Creating a Self-Signed SSL Certificate
Last updated 27 May 2020
Table of Contents
Check out Automated Certificate Management to see if it meets your needs before going further in this article.
When using the SSL Endpoint feature for non-production applications, you can avoid the costs associated with the SSL certificate by using a self-signed SSL certificate. Though the certificate implements full encryption, visitors to your site will see a browser warning indicating that the certificate should not be trusted.
For apps with controlled distribution this warning can be avoided by creating your own authority certificate and adding it to your users’ browsers.
You can proceed past this warning to view the encrypted site.
The openssl library is required to generate your own certificate. Run the following command in your local environment to see if you already have openssl installed installed.
$ which openssl /usr/bin/openssl
which command does not return a path then you will need to install openssl yourself:
|If you have…||Install with…|
|Mac OS X||Homebrew:
|Windows||Windows complete package .exe installer|
Generate private key and certificate signing request
A private key and certificate signing request are required to create an SSL certificate. These can be generated with a few simple commands.
openssl req command asks for a “challenge password”, just press return, leaving the password empty. This password is used by Certificate Authorities to authenticate the certificate owner when they want to revoke their certificate. Since this is a self-signed certificate, there’s no way to revoke it via CRL (Certificate Revocation List).
More detailed instructions can be found in Creating an SSL Certificate Signing Request.
$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 ... $ openssl rsa -passin pass:x -in server.pass.key -out server.key writing RSA key $ rm server.pass.key $ openssl req -new -key server.key -out server.csr ... Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California ... A challenge password : ...
Generate SSL certificate
The self-signed SSL certificate is generated from the
server.key private key and
$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
server.crt file is your site certificate suitable for use with Heroku’s SSL add-on along with the
server.key private key.