Create a self-signed certificate with your own root CA

Published at 09 Oct 2024

Almost every project nowadays uses TLS certificates (still commonly called SSL certificates).

Let's Encrypt is the easiest way to obtain a free certificate for a public host, but it cannot issue certificates for names it cannot validate, such as localhost, a private hostname or an internal IP address. For local use your only remaining option is generating your own certificate.

A self-signed certificate can be used directly, but browsers and other TLS clients will flag it as untrusted, because nothing in their trust store vouches for it.

If you want to use your own certificates without those warnings, create your own root CA first, sign your server certificates with it, and then install the CA certificate in the trust store of every device that has to accept them.

Create a root CA

You can create your own root CA and trust it on every device you need.

openssl genrsa -out rootCA.key 2048

openssl req -x509 -new -nodes \
    -key rootCA.key -days 1024 \
    -out rootCA.pem

With these two commands you get the root CA's private key (rootCA.key) and its self-signed certificate (rootCA.pem), which carries the public key. OpenSSL prompts for the subject fields; only the Common Name matters here, so give the CA a name you will recognise in a certificate viewer later. Guard rootCA.key: -nodes writes it unencrypted, and anyone who obtains it can issue certificates that every device trusting this CA will accept. With these two files you can issue as many certificates as you need.

Create a new certificate using your root CA

Once you have your own root CA, you can start creating your certificates.

First you create the private key, then a certificate signing request (CSR) with that key. OpenSSL prompts for the subject again; set the Common Name to the hostname you are going to serve.

openssl genrsa -out certificate.key 2048

openssl req -new \
    -key certificate.key \
    -out certificate.req

Usually this request is sent to a CA in order to obtain a certificate. In your case you don't have to send the file to anyone, because you own the CA.

So you can create the certificate yourself.

openssl x509 -req \
    -in certificate.req \
    -CA rootCA.pem \
    -CAkey rootCA.key \
    -CAcreateserial \
    -out certificate.pem \
    -days 500

After this, you can start using the certificate in your project. One caveat: signed this way the certificate has no Subject Alternative Name, and browsers match the hostname against the SAN, not the Common Name (Chrome has ignored the CN since version 58), so they will still reject it for the hostname. Pass the SAN and the key-usage extensions at signing time with -extfile, since openssl x509 -req does not copy extensions from the CSR. The -CAcreateserial flag creates the rootCA.srl serial file on the first signature; older OpenSSL versions fail without it.
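The whole procedure above, as an added example that is not part of the original post: it creates the root CA, issues a leaf certificate that actually carries a subjectAltName, and checks the chain the way a TLS client would. It assumes OpenSSL 1.1.1 or 3.x on PATH; the scratch directory and the hostname dev.example.test are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example, not the article's own commands. Builds a root CA, issues a
# leaf certificate that carries a subjectAltName, and verifies the chain the
# way a TLS client would. Assumes OpenSSL 1.1.1 or 3.x on PATH; the
# directory and hostname used in the demo are made up.
set -eu

# Step 1: the root CA. Its extensions are written into our own config so the
# result does not depend on whatever openssl.cnf the distribution ships.
make_root_ca() {
    local dir name
    dir="$1"; name="${2:-Local Dev Root CA}"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    chmod 600 "$dir/rootCA.key"   # whoever holds this key can mint certificates your devices trust
    openssl req -x509 -new -sha256 -days 1024 -config "$dir/ca.cnf" \
        -key "$dir/rootCA.key" -out "$dir/rootCA.pem" 2>/dev/null
}

# Step 2: a leaf certificate for one hostname. The CSR only carries the key and
# a CN; the SAN and key-usage bits are applied at signing time through -extfile,
# because "openssl x509 -req" does not copy extensions out of the CSR. Browsers
# match the hostname against the SAN, not the CN, so this is the part that
# makes the certificate usable.
make_leaf_cert() {
    local dir host
    dir="$1"; host="$2"
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$host" > "$dir/$host.cnf"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -config "$dir/$host.cnf" -key "$dir/$host.key" \
        -out "$dir/$host.csr" 2>/dev/null
    cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, DNS:localhost, IP:127.0.0.1
EOF
    openssl x509 -req -in "$dir/$host.csr" \
        -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -sha256 -days 500 -extfile "$dir/$host.ext" -out "$dir/$host.pem" 2>/dev/null
}

# Step 3: check the result the way a client would: the chain must end at our
# root, the certificate must be valid for a TLS server, and the hostname must
# appear in the SAN. Returns 0 on success, 1 otherwise.
verify_cert() {
    local dir host
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/rootCA.pem" -purpose sslserver \
        "$dir/$host.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$host.pem" -noout -text | grep -q "DNS:$host" || return 1
}

# Demo run: everything lands in a scratch directory; nothing touches the
# system trust store.
work=$(mktemp -d)
make_root_ca "$work" "Local Dev Root CA"
make_leaf_cert "$work" dev.example.test
if verify_cert "$work" dev.example.test; then
    echo "OK: $work/dev.example.test.pem chains to $work/rootCA.pem"
else
    echo "FAIL: certificate does not verify" >&2
    exit 1
fi
```

Point your server at dev.example.test.key and dev.example.test.pem, add a hosts entry for the name, and install rootCA.pem (never rootCA.key) on the client as described in the next section. Re-run make_leaf_cert for every additional hostname; the root CA is created once.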

Trust your own root CA

For browsers and other TLS clients to accept the certificates your root CA issues, you must add the CA certificate (rootCA.pem, never rootCA.key) to their trust stores.

On a Windows device, copy rootCA.pem to rootCA.crt; the extension lets Windows recognise it as a certificate file, so you can double-click it or use the Certificate Manager (certmgr.msc) to import it. Import it into the Trusted Root Certification Authorities store specifically: placing it under Personal or Intermediate Certification Authorities does nothing for trust.

Also, if you're a Firefox user, you should add it to the Firefox certificate store as well, because Firefox keeps its own collection instead of using the operating system's (Settings > Privacy & Security > Certificates > View Certificates > Authorities > Import). Alternatively, set security.enterprise_roots.enabled to true in about:config so Firefox reads the system store.

On Debian and Ubuntu, copy rootCA.pem into /usr/local/share/ca-certificates/ with a .crt extension and rebuild the CA bundle. The extension matters: update-ca-certificates only picks up files ending in .crt, so copying the file as rootCA.pem silently does nothing. On Fedora and RHEL the directory is /etc/pki/ca-trust/source/anchors/ and the command is update-ca-trust. Both need root.

sudo cp rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
sudo update-ca-certificates --fresh

This updates the system bundle used by curl, wget and most programs linked against OpenSSL or GnuTLS. Programs that ship their own bundle still won't trust the CA: Node.js needs NODE_EXTRA_CA_CERTS pointed at rootCA.pem, and Python code that relies on the certifi package ignores the system store unless told otherwise.