OpenSSL is a powerful toolkit for SSL/TLS cryptography. This guide covers generating self-signed certificates, Certificate Signing Requests (CSRs), and a private Certificate Authority (CA) using OpenSSL on Ubuntu 24.04 LTS.
Tested and valid on:
- Ubuntu 24.04 LTS
Prerequisites
- Ubuntu 24.04 LTS server
- OpenSSL installed (pre-installed on Ubuntu 24.04)
- A user with sudo privileges
Step 1 – Verify OpenSSL Installation
Check the installed version:
openssl version
Step 2 – Generate a Self-Signed Certificate
Create a private key and self-signed certificate in one command. Writing under /etc/ssl requires root, and -nodes leaves the private key unencrypted on disk:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mysite.key -out /etc/ssl/certs/mysite.crt -subj "/C=GB/ST=London/L=London/O=MyOrg/CN=mysite.example.com"
Step 3 – Generate a Private Key
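Generate a 4096-bit RSA key. This writes to the same path as Step 2 and replaces that key, so the Step 2 certificate will no longer match it:
sudo openssl genrsa -out /etc/ssl/private/mysite.key 4096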
Step 4 – Generate a Certificate Signing Request (CSR)
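Create a CSR to submit to a public CA. Reading the key under /etc/ssl/private requires root, and without -subj the command prompts for the subject fields:
sudo openssl req -new -key /etc/ssl/private/mysite.key -out /tmp/mysite.csr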
Step 5 – Create Your Own Certificate Authority
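Generate the CA key and certificate. The /tmp paths are for demonstration only; keep a real CA key in a directory that only root can read: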
openssl genrsa -out /tmp/ca.key 4096
openssl req -x509 -new -nodes -key /tmp/ca.key -sha256 -days 1825 -out /tmp/ca.crt -subj "/CN=MyCA"
Step 6 – Sign a CSR with Your CA
Issue a signed certificate from your CSR:
openssl x509 -req -in /tmp/mysite.csr -CA /tmp/ca.crt -CAkey /tmp/ca.key -CAcreateserial -out /tmp/mysite.crt -days 365 -sha256
Step 7 – Inspect Certificate Details
View certificate information:
openssl x509 -in /tmp/mysite.crt -text -noout | head -30
Verify a certificate against its CA:
openssl verify -CAfile /tmp/ca.crt /tmp/mysite.crt
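The checks from Steps 5 to 7 as one script, an added example that is not part of the original guide: it builds a throwaway CA and certificate in a temporary directory, then confirms the chain, that the private key matches the certificate, and that a subjectAltName is present. DemoCA, demo.example.internal, the file names and the 2048-bit keys are assumptions chosen for the demo.

```shell
#!/usr/bin/env bash
# Added example. DemoCA, demo.example.internal and all file names are constructed.
set -eu

# Build a throwaway CA and a leaf certificate that carries a subjectAltName.
build_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/CN=DemoCA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$d/site.key" -out "$d/site.csr" \
        -subj "/CN=demo.example.internal" 2>/dev/null
    # x509 -req does not copy CSR extensions by default, so supply the SAN here.
    printf 'subjectAltName=DNS:demo.example.internal\n' > "$d/san.ext"
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/san.ext" -days 30 -sha256 \
        -out "$d/site.crt" 2>/dev/null
}

# Succeeds only if the certificate's public key was derived from this private key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Succeeds only if the certificate lists the given DNS name in its SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# Succeeds only if the certificate chains to the given CA.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_demo_pki "$work"
chain_ok "$work/ca.crt" "$work/site.crt" && echo "chain: OK"
key_matches_cert "$work/site.key" "$work/site.crt" && echo "key/cert: match"
cert_has_san "$work/site.crt" demo.example.internal && echo "SAN: present"
key_matches_cert "$work/ca.key" "$work/site.crt" || echo "wrong key: rejected"
```

key_matches_cert is the check to run before pointing a web server at a key and certificate pair, since a mismatched pair stops the service from starting.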
Conclusion
You can now generate and manage SSL certificates with OpenSSL on Ubuntu 24.04 LTS. For public websites, use Let’s Encrypt (Certbot) for free, automatically renewed certificates. Use self-signed or internal CA certificates for internal services.