Skip to content


This page has been updated a long time ago. Information found here could be outdated and may lead to missconfiguration.
Some of the links and references may be broken or lead to non existing pages.
Please use this docs carefully. Most of the information here now is only for reference or example!

Create Self Singet Certificate

Easyest Way

You can create Self Signed Certificate for you web server with just one command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt



With CSR (Certificate Signing Request) - DES3

Honestly there is no real difference between this and the previous method, if you use a self signed certificate. But if you create CSR you can send it to Certifying Authority (CA) to be signed. And this method is useful when you want to use the same key with different certs.

  • Generate Private Key
    openssl genrsa -des3 -out example.key 2048
    I recommend that create at lease 2048 bit key.
    openssl genrsa -des3 -out example.key 1024
    Generating RSA private key, 1024 bit long modulus
    e is 65537 (0x10001)
    Enter pass phrase for example.key:
    Verifying - Enter pass phrase for example.key:
  • Generate a CSR
    openssl req -new -key example.key -out example.csr Output:

    openssl req -new -key example.key -out example.csr
    Enter pass phrase for example.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:HU
    State or Province Name (full name) [Some-State]:SomeState
    Locality Name (eg, city) []:City
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:SomeState's Company
    Organizational Unit Name (eg, section) []:Technology
    Common Name (e.g. server FQDN or YOUR name) []
    Email Address []
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:12345678
    An optional company name []:
    At this point you can send your CSR file to a CA, if you need a "real", trusted cert.

  • Remove Passphrase from Key
    If you skip these steps apache will ask for the passphrase at each startup. cp example.key
    openssl rsa -in -out example.key

  • Generating Self-Signed Certificate
    openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt

Now you have some new files:

ls -lrt
total 12
-rw-r--r-- 1 janos.vincze bio 761 Aug 15 12:53 example.csr
-rw-r--r-- 1 janos.vincze bio 963 Aug 15 12:59
-rw-r--r-- 1 janos.vincze bio 887 Aug 15 12:59 example.key
-rw-r--r-- 1 janos.vincze bio 1001 Aug 15 13:03 example.crt
But you only need the .key and .crt file to configure apache.

With root key CA

I don't know if there is anybody who wants to use a root CA key on its own webpage(s). I can imagine one scenario when it can be useful. Inside an organization you can create a root CA key and sign all your certificate with it, then import the CA to all clients. For example, you have many web servers inside your intranet and sign all its certificate with your own CA. Clients inside your network can use these webpages as "trusted" provider if the root CA pub key is imported to the browser or to the system. I will show you how to install root CA cert into Firefox and Internet Explorer, but first we need to follow these steps to create the necessary files.

  • Generate ROOT CA
    openssl genrsa -des3 -out rootCA.key 2048
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -config rootCA.conf
    As you can see we are using a configuration file: rootCA.conf So you first need to create something like this:
    distinguished_name = req_distinguished_name
    countryName = HU
    countryName_default = HU
    stateOrProvinceName = Budapest
    stateOrProvinceName_default = Budapest
    localityName = Budapest
    localityName_default = Budapest
    organizationalUnitName  = Technology
    organizationalUnitName_default  = Technology
    commonName = VinczeJanosRootCA
    commonName_default = VinczeJanosRootCA
    organizationName = Some Ltd
    organizationName_default = Some Ltd.
    commonName_max  = 64
  • Generate web server key(s)
    openssl genrsa -out server1.key 2048
    You should generate one key per sites.
  • Generate CSR for the key
    This step is very similar to the previously mentioned.
  • Generate the CSR:
    openssl req -sha256 -new -out server1.csr -key server1.key -config config.cnf
  • Backup the original server key:
    cp server1.key
  • Remove the Passphrase
    openssl rsa -in -out server1.key
    You will use this key on the server.
    NOTE: You can see another config file: config.cnf This is necessary for the server key/crt. And please note that you can use alt.names in the configuration files. This is very useful if you have multiple domain names for one server or virtualhost. For example, you have two domain name: and And these names are associated to one apache virtualhost: -> ServerName and -> ServerAlias.
    Example Config File:

    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    countryName = HU
    countryName_default = HU
    stateOrProvinceName = Budapest
    stateOrProvinceName_default = Budapest
    localityName = Budapest
    localityName_default = Budapest
    organizationalUnitName  = Technology
    organizationalUnitName_default  = Technology
    commonName =
    commonName_default =
    organizationName = Company Ltd.
    organizationName_default = Company Ltd.
    commonName_max  = 64
    [ v3_req ]
    # Extensions to add to a certificate request
    subjectAltName = @alt_names
    DNS.1 =
    DNS.2 =

  • Sign your csr with the root CA key
    openssl x509 -req -in server1.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server1.crt -days 3650 -extensions v3_req -extfile config.cnf
    This command will create the server1.crt which is to be used on Apache webserver.

Ok now we have the .key and .crt files. Check the cert: openssl x509 -in server1.crt -text -noout


        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=HU, ST=Budapest, L=Budapest, OU=Technology, CN=VinczeJanosRootCA, O=Some Ltd.
            Not Before: Aug 16 09:59:59 2016 GMT
            Not After : Aug 14 09:59:59 2026 GMT
        Subject: C=HU, ST=Budapest, L=Budapest, OU=Technology,, O=Company Ltd.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
    Signature Algorithm: sha256WithRSAEncryption

Minimal Apache (1.4) configuration

Now we can create an apache self signed certificate with 3 different methods, but as result we have to have one .crt and one .key file. This VirtualHost example redirects all http request to https, and works as a transparent proxy:

<VirtualHost *:80>
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

<VirtualHost *:443>
  ServerAdmin webmaster@localhost
  SSLProxyEngine on
  SSLProxyCheckPeerCN off
  SSLProxyVerify none
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off
  SSLProxyProtocol all

  DocumentRoot /var/www/html

  SSLEngine on

  SSLCertificateFile    /etc/apache2/cert/pve.crt
  SSLCertificateKeyFile /etc/apache2/cert/pve.key
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews Indexes
                AllowOverride all
                Order allow,deny
                allow from all

        ErrorLog ${APACHE_LOG_DIR}/pve-error.log
        CustomLog ${APACHE_LOG_DIR}/pve-access.log combined

        ProxyRequests off
        ProxyPreserveHost on

        ProxyPass /
        ProxyPassReverse /


Import you root CA key to Firefox

If you don't want to get a "self Signed certificate" warning in FF you can import you root ca public key to Firefox with a few easy steps.

  • Go to about:preferences, Advanced, Certificate. And Click View Certificates.
  • In the pop-up window Choose Authories and click "import"
  • Import your rootCA.pem file.

Next time you visit your website FF will trust its certificate.

Last update: October 29, 2021