There are no notfications.

This article was last reviewed for Debian 9 (Stretch).

Generating a self-signed public key certificate (Debian)

Generating a self-signed public key certificate (Debian)
Author: Stefán Örvar Sigmundsson
Initial publication:
Last updated:
Written in: English (United Kingdom)

A public key certificate is an electronic document used to prove ownership of a public key. Public-key cryptography (or asymmetric cryptography) is the main technique used to secure communication over the Internet. The primary protocols implementing such communication are Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). The certificates are therefore commonly referred to as TLS/SSL certificates. This article will demonstrate how to generate a self-signed public key certificate on Debian or its derivatives such as Ubuntu and Linux Mint.


Self-signed public key certificates are intended for development and testing exclusively and not for production as they do not provide real assurance of the ownership of the public key. Client-side software such as web browsers will advise their users not to trust servers unless their public key certificates have been issued and certified by certificate authorities. Self-signed certificates do however enable the use of encryption and are therefore secure for communication.

Issuer Secure
HTTP 80 None Nobody No No
HTTPS 443 TLS/SSL Self-signed Yes No
Certificate authority Yes Yes


The steps to generate a self-signed public key certificate are simple and short:

  1. A private key is generated.
  2. A certificate signing request is generated using the private key.
  3. A public key certificate is generated using the private key and certificate signing request.


A directory is created for organisational purposes to contain the generated files. The directory will be located in /etc/ssl/ according to convention. The directory will be named after the domain name to which its contents relate (in this case

root@computer:~# cd /etc/ssl/
root@computer:/etc/ssl# mkdir
root@computer:/etc/ssl# cd

Private key

The private key (certificate.key) is generated with a sufficiently long modulus (4,096 bits):

root@computer:/etc/ssl/ openssl genrsa -out certificate.key 4096
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)

Certificate signing request

The certificate signing request (certificate.csr) takes 5 required attributes (country name, state or province name, locality name, organization name, common name) and 2 optional attributes (organizational unit name, email address). The extra attributes at the end are entirely unnecessary when certificates are self-signed. Do not use non-ASCII characters for any of the attributes as they will not be displayed correctly:

root@computer:/etc/ssl/ openssl req -new -key certificate.key -out certificate.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IS
State or Province Name (full name) [Some-State]:Capital Region
Locality Name (eg, city) []:Reykjavik
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Organisation
Organizational Unit Name (eg, section) []:Information Technology Department
Common Name (e.g. server FQDN or YOUR name) []:*
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note that the common name attribute was set to * This is a wildcard character and will make the public key certificate a wildcard certificate. It means that the certificate will apply to and all possible subdomains. Wildcard certificates eliminate the need to generate individual certificates for each subdomain with the associated financial cost.

Public key certificate

The public key certificate (certificate.crt) is generated using the certificate signing request (certificate.csr) and the private key (certificate.key):

root@computer:/etc/ssl/ openssl x509 -req -days 365 -in certificate.csr -signkey certificate.key -out certificate.crt
Signature ok
subject=C = IS, ST = Capital Region, L = Reykjavik, O = Example Organisation, OU = Information Technology Department, CN = *, emailAddress =
Getting Private key

After the generation some information about the public key certificate is outputed by the program.


The private key file must be inaccessible to all but the root user as the security of any encrypted communication would be completely compromised should a third party gain access to it:

root@computer:/etc/ssl/ chmod --recursive 770 .

External links