
Create a Self-Signed SSL Certificate

  • Subject Alternative Names are required in Google Chrome 58 and later: Chrome matches the requested domain name against the certificate's Subject Alternative Name list, not against the Common Name.
  • If the domain name is not listed in the certificate's Subject Alternative Names, Chrome reports a NET::ERR_CERT_COMMON_NAME_INVALID error.

1. Generate an OpenSSL CSR Config with your domain information

cat <<"EOF" | sudo tee /tmp/tls.conf > /dev/null
[ req ]
default_bits = 2048
default_keyfile = tls.key
distinguished_name = req_distinguished_name
# extensions added to a CSR (openssl req without -x509)
req_extensions = req_ext
# extensions added to the self-signed certificate (openssl req -x509)
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = LK
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Western Province
localityName = Locality Name (eg, city)
localityName_default = Colombo
organizationName = Organization Name (eg, company)
organizationName_default = Example (Private) Limited
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = example.local
commonName_max = 64

[ req_ext ]
subjectAltName = @alt_names

[ v3_ca ]
subjectAltName = @alt_names

[ alt_names ]
# Optional: uncomment and set if clients also connect by IP address.
# An empty IP.1 value makes openssl fail when it builds the extension.
# IP.1 = <server IP address>
DNS.1 = localhost
DNS.2 = example.local
DNS.3 = *.example.local
EOF

2. Generate the TLS Certificate and Key

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -config /tmp/tls.conf

  • Add the self-signed certificate to the OS trust store
# On CentOS
sudo cp tls.crt /etc/pki/ca-trust/source/anchors/tls.crt
sudo update-ca-trust

# On Ubuntu
sudo cp tls.crt /usr/local/share/ca-certificates/tls.crt
sudo update-ca-certificates

# On Windows
certutil.exe -addstore "Root" tls.crt

  • Generate a PFX certificate from tls.crt and tls.key
openssl pkcs12 -export -out tls.pfx -inkey tls.key -in tls.crt
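
The whole procedure run unattended and then checked, as an added example that is not part of this tutorial: it writes a config in the layout of step 1 (with prompt = no so openssl asks no questions), runs the openssl req command from step 2, prints the SAN list that Chrome matches against, checks names both inside and outside that list with openssl verify -verify_hostname, and exports and reads back the PFX with a non-interactive password. It assumes only the openssl CLI on PATH; the scratch directory, the DN values and the changeit export password are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): run the tutorial's steps
# unattended in a scratch directory, then verify the result the way a
# browser would. Assumes only the openssl CLI; all values are constructed.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CONF="$WORKDIR/tls.conf"
KEY="$WORKDIR/tls.key"
CRT="$WORKDIR/tls.crt"
PFX="$WORKDIR/tls.pfx"
PFX_PASS="changeit"   # constructed export password for the example only

# Same layout as the tutorial's config, with section headers and
# prompt = no so openssl req takes the DN values without prompting.
cat > "$CONF" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[ req_distinguished_name ]
C  = LK
ST = Western Province
L  = Colombo
O  = Example (Private) Limited
OU = Development
CN = example.local

[ v3_ca ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
DNS.2 = example.local
DNS.3 = *.example.local
EOF

# Step 2 of the tutorial (no sudo needed: everything lives in $WORKDIR).
generate_cert() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$KEY" -out "$CRT" -config "$CONF" 2>/dev/null
}

# Print the SAN line of the certificate, the part Chrome 58+ matches on.
san_list() {
  openssl x509 -in "$CRT" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}'
}

# hostname_ok NAME: succeed only if NAME is covered by the SAN list.
# A self-signed certificate is its own trust anchor, so passing it as
# -CAfile is the command-line equivalent of importing it into the OS store.
hostname_ok() {
  openssl verify -CAfile "$CRT" -verify_hostname "$1" "$CRT" >/dev/null 2>&1
}

# Bundle key and certificate into a PFX; the tutorial's command prompts
# for this password, -passout supplies it non-interactively instead.
export_pfx() {
  openssl pkcs12 -export -out "$PFX" -inkey "$KEY" -in "$CRT" \
    -passout "pass:$PFX_PASS"
}

# Read the subject CN back out of the PFX, proving the bundle loads.
pfx_subject_cn() {
  openssl pkcs12 -in "$PFX" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//; s/,.*$//'
}
```

A name that fails hostname_ok here (for example a host not listed under alt_names) is one the browser will reject with the NET::ERR_CERT_COMMON_NAME_INVALID error described at the top of the page, so this check is worth running before the certificate is copied into any trust store.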
