📝 MAILCHECK BLOG

How to Generate a Self-Signed SSL Certificate (Step by Step)

Everything you need to know about creating and using self-signed certificates — with OpenSSL, online tools, and web server setup.

Published: May 1, 2026 · 8 min read

What Is a Self-Signed SSL Certificate?

A self-signed SSL certificate is an SSL/TLS certificate that's signed by its own private key instead of a trusted Certificate Authority (CA) like Let's Encrypt, DigiCert, or Sectigo.

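The important thing to understand: it provides the exact same encryption as a CA-signed certificate. The difference is trust: browsers and operating systems don't automatically trust self-signed certs because no third party verifies your identity. Unless the client has been given the certificate in advance, it cannot tell your certificate from one presented by someone intercepting the connection.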

When you visit a site with a self-signed certificate, you'll see a warning like:

⚠️ Your connection is not private
NET::ERR_CERT_AUTHORITY_INVALID

When Should You Use a Self-Signed Certificate?

Self-signed certificates are perfect for specific scenarios. Here's when to use them — and when not to:

✅ Good use cases

  • Local development — Test HTTPS features on localhost without buying certs
  • Staging environments — Secure your QA servers before production
  • Internal microservices — Encrypt traffic between services in your VPC
  • IoT and embedded devices — Devices that never need public browser trust
  • Learning and testing — Understand how TLS, certificates, and trust chains work
  • CI/CD pipelines — Integration tests that need HTTPS endpoints

❌ Don't use for

  • Production websites — Browsers will scare your users away
  • Public APIs — Clients won't trust your endpoint
  • Email servers — Other mail servers may reject your TLS connections
  • Anything customer-facing — Always use Let's Encrypt or a commercial CA

Method 1: Generate with OpenSSL (Command Line)

OpenSSL is the standard tool for certificate generation. If you're on Linux or macOS, it's probably already installed. For Windows, download from slproweb.com.

Step 1: Generate a private key

openssl genrsa -out mydomain.key 2048

This creates a 2048-bit RSA private key. Use 4096 instead of 2048 for stronger security (slower generation).

Step 2: Create a Certificate Signing Request (CSR)

openssl req -new -key mydomain.key -out mydomain.csr

You'll be prompted for:

  • Common Name (CN) — Your domain name (e.g., example.com)
  • Organization — Your company name (optional)
  • Country — Two-letter country code (e.g., US, DE)

Step 3: Self-sign the certificate

openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt

This creates a certificate valid for 365 days. Adjust -days for your needs (30, 365, 1825 for 5 years, etc.).

One-liner: Skip the CSR

You can generate the key and self-signed cert in one command:

openssl req -x509 -newkey rsa:2048 -keyout mydomain.key -out mydomain.crt -days 365 -nodes -subj "/CN=mydomain.com"

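The -nodes flag writes the private key unencrypted (no passphrase), so keep the key file readable only by the account that runs the server. OpenSSL 3.0 and later deprecate -nodes in favor of the equivalent -noenc.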
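Clients such as Chrome and Go's crypto/tls match the host name only against the certificate's subjectAltName extension, which the commands above do not set. The script below is an added example, not from the original article: it generates a certificate with a SAN, keeps the key owner-only, and checks the result before it is installed. It assumes OpenSSL 1.1.1 or later; the function names, host names and paths are illustrative.

```shell
#!/bin/sh
# Added example, not from the article. Assumes OpenSSL 1.1.1+ (-addext, -ext).
# Function names, host names and paths are illustrative.

# make_self_signed HOST DIR [DAYS] -> DIR/HOST.key (0600) and DIR/HOST.crt
make_self_signed() {
    host=$1; dir=$2; days=${3:-365}
    (
        umask 077   # key is never readable by group/other, even briefly
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$dir/$host.key" -out "$dir/$host.crt" \
            -days "$days" -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" 2>/dev/null
    ) || return 1
    chmod 644 "$dir/$host.crt"   # the certificate itself is public
}

# has_san CRT HOST: true only if HOST is listed as a DNS subjectAltName
has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$2"
}

# key_matches_cert KEY CRT: compare the public key derived from each file,
# so a mismatched pair is caught before the web server is reloaded
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# pinned_ok CRT HOST: verify as a client would when handed CRT as its only
# trust anchor (the equivalent of curl --cacert CRT), host name included
pinned_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Usage:
#   make_self_signed mydomain.com /etc/nginx/ssl 365
#   has_san /etc/nginx/ssl/mydomain.com.crt mydomain.com || echo "no SAN"
#   key_matches_cert /etc/nginx/ssl/mydomain.com.key /etc/nginx/ssl/mydomain.com.crt
```

Distributing the .crt to the services that connect and having them use it as their CA file lets them verify the server instead of turning certificate checks off.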

Method 2: Use an Online SSL Certificate Generator

If you don't want to use the command line — or just need a quick cert — our free SSL Certificate Generator tool generates self-signed certificates instantly:

🔐 Free SSL Certificate Generator

  • ✅ RSA 2048 or 4096
  • ✅ Custom domain, org, country
  • ✅ 30 days to 10 years validity
  • ✅ Download .crt + .key instantly
  • ✅ No signup, no ads, free

The online generator is perfect for:

  • Quick dev certs — no terminal needed
  • Learning — see PEM format output immediately
  • Copy-paste workflow — grab cert and key in your browser
  • Non-technical users — no OpenSSL knowledge required

Installing the Certificate on Nginx

Once you have your .crt and .key files, configure Nginx:

server {
    listen 443 ssl;
    server_name mydomain.com;

    ssl_certificate     /etc/nginx/ssl/mydomain.crt;
    ssl_certificate_key /etc/nginx/ssl/mydomain.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://localhost:8080;
    }
}

Then test and reload:

sudo nginx -t && sudo systemctl reload nginx

Installing the Certificate on Apache

<VirtualHost *:443>
    ServerName mydomain.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/mydomain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key

    DocumentRoot /var/www/html
</VirtualHost>

Enable SSL and restart:

sudo a2enmod ssl && sudo systemctl restart apache2

Self-Signed vs Let's Encrypt: Which One?

Feature          | Self-Signed            | Let's Encrypt
Cost             | Free                   | Free
Browser trust    | ❌ Not trusted          | ✅ Fully trusted
Validity         | Any duration           | 90 days (auto-renew)
Domain proof     | None required          | Domain ownership check
Setup complexity | Simple                 | Requires certbot
Best for         | Dev, staging, internal | Production websites

💡 Rule of thumb: If a browser will ever connect to it → use Let's Encrypt. If it's only machines/services that you control → self-signed is fine.
