This post shows students and new users the steps to generate or create self-signed SSL / TLS certificates in Ubuntu for use with Nginx or Apache web servers locally. A self-signed SSL certificate is a certificate signed by the creator rather than a trusted third-party certificate authority (CA). Self-signed certificates can have the same level of encryption as SSL certificates signed by a trusted CA.

Self-signed certificates are not considered valid by web browsers. So when you navigate to a host using self-signed certificates with any web browser, you will be prompted with a warning that the certificate cannot be trusted.

Most self-signed certificates are created specifically for internal use or in a development environment. Websites or applications on the public Internet do not use self-signed certificates because they cannot be trusted by major web browsers.

If you are a student or a new user learning Linux, the easiest place to start learning is on Ubuntu Linux. Ubuntu is the modern open source Linux operating system for desktops, servers, and other devices.

To get started creating self-signed certificates on Ubuntu Linux, follow the steps below.

How to create self-signed certificates in Ubuntu Linux

To generate an SSL / TLS certificate in Ubuntu, the OpenSSL toolkit is required. This tool is generally installed on Ubuntu Linux by default. If not, run the following commands to install it on Ubuntu.

sudo apt update
sudo apt install openssl

To create a new self-signed SSL certificate, use the openssl req command. Below is the command to generate an SSL / TLS certificate for the domain.

openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out example.crt -keyout example.key

The details of the command are as follows:

  • -newkey rsa: 2048 – create a new certificate request and a 2048-bit RSA key.
  • -x509 – create an X.509 certificate.
  • -sha256 – use 265-bit SHA (secure hashing algorithm) to create the certificate
  • -days 365 – the number of days for which the certificate is certified. Usually a year or more
  • -nodes – create a key without a passphrase.
  • -out of example.crt – specify the filename to write the newly created certificate
  • -keyout example.key : Specifies the file name to write the private key.

Once you press ENTER, the command will generate a private key and present you with a series of questions to generate the certificate.

Generating a RSA private key
writing new private key to 'example.key'

It will provide these answers similar to the ones shown below. Replace the details with yours that represent the certificate you are generating.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EXAMPLE, Inc.
Organizational Unit Name (eg, section) []:Publishing
Common Name (e.g. server FQDN or YOUR name) []
Email Address []

After that, two files (example.crt and example.key) will be created in the directory where you ran the command. Use these files in your Nginx or Apache configuration to enable HTTPS connections.

You should do that.


In this tutorial we have seen how to create self-signed SSL / TLS certificates in Ubuntu Linux. If you find any errors above or have something to add, use the comment form below.

Write A Comment