Self-signing security certificates

Obtaining or self-signing security certificates is a frequent step in my notes. The intent of this post is to DRY out my blog.

To self-sign a certificate, first create a certs/ directory:

mkdir certs
cd certs

In the following command, note the keyout and out options. I like to name my certificates in accordance with my production site’s URL and subdomain (if any). For example, suppose I need a certificate for I set the keyout and out options to and respectively.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout -out

If you’re like me and you use the jwilder/nginx-proxy Docker image, it won’t find your certificates unless you follow the naming convention above.

Now, make sure that no one but root can look at your private key:

cd ..
sudo chown -R root:root certs
sudo chmod -R 600 certs
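The generation and permission steps above as a non-interactive script, with a check that the certificate and private key actually belong together. This is an added example, not part of the original post; the domain example.test, the `<domain>.key` / `<domain>.crt` file names, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. example.test and the <domain>.key / <domain>.crt naming
# are assumptions; substitute the names your proxy expects.

# make_self_signed DOMAIN DIR
# Creates DIR/DOMAIN.key and DIR/DOMAIN.crt with the same openssl options
# as the post, plus -subj so no interactive prompts are needed.
make_self_signed() {
    domain=$1
    dir=$2
    mkdir -p "$dir" || return 1
    (
        # umask 077: the key is never group- or world-readable, even briefly.
        umask 077
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$domain" \
            -keyout "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/$domain.key"
}

# cert_matches_key CERT KEY
# True only if the public key embedded in CERT is the one derived from KEY.
# Catches a renamed or mixed-up pair before the proxy refuses to start.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# key_is_private FILE
# True only if FILE is a regular file with mode exactly rw-------.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
```

Ownership is not changed here; run the post's `sudo chown -R root:root certs` afterwards if the directory should belong to root.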

Alternatively, if you need validation from a third-party Certificate Authority, I like to use Their site is a little clunky, but they offer certificates for free, so they’re alright in my books.

See also: Chaining intermediate certificates for Nginx