What is a Self-Signed Certificate?

A self-signed certificate is a digital certificate that is signed by its own creator rather than a trusted Certificate Authority (CA). Unlike certificates issued by CAs like Let's Encrypt, DigiCert, or Comodo, self-signed certificates are not automatically trusted by browsers and operating systems.

Digital certificates use public-key cryptography to establish secure, encrypted connections between clients and servers. They contain information about the certificate holder (subject), the issuer, validity period, and a public key. When a server presents a certificate, the client verifies it against trusted root certificates to ensure the connection is secure and authentic.

How Does Certificate Generation Work?

The certificate generation process involves several cryptographic steps:

  1. Key Pair Generation: An RSA key pair (public and private keys) is generated. The private key must be kept secret, while the public key is embedded in the certificate.

  2. Certificate Creation: A certificate structure is created containing the subject information (Common Name, Organization, Country, etc.), validity dates, and the public key.

  3. Self-Signing: The certificate is digitally signed using the private key and a hash algorithm (SHA-256, SHA-384, or SHA-512). This signature allows anyone with the public key to verify the certificate's integrity.

  4. PEM Encoding: The certificate and private key are encoded in PEM (Privacy-Enhanced Mail) format, a Base64-encoded format widely supported by servers and applications.

Tool Description

This tool generates self-signed X.509 certificates and their corresponding private keys directly in your browser. No data is sent to any server—all cryptographic operations happen locally using the node-forge library. You can customize the certificate's subject fields, key size, validity period, and signature algorithm to match your specific requirements.

Examples

Basic localhost certificate:

  • Common Name: localhost
  • Key Size: 2048 bits
  • Validity: 1 year
  • Algorithm: SHA-256

Development server certificate:

  • Common Name: dev.myapp.local
  • Organization: My Company
  • Country: US
  • Key Size: 2048 bits
  • Validity: 2 years

Output format (Certificate):

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiUMA0GCSqGSIb3QasEBBUAMEUxCzAJBgNV
...
-----END CERTIFICATE-----

Output format (Private Key):

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy...
...
-----END RSA PRIVATE KEY-----

Features

  • Browser-based generation: All cryptographic operations run locally in your browser with no server communication
  • Configurable key sizes: Choose from 1024, 2048, 3072, or 4096-bit RSA keys for different security levels
  • Multiple signature algorithms: Support for SHA-256, SHA-384, and SHA-512 hashing algorithms
  • Complete X.509 fields: Set Common Name, Organization, Organizational Unit, Country, State, and Locality
  • Flexible validity periods: Generate certificates valid from 30 days to 10 years

Certificate Fields Explained

Field Description Example
Common Name (CN) The domain name or hostname the certificate is for localhost, example.com
Organization (O) Legal name of the organization Acme Corporation
Organizational Unit (OU) Department or division IT Department
Country (C) Two-letter ISO country code US, GB, DE
State/Province (ST) State or province name California
Locality (L) City or town name San Francisco

Key Size Recommendations

  • 1024 bits: Not recommended for production; suitable only for testing
  • 2048 bits: Standard security level; recommended for most use cases
  • 3072 bits: Enhanced security; good for sensitive development environments
  • 4096 bits: Maximum security; slower generation but highest protection

Use Cases

  1. Local development servers: Create HTTPS certificates for localhost to test secure features like Service Workers, Geolocation API, or WebRTC that require secure contexts

  2. Internal testing environments: Generate certificates for staging servers and QA environments where CA-signed certificates are unnecessary

  3. Docker and containerized applications: Secure communication between containers in development or isolated networks

  4. API development and testing: Enable HTTPS for local API servers to test OAuth flows, secure webhooks, and certificate pinning

  5. Learning and education: Understand how SSL/TLS certificates work by generating and inspecting your own certificates

Installation Instructions

After generating your certificate, you'll need to configure your server and potentially trust the certificate:

For Node.js/Express:

const https = require("https");
const fs = require("fs");

const options = {
  key: fs.readFileSync("private-key.pem"),
  cert: fs.readFileSync("certificate.pem"),
};

https.createServer(options, app).listen(443);

For nginx:

server {
    listen 443 ssl;
    ssl_certificate /path/to/certificate.pem;
    ssl_certificate_key /path/to/private-key.pem;
}

Trusting the certificate (macOS):

  1. Open Keychain Access
  2. Import the certificate.pem file
  3. Double-click the certificate and set "Trust" to "Always Trust"

Trusting the certificate (Windows):

  1. Double-click the certificate.pem file
  2. Click "Install Certificate"
  3. Choose "Local Machine" and place in "Trusted Root Certification Authorities"

Security Considerations

  • Never use self-signed certificates in production for public-facing websites
  • Keep your private key secure—anyone with access can impersonate your server
  • Self-signed certificates will show browser warnings because they're not trusted by default
  • Use short validity periods for development to encourage certificate rotation
  • Consider using tools like mkcert for development if you need trusted local certificates