How to create a self-signed TLS certificate

TLS Certificate - Overview

Transport Layer Security, or in short TLS, is a common security protocol designed to increase privacy and data security for communications over the Internet. TLS uses a digital certificate to validate the public encryption key provided by a device on the internet with its private counterpart. A digital certificate, also known as a public-key certificate, is an electronic document to prove a public cryptographic key’s ownership. Each certificate contains information about the key, identity information of the owner (the subject of the certificate), and a digital signature of an entity that has verified the certificate (the certificate issuer). TLS is based on the older protocol standard named Secure Sockets Layer (SSL), and both terms are sometimes used interchangeably.

The primary use case of TLS is to secure the communication between the clients of different web applications and their servers, such as a web browser loading a website over an encrypted connection. Its usage is not limited to websites’ use, but can also be used to encrypt other forms of communications such as e-mails, messaging solutions, and voice-over-IP (VoIP) applications.

TLS certificates can be generated on any computer, which will be the issuer of the certificate. However, in a traditional public-key infrastructure (PKI) scheme, the certificate issuer is an accredited certificate authority (CA). The CA’s root certificates are included in most modern web browsers, allowing for trusting certificates issued by these companies by default. A self-signed certificate will show a security warning in the web browser by default, requesting the user to check and validate the certificate manually. Recently TLS has become widespread on the Internet, as certificate authorities like Let’s Encrypt are providing domain validated TLS certificates for free. However, there are still some cases where a self-signed TLS certificate can be useful if you do not own a domain name.

In this tutorial, you will learn:

How to create a self-signed TLS certificate?

A self-signed certificate can be issued easily on any computer using the openssl tool.

1 . Run the following command to generate a private key file and a CSR file:

openssl req -new -newkey rsa:4096 -nodes -keyout private_key.txt -out csr.txt -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/"

The following subcommands are used with the openssl base command:

  • req - This subcommand specifies to use the X.509 certificate signing request (CSR) management.
  • newkey rsa:4096 - This subcommand specifies to create a new key and certificate at the same time using a 4096 bit long RSA key.
  • nodes - This option tells OpenSSL to skip the securisation of the certificate using a passphrase.
  • keyout - This subcommand defines the location and file name of the private key file
  • out - This specifies the path and file name of the generated certificate request.
  • sub- The subject for the certficate. Modify the values of these subcommand to your requirements. The CN (common name) represents the domain name you are iissuing the certificate for.

3 . 3 . Generate a file containing all Subject Alternative Names (SAN) for the certificate. These include websites, IP addresses, common names, etc. They are protected by a single SSL Certificate. Create a new file called alt_names.txt and open it in a text editor of your choice. Then edit the file as follows, save it and exit the text editor:,

Make sure to add all domain names and IP addresses that should be protected by the certificate.

4 . Generate the self-signed certficate using the openssl tool:

openssl x509 -req -extfile alt_names.txt -sha256 -days 365 -in csr.txt -signkey private_key.txt  -out certificate.txt

5 . Check using the ls command that you have the follwoing files in your folder:

  • csr.txt - The certficate request
  • private_key.txt - The private key for the certificate
  • certificate.txt - the public key for the certificate

Using a self-signed certificate with a managed Load Balancer

The managed Load Balancer service offers the possibility to use either an auto-generated Let’s Encrypt TLS certificate, your self-generated certificate, or a TLS certificate issued by any other certificate authority.

In this example, we use the previously generated certificate and configure our managed Load Balancer with it. This procedure also works if you purchased a certificate from a certificate authority and got the private and public key with it.

1 . Connect yourself to the Scaleway console and click on Load Balancer in the network section of the side-menu.

2 . Select your Load Balancer you want to configure from the list:

3 . On the Load Balancer overview page, click on SSL Certificates, then Create a SSL certificate:

4 . Enter a name for the new certificate and select Import a Certificate as certificate type.

5 . Get the contents from the private_key.txt and certificate.txt file and copy them into the clipboard:

cat private_key.txt && cat certificate.txt

6 . Paste the complete content of these two files into the form and click Create SSL Certificate:

7 . The new TLS certificate displays in the list of available certificates, and you can use it with your Load Balancer:

For more information about the managed Load Balancer service, refer to the dedicated product documentation.

Discover the Cloud That Makes Sense