how_to:create_an_ssl_certificate

Differences

This shows you the differences between two versions of the page.

how_to:create_an_ssl_certificate [2026/03/23 10:09] – [Generating a CSR using OpenSSL] paulhow_to:create_an_ssl_certificate [2026/03/23 10:18] (current) – [Using OpenSSL] paul
Line 12: Line 12:
 Once you have generated the CSR you need to send it to a Certificate Authority. This is typically someone like GeoTrust, Sectigo etc. They will charge you (typically somewhere betwee £50 to £400 per year) to sign the certificate, and you will need to prove your identity to the CA by some means. The level of this proof usually depends on the type of certificate. Some will just need you to prove you own that domain (eg by acknowledging that you receive an email to the domain), others will need you to send in copies of documentation. Once you have generated the CSR you need to send it to a Certificate Authority. This is typically someone like GeoTrust, Sectigo etc. They will charge you (typically somewhere betwee £50 to £400 per year) to sign the certificate, and you will need to prove your identity to the CA by some means. The level of this proof usually depends on the type of certificate. Some will just need you to prove you own that domain (eg by acknowledging that you receive an email to the domain), others will need you to send in copies of documentation.
  
-You can also set up as your own CA. The Windows Server Certificate Server can do this for you, or you can use OpenSSL - see below. This is free, but when you access a service using a certificate signed by your own CA, the email client or web browser may warn you that the certificate is not validated properly, and you will need to accept the warning. The data will still be encrypted just as with a £400 Sectigo certificate, but the warning may not be desirable, and the server's identity will not be verified. It can be useful to use this method for testing, and then have a recognised CA sign the certificate when you are ready for wider deployment.+You can also generate self-signed certificates. The Windows Server Certificate Server can do this for you, or you can use OpenSSL - see below. This is free, but when you access a service using a self-signed certificate , the email client or web browser may warn you that the certificate is not validated properly, and you will need to accept the warning. The data will still be encrypted just as with a £400 Sectigo certificate, but the warning may not be desirable, and the server's identity will not be verified. It can be useful to use this method for testing, and then have a recognised CA sign the certificate when you are ready for wider deployment.
  
 Note that the 'Private Key' file MUST NOT require a password to access it. Note that the 'Private Key' file MUST NOT require a password to access it.
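Review bot: The rewritten paragraph leaves its second sentence ("The Windows Server Certificate Server can do this for you") untouched, so it now says that server produces self-signed certificates, where the removed wording had it acting as your own CA. Those are different setups: a certificate signed by your own CA can be validated by any client that has that CA's root certificate installed, while a self-signed certificate has to be accepted or trusted one at a time. Suggest keeping a sentence for each option rather than replacing one with the other, and removing the stray space before the comma in "self-signed certificate ,".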
Line 44: Line 44:
 If you are using Linux, then OpenSSL is usually installed as standard If you are using Linux, then OpenSSL is usually installed as standard
  
-OpenSSL has to be used from a command prompt. The following sections give examples of how to perform common tasks using OpenSSL+OpenSSL has to be used from a command prompt. The following sections give examples of how to perform some common tasks using OpenSSL
  
 ====Generating a CSR using OpenSSL==== ====Generating a CSR using OpenSSL====
  
-Run:+See the 'Using OpenSSL' section above for instructions on installation and usage 
 + 
 +Then run:
   openssl req -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem   openssl req -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem
  
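Review bot: Documentation is missing next to the "Then run:" command: it passes -nodes, so key.pem is written without a passphrase, and nothing in the added lines tells the reader to protect that file or that only csr.pem goes to the CA. Suggest a sentence after the command saying that key.pem stays on the server, readable only by the account that runs the service. The added cross-reference line also ends without a full stop.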
Line 68: Line 70:
 ====Generating a self-signed certificate using OpenSSL==== ====Generating a self-signed certificate using OpenSSL====
  
-openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -sha256 -days 365+See the 'Using OpenSSL' section above for instructions on installation and usage 
 + 
 +Then, run: 
 + 
 +  openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -sha256 -days 365
  
 This will generate a private key and self-signed certificate with an expiry of 365 days This will generate a private key and self-signed certificate with an expiry of 365 days
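Review bot: The newly indented command asks for rsa:4096 while the CSR command in the previous section uses rsa:2048, and neither the added lines nor the sentence after the command explains the difference. Suggest using one key size in both commands or adding a line that says why they differ. The lead-in here is "Then, run:" where the CSR section has "Then run:"; pick one form for both.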
how_to/create_an_ssl_certificate.1774260564.txt.gz · Last modified: by paul