Ubuntu: Creating a self-signed certificate using OpenSSL on Ubuntu

There are numerous articles I’ve written where a self-signed certificate is a prerequisite for deploying a piece of infrastructure.

Here are the quick steps for creating a self-signed certificate on an Ubuntu server.  First we create the destination directory (the RHEL-style /etc/pki/tls/certs path is used here; Ubuntu's own convention is /etc/ssl, and either works as long as the services you configure point at the same place) and make sure the openssl command-line tool is installed.  Note that the libssl package alone only provides the shared library, not the openssl binary:

# mkdir -p /etc/pki/tls/certs
# chmod 755 /etc/pki/tls/certs
# apt-get install openssl -y

Then we create the self-signed cert, good for 10 years, with a CN matching the fully qualified name of the host.  Modern browsers ignore the CN and match the host name against the subjectAltName extension, so the name is added there as well (the -addext option needs OpenSSL 1.1.1 or newer; drop that line on older releases).  The -subj argument must be in double quotes, otherwise the shell does not expand $FQDN and the CN literally becomes the string "$FQDN":

# cd /etc/pki/tls/certs
# export FQDN=$(hostname -f)
# openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
-keyout $FQDN.key -out $FQDN.crt \
-subj "/C=US/ST=CA/L=SFO/O=myorg/CN=$FQDN" \
-addext "subjectAltName=DNS:$FQDN"

This puts two files into the directory: $FQDN.crt (the public certificate, which any service may read) and $FQDN.key (the private key, which should be readable only by root).

Some applications want the public/private pair in a slightly different format.  haproxy, for example, expects a single .pem file that is simply the certificate followed by the private key.  Because the .pem embeds the key, give it the same restrictive permissions as the key file:

# cat $FQDN.crt $FQDN.key > $FQDN.pem

And Windows application servers like IIS want a binary PKCS#12 .pfx file.  openssl prompts for an export password, which IIS asks for again on import; -in can take either the bare .crt or the haproxy .pem, since only the certificate is read from it:

# openssl pkcs12 -export -out $FQDN.pfx \
-inkey $FQDN.key -in $FQDN.pem
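The whole procedure above, as an added example script that is not part of the original post: it generates the key and certificate with the host name in both CN and SAN, checks that the key really matches the certificate and that the SAN made it in, then builds the haproxy .pem and the IIS .pfx with the permissions a private key deserves.  It assumes bash and OpenSSL 1.1.1 or newer; the variable names (CERT_DIR, PFX_PASS), the function names and the default export password are this example's own, and CERT_DIR falls back to a temporary directory so it can be tried without root.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumes bash and OpenSSL >= 1.1.1
# (needed for "req -addext" and "x509 -ext"). CERT_DIR, PFX_PASS and the
# function names are this example's own; the default password is a placeholder.
set -euo pipefail

# Defaults may be overridden from the environment. CERT_DIR falls back to a
# throwaway directory so the script can be run without touching /etc.
CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
FQDN="${FQDN:-$(hostname -f 2>/dev/null || true)}"
FQDN="${FQDN:-localhost}"
DAYS="${DAYS:-3650}"
PFX_PASS="${PFX_PASS:-changeit}"   # constructed placeholder; IIS asks for it on import

# Step 1: RSA-2048 key plus a self-signed SHA-256 certificate with the host name
# in both the CN (legacy) and the subjectAltName (what browsers actually check).
# The umask guarantees the private key is never created world-readable.
make_selfsigned() {
    local fqdn="$1" dir="$2" days="$3"
    mkdir -p "$dir"
    chmod 755 "$dir"
    (umask 077 && openssl req -x509 -nodes -sha256 -days "$days" -newkey rsa:2048 \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.crt" \
        -subj "/C=US/ST=CA/L=SFO/O=myorg/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null)
    chmod 644 "$dir/$fqdn.crt"    # the certificate is public; the key stays 0600
}

# CN of the generated certificate (RFC 2253 output is "CN=...,O=...,...").
cert_cn() {
    openssl x509 -in "$2/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Checks worth running before handing the files to a service: the key matches the
# certificate, the certificate is really self-signed (issuer equals subject) and
# the subjectAltName carries the host name. Returns non-zero on any failure.
verify_cert() {
    local fqdn="$1" dir="$2"
    local crt="$dir/$fqdn.crt" key="$dir/$fqdn.key"
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
    [ "$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')" ] || return 1
    openssl x509 -in "$crt" -noout -ext subjectAltName | grep -q "DNS:$fqdn"
}

# Step 2: haproxy wants certificate followed by key in one PEM file. Since it
# embeds the private key it gets the key's permissions, not the certificate's.
make_haproxy_pem() {
    local fqdn="$1" dir="$2"
    (umask 077 && cat "$dir/$fqdn.crt" "$dir/$fqdn.key" > "$dir/$fqdn.pem")
    chmod 600 "$dir/$fqdn.pem"
}

# Step 3: PKCS#12 bundle for IIS. -passout makes the export non-interactive.
# OpenSSL 3 defaults to AES/PBKDF2 inside the bundle, which some older Windows
# releases cannot import; "-legacy" on OpenSSL 3 produces the old RC2/3DES format.
make_pfx() {
    local fqdn="$1" dir="$2" pass="$3"
    (umask 077 && openssl pkcs12 -export -out "$dir/$fqdn.pfx" \
        -inkey "$dir/$fqdn.key" -in "$dir/$fqdn.crt" -passout "pass:$pass")
}

# Read the CN back out of the .pfx to prove the bundle round-trips.
pfx_cn() {
    local fqdn="$1" dir="$2" pass="$3"
    openssl pkcs12 -in "$dir/$fqdn.pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

main() {
    make_selfsigned "$FQDN" "$CERT_DIR" "$DAYS"
    verify_cert "$FQDN" "$CERT_DIR"
    make_haproxy_pem "$FQDN" "$CERT_DIR"
    make_pfx "$FQDN" "$CERT_DIR" "$PFX_PASS"
    echo "wrote $CERT_DIR/$FQDN.{key,crt,pem,pfx} for CN=$(cert_cn "$FQDN" "$CERT_DIR")"
}
main "$@"
```

Run it as root with CERT_DIR=/etc/pki/tls/certs (and a real PFX_PASS) to reproduce the manual steps; without those variables it writes into a temporary directory, which is handy for checking that the SAN and key-matching tests pass on your OpenSSL version before touching the server.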