How to create Self-signed Certificate with Self-signed RootCA

There is some situations that we need to use a self-signed certificate and sign it with our self RootCA.

for example when you have an internal service that does not offer public access and just needs a certificate to operate securely.

So here we need to know how to Create Self-signed Certificate with Self-signed RootCA.

Here is our environment:

OS: CentOS 7 Linux on VMware
Firewall: firewalld
SElinux: permissive
IP Address:

1- Create Root Key

Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!

# openssl genrsa -des3 -out RootCA.key 4096

Note: If you want a non password protected key just remove the -des3 option Create and self sign the Root Certificate

# openssl req -x509 -new -nodes -key RootCA.key -sha256 -days 1024 -out RootCA.crt

Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.

2- Create certificate

This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA Create the certificate key

# openssl genrsa -out 2048

3- Create the signing (csr)

The certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case since you create it earlier) to generate the certificate.

Important: Please keep in mind that while creating the signing request is important to specify the Common Name providing the IP address or domain name for the service, otherwise the certificate cannot be verified.

I will describe here two ways to generate:

Method A (Interactive)

If you generate the csr in this way, openssl will ask you questions about the certificate to generate like the organization details and the Common Name (CN) that is the web address you are creating the certificate for, e.g

# openssl req -new -key -out

Method B (One Liner)

This method generates the same output as Method A but it’s suitable for use in your automation 🙂 .

# openssl req -new -sha256 -key -subj “/C=US/ST=CA/O=MyOrg, Inc./” -out

If you need to pass additional config you can use the -config parameter, here for example I want to add alternative names to my certificate.

# openssl req -new -sha256 \
-key \
-subj “/C=US/ST=CA/O=MyOrg, Inc./” \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf “\n[SAN]\,”)) \

4- Verify the csr’s content

# openssl req -in -noout -text

5- Generate Self-signed certificate

Generate the certificate using the mydomain csr and key along with the CA Root key

# openssl x509 -req -in -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out -days 500 -sha256

6- Verify the certificate’s content

# openssl x509 -in -text -noout