
Self-signed strong certificate with OpenSSL for Apache

First we have to generate a certificate signing request plus a private key.

(In the openssl.cnf file you can set default_bits = 4096, so that the generated RSA key is 4096 bits long and the certificate is a strong one.)

openssl req -config openssl.cnf -new -out localhost.csr -keyout localhost.pem

You will be asked for some information:

PEM pass phrase: - a long and secure (not a simple) password
Country Name: - a two-letter code for your country (Switzerland = CH; Netherlands = NL, …)
State or Province Name: - the province you live in (optional)
Locality Name: - the city you live in (optional)
Organization Name: - (optional)
Organizational Unit Name: - (optional)
Common Name: - The complete domain name for which you are creating the certificate. In this case "localhost".
The correct entry is important, because the name chosen here is verified later!

Email Address: - (optional)
A challenge password: - You can ignore this attribute, because we will sign our certificate ourselves.
An optional company name - (optional)

As the next step we remove the passphrase from the private key and save the key in a new file. The resulting localhost.key is unencrypted, so restrict its file permissions to the owner.

openssl rsa -in localhost.pem -out localhost.key

Finally we generate our own certificate. Usually this is done by a CA, but in our case we are our own CA.

openssl x509 -sha512 -in localhost.csr -out localhost.crt -req -signkey localhost.key -days 3650

> If you want to generate one certificate for multiple server names, this can be done with an additional "multidomain.cnf" file, in which the needed information has been placed before. This file can be included:

openssl x509 -sha512 -in localhost.csr -text -extfile multidomain.cnf -out localhost.crt -req -signkey localhost.key -days 3650

With the value -days 3650 the certificate is valid for 10 years. That should be enough.
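
The multi-name variant described above, as an added example that is not code from the original page: it writes an assumed multidomain.cnf (the page does not show its contents) and a minimal openssl.cnf, self-signs as described, and adds two checks to run before pointing Apache at the files. The host names and function names are assumptions, and -nodes replaces the separate passphrase-removal step.

```shell
#!/bin/sh
# Added example; host names, file contents and function names are assumptions.

# make_san_cert DIR BITS HOST [HOST...]
# Creates localhost.key, localhost.csr and localhost.crt in DIR. The first
# HOST becomes the Common Name; every HOST is written to multidomain.cnf as a
# subjectAltName entry (current browsers match names against that extension).
make_san_cert() (
    dir=$1 bits=$2; shift 2
    umask 077                          # new key files: owner access only
    mkdir -p "$dir" && cd "$dir" || exit 1

    san=""
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    printf 'subjectAltName = %s\n' "$san" > multidomain.cnf || exit 1

    # Minimal request config; prompt = no takes the subject from [ dn ].
    cat > openssl.cnf <<EOF || exit 1
[ req ]
default_bits = $bits
distinguished_name = dn
prompt = no
[ dn ]
CN = $1
EOF

    # -nodes writes the key unencrypted in one step (same result as
    # creating localhost.pem and stripping it with "openssl rsa").
    openssl req -config openssl.cnf -new -nodes \
        -out localhost.csr -keyout localhost.key &&
    openssl x509 -sha512 -in localhost.csr -out localhost.crt -req \
        -signkey localhost.key -days 3650 -extfile multidomain.cnf
)

# Print the DNS names stored in a certificate, e.g. DNS:a,DNS:b
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep 'DNS:' | tr -d ' '
}

# Succeed only if private key $1 and certificate $2 share one RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: make_san_cert ./certs 4096 localhost www.example.test
```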