Linux : How to generate SSL certificate key pair

By | December 3, 2011

Here are the few steps to generate the private key, certificate signed request, self-signed certificate and how to get rid of the passphrase request when starting you’re application .

Okay, let’s start. Go to the directory you want to store you’re certificate stuff. This example will assume you’re common name (aka : host name) will be “secure.certificate.tld”.

The whole process explained down below is a step-by-step procedure for every stage. There is a single command that can do it all (generate the private key without passphrase and the CSR). You can use the following single step command if this is what you need and you should be good to go requesting the certificate from the Certificate Authority (or your SSL vendor) or jump to the self-generated certificate step further below otherwise.

Generate a private key without passphrase + CSR :

Manual step-by-step procedure :

First, create a private key :

Second, create a certificate signed request (known as CSR) :

Almost done. You may now provide the CSR to your Certificate Authority (CA) issuer to obtain you’re certificate. You may also generate a self-signed certificate if you do not need to purchase one. It is absolutely secure to use a self-signed certificate, but a warning will be displayed to you’re visitors that the certificate is not valid. That’s why it’s not appropriate for online sales.

Now, you may notice that every time you start you’re application (that use you’re certificate) ask for passphrase before starting. You can get rid of the passphrase with the following steps.

Backup the key file before :

Then, remove the passphrase :

For more security, make sure the key file is only readable by root :