How to generate a self-signed certificate with OpenSSL
======================================================

A self-signed certificate lets you serve HTTPS for local development or internal services without going through a certificate authority. Here is how to create one with openssl.

 Published by [Mark van Eijk](https://rocketeersapp.com/author/mark-van-eijk) on June 23, 2026 · 1 minute read

When to use a self-signed certificate
-------------------------------------

A self-signed certificate is signed by its own key rather than a trusted CA. That's perfect for **local development, testing, and internal services** where you control the clients. It is **not** suitable for a public website — browsers don't trust it and will show [your connection is not private](/your-connection-is-not-private) to every visitor.

Generate a certificate and key in one command
---------------------------------------------

This creates a private key and a self-signed certificate valid for one year:

```
openssl req -x509 -newkey rsa:2048 -nodes \
  -keyout key.pem -out cert.pem -days 365 \
  -subj "/CN=localhost"
```

- `cert.pem` — the certificate.
- `key.pem` — the private key.

`-nodes` keeps the key unencrypted so a web server can read it without a passphrase.

Include Subject Alternative Names
---------------------------------

Modern browsers ignore the Common Name and require the hostname under **SAN**, or they'll reject the certificate outright. Add it explicitly:

```
openssl req -x509 -newkey rsa:2048 -nodes \
  -keyout key.pem -out cert.pem -days 365 \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
```
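
The following script is an added example, not part of the original article. It runs the SAN command above in a temporary directory and then checks what a client and a web server will check: SAN coverage, key/certificate pairing, remaining validity and key file permissions. The function names are this example's own, and `-addext` needs OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example: run the page's SAN command, then check the result the way a
# TLS client and a web server would. Function names are this example's own.

# make_cert DIR: write DIR/key.pem and DIR/cert.pem using the command above.
make_cert() {
  ( umask 077   # -nodes leaves key.pem unencrypted, so create it owner-only
    openssl req -x509 -newkey rsa:2048 -nodes \
      -keyout "$1/key.pem" -out "$1/cert.pem" -days 365 \
      -subj "/CN=localhost" \
      -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" 2>/dev/null )
}

# cert_covers CERT host|ip NAME: true if NAME matches a SAN entry in CERT.
cert_covers() {
  openssl x509 -in "$1" -noout "-check$2" "$3" | grep -q "does match"
}

# key_matches_cert CERT KEY: true if KEY is the private half of CERT's public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# valid_for_days CERT N: true if CERT is still valid N days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# key_is_private KEY: true if group and others have no permissions on KEY.
key_is_private() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# verify_cert DIR: run every check, print one line each, fail if any fails.
verify_cert() {
  rc=0
  report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; rc=1; fi; }
  report cert_covers "$1/cert.pem" host localhost
  report cert_covers "$1/cert.pem" ip 127.0.0.1
  report key_matches_cert "$1/cert.pem" "$1/key.pem"
  report valid_for_days "$1/cert.pem" 364
  report key_is_private "$1/key.pem"
  return "$rc"
}

dir=$(mktemp -d) && make_cert "$dir" && verify_cert "$dir"
rm -rf "$dir"
```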

Use it in nginx
---------------

Point your server block at the two files:

```
ssl_certificate     /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
```

Trust it locally
----------------

Your browser will still warn you because nothing vouches for the certificate. For a smoother local setup you can add `cert.pem` to your operating system or browser trust store, or use a tool like `mkcert` that installs a local CA for you.

When you're ready to serve real traffic, request a certificate from a CA with a [CSR](/generate-csr-with-openssl), or use a free automated certificate. Either way, make sure you serve the [full certificate chain](/what-is-an-ssl-certificate-chain).
