Generate Self-signed Cert

If you are unable to get a certificate from your CA, a self-signed certificate may be helpful while performing a POC or working in a non-production environment.

Self-signed certs are not recommended for production use.

The steps below describe how you can generate a self-signed certificate on CentOS 8.x.

Use the steps below to:

  • Install mod_ssl
  • Create the SSL key and certificate files with the openssl command

dnf install mod_ssl

Create a local root CA

openssl genrsa -aes256 -out mylocalCA.key 2048
openssl req -x509 -new -nodes -key mylocalCA.key -sha256 -days 1825 -out mylocalCA.pem

Generate a self-signed cert

openssl genrsa -out 2048
openssl req -new -key -out

Create a config file with the following content

Create a file called

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
DNS.1 =

Execute the following command

openssl x509 -req -in -CA mylocalCA.pem -CAkey mylocalCA.key -CAcreateserial -out -days 825 -sha256 -extfile

The table below explains each of the parameters.

Parameter | Description
openssl | Command line tool for creating and managing OpenSSL certificates, keys, and other files.
req -x509 | Specifies that we want to use X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
-nodes | Tells OpenSSL to skip the option to secure the certificate's key with a passphrase. This is needed because Apache must be able to read this file without user intervention during server startup.
-days | Period of time that the certificate will be considered valid.
-newkey rsa:2048 | Specifies that we want to generate a new certificate and a new key, which is 2048 bits long, at the same time.
-keyout | Location where the key file should be placed.
-out | Location where the certificate should be placed.
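
The procedure above, from local root CA to signed server certificate, as one non-interactive script with a verification step (an added example, not part of the original page). The file names req.cnf and server.*, the CA_PASS environment variable, the CA subject name and the basicConstraints lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Assumed names: req.cnf, server.*, CA_PASS, the CA subject.

make_lab_cert() (   # usage: make_lab_cert <output-dir> <dns-name>
    dir=$1 host=$2
    : "${CA_PASS:?export CA_PASS with the CA key passphrase}"
    export CA_PASS
    umask 077                       # keys readable by the owner only
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Minimal request config so the result does not depend on the system
    # openssl.cnf; the v3_ca section marks the root certificate as a CA.
    cat > req.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Root CA: passphrase-protected key, passphrase taken from the environment.
    openssl genrsa -aes256 -passout env:CA_PASS -out mylocalCA.key 2048 || exit 1
    openssl req -x509 -new -config req.cnf -key mylocalCA.key -passin env:CA_PASS \
        -subj "/CN=My Local Lab CA" -sha256 -days 1825 -out mylocalCA.pem || exit 1

    # Server key (unencrypted so the web server can start unattended) and CSR.
    openssl genrsa -out server.key 2048 || exit 1
    openssl req -new -config req.cnf -key server.key -subj "/CN=$host" \
        -out server.csr || exit 1

    # Extension file: the page's keyUsage/subjectAltName lines plus the
    # [alt_names] section they point to; basicConstraints is an assumption.
    cat > server.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
EOF
    openssl x509 -req -in server.csr -CA mylocalCA.pem -CAkey mylocalCA.key \
        -passin env:CA_PASS -CAcreateserial -out server.crt -days 825 -sha256 \
        -extfile server.ext || exit 1
)

check_lab_cert() (  # succeeds only if the chain verifies and the SAN matches
    cd "$1" || exit 1
    openssl verify -CAfile mylocalCA.pem server.crt >/dev/null || exit 1
    openssl x509 -in server.crt -noout -text | grep -q "DNS:$2"
)
```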