Create a Self-Signed Certificate on Debian and Ubuntu
Updated by Nick Brewer
This guide details the process for creating a self-signed SSL certificate on Debian or Ubuntu. Self-signed certificates are suitable for personal use or for applications used internally within an organization.
If you intend to use your SSL certificate on a website powered by Apache, continue to our SSL Certificates with Apache on Debian & Ubuntu guide once you’ve completed the process outlined here.
For an SSL setup with Nginx, please start with our Nginx and SSL guide.
Note: The steps in this guide require root privileges. Be sure to run the steps below as root or with the sudo prefix. For more information on privileges see our Users and Groups guide.
Before You Begin
Ensure that your packages are up to date by running:
apt-get update && apt-get upgrade
Create a Self-Signed Certificate
Issue the following command to generate your self-signed certificate. Change example.com to reflect the fully qualified domain name (FQDN) of the site you intend to use with SSL:
openssl req -new -x509 -sha256 -days 365 -nodes -out /etc/ssl/certs/example.com.crt -keyout /etc/ssl/private/example.com.key
This command creates a .crt file under the /etc/ssl/certs directory, and a .key file under /etc/ssl/private using these options:
- -nodes instructs OpenSSL to leave the private key unencrypted, so the certificate does not require a passphrase. If this option is excluded, you will be required to enter the passphrase in the console each time the application using it is restarted.
- -days determines the length of time in days that the certificate is being issued for. For a self-signed certificate, this value can be increased as necessary.
- -sha256 ensures that the certificate request is generated using 256-bit SHA (Secure Hash Algorithm).
- -x509 tells OpenSSL to create a self-signed certificate.
You will be prompted to add identifying information for your website or organization. After the command completes, you will have a new .crt certificate file under /etc/ssl/certs, and a private .key file under
Restrict the permissions on the private key and certificate files so that each is readable only by its owner:
chmod 400 /etc/ssl/certs/example.com.crt
chmod 400 /etc/ssl/private/example.com.key
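To confirm the result of the steps above, the following added example (not part of the original guide) builds a throwaway pair in a temporary directory with the same OpenSSL options and checks that the key matches the certificate, that the certificate is self-signed with SHA-256 and unexpired, and that the key is mode 400. The function names, the -subj value and the temporary paths are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: sanity-check a self-signed pair.

# Create a throwaway pair in directory $1 for FQDN $2 with the guide's options.
# -subj answers the identifying-information prompts (constructed sample value).
make_pair() {
  openssl req -new -x509 -sha256 -days 365 -nodes -subj "/CN=$2" \
    -out "$1/$2.crt" -keyout "$1/$2.key" 2>/dev/null &&
    chmod 400 "$1/$2.crt" "$1/$2.key"
}

# check_pair CERT KEY: print one line per failed check; return 0 only if all pass.
check_pair() {
  local crt=$1 key=$2 rc=0 cert_pub key_pub subject issuer
  # 1. The certificate must carry the public half of this private key.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: key does not match certificate"; rc=1; }
  # 2. Self-signed means issuer and subject are the same name.
  subject=$(openssl x509 -in "$crt" -noout -subject)
  issuer=$(openssl x509 -in "$crt" -noout -issuer)
  [ "${subject#subject=}" = "${issuer#issuer=}" ] ||
    { echo "FAIL: not self-signed"; rc=1; }
  # 3. Signed with SHA-256 (-sha256) and still inside its -days window.
  openssl x509 -in "$crt" -noout -text | grep -m1 'Signature Algorithm' |
    grep -qi sha256 || { echo "FAIL: signature is not SHA-256"; rc=1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: certificate expired"; rc=1; }
  # 4. Key file is owner-read-only (chmod 400); GNU stat as on Debian/Ubuntu.
  [ "$(stat -c %a "$key")" = "400" ] ||
    { echo "FAIL: key mode is not 400"; rc=1; }
  return "$rc"
}

# Demonstration on a constructed pair in a temporary directory.
demo() {
  local dir rc
  dir=$(mktemp -d) || return 1
  make_pair "$dir" example.com &&
    check_pair "$dir/example.com.crt" "$dir/example.com.key" &&
    echo "OK: example.com pair passes all checks"
  rc=$?
  rm -rf "$dir"
  return "$rc"
}
demo
```

To check the files produced by the guide's command instead, call check_pair with /etc/ssl/certs/example.com.crt and /etc/ssl/private/example.com.key as root.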
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
- Obtain a Commercially Signed SSL Certificate on Debian & Ubuntu
- Create a Self-Signed Certificate on CentOS and Fedora
- Use One-Time Passwords for Two-Factor Authentication with SSH on Ubuntu 16.04 and Debian 8
- Obtain a Commercially Signed SSL Certificate on CentOS and Fedora
- How to Configure a Firewall with UFW
This guide is published under a CC BY-ND 4.0 license.