How to generate CA-signed SSL certificates for a Website

What is an SSL certificate?

SSL certificate is a digital certificate that validates the identity of a website and establishes an encrypted connection. SSL (Secure Sockets Layer) is a security protocol that allows encrypted communication between web server and client.

Organizations add SSL certificates to their websites to keep online transactions secure and their customer’s information confidential.

How do these certificates work?

This is how the whole process works:

  1. A user wants to go to a website so the browser tries to connect to its web server securely.
  2. Next, the browser sends the message to the web server to identify itself.
  3. In response, the web server sends a copy of its SSL certificate to the browser.
  4. The browser then verifies whether the certificate is valid and whether it can trust it. If it is authentic, the browser sends the message to the server that it trusts the certificate.
  5. Then the server responds with a digitally signed acknowledgment to begin an SSL-encrypted session.
  6. Now secure communication can occur between the web server and the browser in encrypted form.

Installation Guide

In this tutorial, I will show you how you can generate a self-signed certificate for your website.

In the first part, I will show you how you can become a local Certificate Authority. After becoming a CA, you will be able to sign the certificate for your website.

In the next part, we will see how to generate an SSL certificate and how to get it signed by the CA.


To generate SSL certificates, you need to have OpenSSL toolkit installed on your Linux system. Most Linux distributions come pre-installed with this package, so no worries. But still, to be on the safe side, do check if you have it or not. You can check by running the following command:

If this command returns you with an OpenSSL version number, this means you have it.

Now we will jump straight to the installation part.

Become a Certificate Authority (CA):

This part will show you how you can become a CA with the help of a few simple commands. After that, you will be able to sign a certificate.

Step 1: Make a directory in SSL

First of all, go to the SSL directory with this command:

Next, make a directory here with the name ‘certificates’. You can name it anything you want.

Now go to the certificates directory that you just created with the following command:

Step 2: Generate CA private key

Once you are inside the certificates directory, run the following command to become a local CA:

After running the command, you will be asked for a passphrase. Give something that you can easily remember and hide as it will keep anyone else who has your private key from generating a root certificate of their own.

Step 3: Generate CA certificate

Now we will generate a root certificate with this command:

You will be asked for the passphrase you gave in one of the previous steps. After that, you will be asked a few questions that are not so important to answer. However, in common name, give a something that you can easily recognize your root certificate with, among other certificates.

Now look in the directory, you will have two files:

  • myCA.key (private key)
  • myCA.pem (root certificate)

If you see these two files, you are a CA now. Congratulations!

CA-signed certificate for your website

Now that we have become a CA, we can generate a certificate for a website and sign it.

Step 1: Create a private key for the website certificate

Run the command below to generate a private key for the site. To remember the key, name it using the domain name URL of the website. This is unnecessary, but it helps manage keys if you have different sites.

Step 4: Generate a Certificate Signing Request (CSR)

Now we create a CSR with the following command:

After running the command, you will be asked the same questions as you were asked before. These questions don’t matter. You can fill them with the same information you gave above.

Step 3: Make an X509 V3 certificate extension config file

Next, create a file with the name ssl.ext with the following command:

Open the file with nano editor:

Now add these lines to the file and save it. This step is needed when you are managing more than one website so you add all the domains inside the file. Even if you are using one website, do this step as we have used this file in the next command. The command will not run without creating this file.

Step 4: Generate the certificate

This is the final step where we will generate the certificate using our CA private key, CA certificate, and CSR as shown below:

After this step, we will get our self-signed certificate with the name ssl.crt.

You can configure the certificate by importing it into your browser.


In this detailed guide, we saw how we can become a local Certificate Authority and sign an SSL certificate for our website in simple steps. By doing this, your browser will finally stop giving the “Your connection is not private” error and you will be able to access your website securely.

If you want to know how to check the TLS/SSL certificate expiration date on Ubuntu LTS, visit: