A digital certificate binds a public key to the identity of its holder (a person, an organization or a server such as a website) and is signed by a Certificate Authority (CA) that vouches for that binding. Certificates follow the X.509 standard so that browsers and other software can process a certificate from any issuer in the same way; the CAs, the certificate holders and the rules that govern them together form a Public Key Infrastructure (PKI).
Like a handwritten signature, a certificate is specific to one holder, because it carries that holder's public key. PKI does not generate keys for you: the holder generates the keypair itself. The private key stays secret and is used to sign; the public key goes into the certificate so that anyone can verify those signatures.
To sign a document, the signer computes a hash of the document and signs that hash with the private key (for RSA this is the "encrypt with the private key" operation that older descriptions refer to). The signature, the signer's certificate and details such as the time and date of signing are attached to the document; the document itself is not encrypted.
When another user visits the website and receives its certificate, the browser verifies the CA's signature on the certificate with the CA's public key, and then uses the public key inside the certificate to verify what the site signed. If either check fails, the certificate or the data has been tampered with and the browser treats the page as unsafe. A signature that verifies only proves that nothing changed after signing; whether the signer should be trusted depends on whether the issuing CA is in the browser's trust store.
Browsers only accept certificates that chain to a CA already in their trust store, so for a public website the certificate must come from a CA the browser vendors recognize. Nothing stops you from running your own CA (or signing a certificate with its own key) and importing that CA certificate into your own browser. Such certificates are rejected on every other computer until its trust store has been given the same CA, because a browser there has no reason to trust it.
1. Become a Certificate Authority (CA)
Note: openssl ca keeps its database in the directory named in openssl.cnf (demoCA in the config shipped with OpenSSL). Before signing anything, create an empty index.txt there, a serial file containing a starting serial number such as 1000, and a newcerts directory; the signing step in part 2 fails without them.
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
You will be prompted for the CA's subject fields (country, organization, common name and so on) and for a passphrase that encrypts the CA's private key. Do not lose the passphrase: it is required every time the CA signs a certificate. Note that openssl req -x509 issues a certificate valid for only 30 days unless you add -days (for example -days 3650) to the command above.
The CA's private key is written to ca.key and its self-signed certificate to ca.crt.
2. Sign a Certificate
Generate a private/public key pair
The company first creates its own public/private keypair. The following command generates an RSA keypair; you will be asked for a passphrase that encrypts the private key. Use at least 2048 bits: 1024-bit RSA is considered too weak today and current browsers and public CAs reject it. The key is stored in server.key:
openssl genrsa -aes128 -out server.key 2048
server.key is a PEM file: the encrypted key, base64-encoded between BEGIN and END markers. To print the decoded key components (modulus, exponents and primes) instead, run the following and enter the passphrase when asked:
openssl rsa -in server.key -text -noout
Generate a Certificate Signing Request (CSR)
Once the website has its key file, it generates a CSR that contains the company's public key and its identity (the subject fields) and is signed with the private key to prove possession of it. The CA then issues a certificate for that key. To generate a CSR, type:
openssl req -new -key server.key -out server.csr -config openssl.cnf
Generate Certificates
Normally the CA processes the CSR; because we are the CA here, we sign it ourselves by typing:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Note: with the default policy in openssl.cnf (policy_match), openssl ca rejects a request whose country, state and organization fields do not match those of the CA certificate. Either enter the same values when creating the CSR or switch the policy to policy_anything.
You now have a certificate issued by your own CA without paying anyone. Strictly speaking only ca.crt is self-signed; server.crt is signed by that CA.
The catch is that a browser accepts server.crt only after ca.crt has been added to its list of trusted CAs, and that has to be repeated on every computer that should trust your certificates.
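The whole procedure above, plus the verification step described in the introduction, as one added example that is not part of the original article. It runs the same genrsa / req / ca commands non-interactively with a minimal openssl.cnf written on the fly, then checks the issued certificate the way a browser would (signature chains to ca.crt), shows that a one-character change to the certificate breaks that check, and shows policy_match refusing a CSR whose O field differs from the CA's. The working directory, subject names and passphrases are constructed for the demo; it assumes openssl 1.1 or 3.x is on PATH.

```sh
#!/bin/sh
# Added example (not from the original article): build a throwaway private CA,
# issue a server certificate with it and verify the result, non-interactively.
# Assumes `openssl` (1.1 or 3.x) is on PATH; every path, subject and passphrase
# below is constructed for the demo.
set -eu
CA_PASS="ca-demo-pass"        # constructed; encrypts ca.key
SRV_PASS="server-demo-pass"   # constructed; encrypts server.key
SUBJ_BASE="/C=US/ST=California/O=Demo Org"

# `openssl ca` keeps a database: an empty index.txt, a serial counter and a
# directory for copies of issued certificates. Create them and a minimal config;
# its policy_match section is what makes OpenSSL refuse a CSR whose C/ST/O
# differ from the CA's own subject.
make_ca_layout() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
serial        = $dir/serial
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.com
EOF
}

# Step 1: the CA's keypair and its self-signed root certificate.
make_ca() {
    dir="$1"
    openssl genrsa -aes128 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -passin "pass:$CA_PASS" \
        -subj "$SUBJ_BASE/CN=Demo Root CA" -days 3650 -extensions v3_ca \
        -config "$dir/openssl.cnf" -out "$dir/ca.crt"
}

# Step 2: the server's keypair, a CSR carrying its public key and subject, and
# issuance by the CA. Returns the exit status of `openssl ca`, so a policy
# rejection is reported to the caller instead of aborting the script.
issue_server_cert() {
    dir="$1"; subj="$2"; name="$3"
    openssl genrsa -aes128 -passout "pass:$SRV_PASS" -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -passin "pass:$SRV_PASS" \
        -subj "$subj" -config "$dir/openssl.cnf" -out "$dir/$name.csr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -passin "pass:$CA_PASS" \
        -cert "$dir/ca.crt" -keyfile "$dir/ca.key" -extensions v3_server \
        -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
}

# What a browser does with the certificate: check that the signature on it
# verifies with the public key of a CA in its trust store (here, ca.crt alone).
verify_against_ca() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Flip one base64 character inside the PEM body: any change to the signed
# bytes (or to the signature itself) makes verification fail.
tamper_copy() {
    awk 'NR == 5 { c = substr($0, 1, 1); $0 = (c == "A" ? "B" : "A") substr($0, 2) } { print }' \
        "$1" > "$2"
}

demo() {
    work="$(mktemp -d)"
    make_ca_layout "$work"
    make_ca "$work"
    issue_server_cert "$work" "$SUBJ_BASE/CN=www.example.com" server
    verify_against_ca "$work" "$work/server.crt" && echo "server.crt: verifies against ca.crt"
    tamper_copy "$work/server.crt" "$work/server-tampered.crt"
    verify_against_ca "$work" "$work/server-tampered.crt" || echo "tampered copy: rejected"
    # Same CA, but the CSR's O does not match: policy_match makes `openssl ca` refuse it.
    issue_server_cert "$work" "/C=US/ST=California/O=Other Org/CN=www.example.com" other \
        || echo "CSR with mismatched O: rejected"
    rm -rf "$work"
}

# Run the whole flow when executed directly (skipped if openssl is absent).
command -v openssl >/dev/null 2>&1 && demo
```

The -batch and -passin options only replace the interactive prompts the article describes; the commands are otherwise the ones shown above. Issued certificates are also copied to newcerts/<serial>.pem, which is how openssl ca keeps a record of what the CA has signed.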