1f:08:e6:88:b6:31:bc:ed:41:c6:60:
    e7:16:13:5d:74:77:1d:6b:3b:47:d1:a3:03:2c:68:
    59:a2:88:bb:7b:09:b1:6d:1d:8b:c6:e3:3a:14:e5:
    f3:81:de:21:ef:3e:a5:33:79
prime1:
    00:dd:d5:ff:60:83:29:76:28:ee:8f:c2:6b:bd:b7:
    74:44:a7:92:6c:d6:6c:90:4e:62:af:09:c8:fc:6a:
    c7:73:21:cf:a4:3f:61:bf:e0:ea:ed:94:9f:e4:b3:
    be:77:51:89:1d:e2:3a:a9:d8:be:89:f9:7b:d8:f8:
    92:6b:44:fe:d5
prime2:
    00:c8:31:fd:2c:00:26:3e:90:9f:98:62:c2:9a:35:
    11:c2:48:9e:3d:fb:6e:4d:be:78:9b:ac:dc:de:64:
    8a:91:f0:4f:37:63:bb:88:84:6e:26:b1:83:3c:55:
    cb:b6:83:2e:71:ad:11:0e:90:31:6f:5b:50:d1:d7:
    e0:e1:43:1b:d3
exponent1:
    00:93:f4:2c:75:74:45:6c:f7:73:d5:11:f8:c5:f9:
    db:64:06:d7:94:1b:97:20:d0:06:e5:73:83:47:46:
    f8:6b:83:7b:77:b2:86:41:71:83:7e:9d:87:df:03:
    3a:df:5d:d4:33:c8:35:14:1e:e9:46:20:cd:47:32:
    d2:85:14:e9:59
exponent2:
    16:18:36:49:e1:e6:56:a7:5d:85:d2:f8:89:4e:6c:
    1c:56:29:68:cb:d4:1b:ae:76:df:2f:8f:dc:d7:99:
    d7:8b:7f:22:ac:d6:28:b5:fc:f6:36:47:36:a4:7d:
    6c:32:44:30:f5:99:d9:52:9e:b2:1c:90:e9:e7:fa:
    80:c2:08:53
coefficient:
    00:93:57:ee:3a:76:3a:20:60:bf:27:68:16:db:7b:
    50:1f:bd:8c:4a:bb:b9:24:72:fc:1b:93:e0:b4:2f:
    79:8b:6f:33:40:a1:37:49:2c:ae:92:07:ec:f7:23:
    fa:c8:be:80:20:c4:17:3c:64:1f:22:e9:b3:c4:69:
    de:a6:37:c0:0e
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[base64 key data elided]
-----END RSA PRIVATE KEY-----

Now, make a CERTIFICATE from that KEY (new request, in x509 format, do not encrypt with DES, sign it with SHA-1, make it expire in 3 years (1095 days), use the key sample.key and put the output in sample.cert):

openssl req -new -x509 -nodes -sha1 -days 1095 -key sample.key -out sample.cert
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sample Org
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:sample.domainname.org
Email Address []:webmaster@sample.domainname.org

This results in a cert like:

-----BEGIN CERTIFICATE-----
[base64 certificate data elided]
-----END CERTIFICATE-----
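Here is the whole key-plus-certificate procedure above as one script, with the checks I’d run before putting the pair on a server. This is an added example, not code from the original post. It departs from the post in three places, on purpose: a 2048-bit key and -sha256 instead of 1024 bits and -sha1 (1024-bit RSA is below today’s 2048-bit baseline and SHA-1 certificate signatures are rejected by current browsers), -subj so the DN prompts are answered without typing, and -addext for a subjectAltName, because browsers match the hostname against the SAN, not the Common Name. It assumes a POSIX shell and OpenSSL 1.1.1 or newer (for -addext); sample.domainname.org and the file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): the post's genrsa + req -x509
# steps done non-interactively, plus checks that the result is usable.
# Assumes OpenSSL >= 1.1.1. Host and file names are illustrative.
set -eu

# make_self_signed KEYFILE CERTFILE HOSTNAME [DAYS]
make_self_signed() {
    local key="$1" cert="$2" host="$3" days="${4:-1095}"

    # umask 077 makes the key 0600 from the moment it is created, closing
    # the window that a later "chmod 400" leaves while genrsa is writing.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null )

    # -nodes: leave the key unencrypted, as in the post (a daemon can restart
    # without a passphrase prompt). -x509: emit a self-signed cert, not a CSR.
    # -subj answers the DN prompts; -addext adds the SAN browsers check.
    openssl req -new -x509 -nodes -sha256 -days "$days" \
        -key "$key" -out "$cert" \
        -subj "/C=US/ST=VA/O=Sample Org/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# cert_matches_key CERTFILE KEYFILE
# A cert is only useful with the key it was made from: compare the public key
# embedded in the cert with the one derived from the private key.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_self_verifies CERTFILE
# A self-signed cert must validate when it is its own trust anchor; this is
# what a client that has been told to trust sample.cert will do.
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_san CERTFILE -> prints the SAN line, e.g. "DNS:sample.domainname.org"
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' \t'
}

# key_mode FILE -> prints the octal permission bits, e.g. 600
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo: build the pair in a scratch directory and run every check.
demo() {
    local work
    work=$(mktemp -d)
    make_self_signed "$work/sample.key" "$work/sample.cert" sample.domainname.org
    cert_matches_key "$work/sample.cert" "$work/sample.key" \
        && echo "public key in sample.cert matches sample.key"
    cert_self_verifies "$work/sample.cert" \
        && echo "sample.cert verifies with itself as the trust anchor"
    echo "key file mode: $(key_mode "$work/sample.key")"
    echo "SAN: $(cert_san "$work/sample.cert")"
    openssl x509 -in "$work/sample.cert" -noout -subject -issuer -dates
    rm -rf "$work"
}
demo
```

The two functions you actually keep around are cert_matches_key and cert_self_verifies: a mismatched key and cert is the classic "the webserver won't start" failure, and the verify call tells you the cert you are about to hand to clients is at least internally consistent.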

Note, nowhere were we required to put in a passphrase/password for that key. That may be ideal for your requirements (hands-off restart of a webserver, for instance). If that is the case, excellent… If it is NOT the case, then adding a passphrase to your key is as simple as this (work on the RSA keyfile sample.key, encrypt it with AES-256 and put the resultant file in sample.pem):

openssl rsa -aes256 -in sample.key -out sample.pem 
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

The resultant key looks like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,560C52616DD7C5F444BD84EFAB0E20FE
[base64 encrypted key data elided]
-----END RSA PRIVATE KEY-----
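As an added example (not from the original post), here is that passphrase step done without the interactive prompt, plus the two checks I’d want: is this key file actually encrypted, and does the encrypted copy still unlock to the same key? It assumes a POSIX shell and OpenSSL 1.1.1 or newer. One thing to know: OpenSSL 1.1.x writes the "Proc-Type: 4,ENCRYPTED" header shown above, while OpenSSL 3.x writes the key in PKCS#8 form as "BEGIN ENCRYPTED PRIVATE KEY", so the check looks for both. The passphrase is read from a file rather than given as "pass:..." on the command line, where any local user could read it out of the process list while openssl runs. File names and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive passphrase
# protection for an existing key, plus checks on the result.
# Assumes OpenSSL >= 1.1.1. File names and passphrase are constructed.
set -eu

# key_is_encrypted KEYFILE
# Returns 0 when the PEM carries either encryption marker:
#   PKCS#1 (OpenSSL 1.1.x "rsa -aes256"):   "Proc-Type: 4,ENCRYPTED"
#   PKCS#8 (OpenSSL 3.x "rsa -aes256"):     "BEGIN ENCRYPTED PRIVATE KEY"
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# encrypt_key PLAIN_KEY OUT_KEY PASSFILE
# Same command as the post, but the passphrase comes from the first line of
# PASSFILE (keep that file 0600) and the output is created 0600 via umask.
encrypt_key() {
    ( umask 077 && openssl rsa -aes256 -in "$1" -out "$2" \
          -passout "file:$3" 2>/dev/null )
}

# keys_are_same PLAIN_KEY ENC_KEY PASSFILE
# Unlock the protected copy in memory and compare public keys: proves the
# passphrase in PASSFILE works and that nothing was lost in the conversion.
keys_are_same() {
    local a b
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    b=$(openssl pkey -in "$2" -passin "file:$3" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# key_opens_without_passphrase KEYFILE
# Returns 0 if openssl can read the key with an empty passphrase. The post's
# -nodes key has this property; the encrypted copy must not.
key_opens_without_passphrase() {
    openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# Demo: make a throwaway key, protect it, and report the checks.
demo() {
    local work
    work=$(mktemp -d)
    openssl genrsa -out "$work/sample.key" 2048 2>/dev/null
    ( umask 077 && printf '%s\n' 'constructed-demo-passphrase' > "$work/pass.txt" )
    encrypt_key "$work/sample.key" "$work/sample.pem" "$work/pass.txt"
    key_is_encrypted "$work/sample.key" \
        && echo "sample.key: encrypted" || echo "sample.key: NOT encrypted"
    key_is_encrypted "$work/sample.pem" \
        && echo "sample.pem: encrypted" || echo "sample.pem: NOT encrypted"
    keys_are_same "$work/sample.key" "$work/sample.pem" "$work/pass.txt" \
        && echo "sample.pem unlocks to the same key as sample.key"
    key_opens_without_passphrase "$work/sample.pem" \
        || echo "sample.pem cannot be read without the passphrase"
    head -n 2 "$work/sample.pem"
    rm -rf "$work"
}
demo
```

If you go this route for a webserver key, remember the trade-off the post points out: the daemon now needs the passphrase at every start, so either someone types it or it lives in a file the daemon can read, and that file needs the same care as the unencrypted key did.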

Ok, any questions?