How to create a self-signed certificate

Updated 2026-06-21

A self-signed certificate is an SSL/TLS certificate you sign with your own private key instead of having a certificate authority sign it. To create one, you generate an RSA key pair, build an X.509 certificate that lists the hostnames you'll serve, sign it with that key, and export the certificate and key as PEM files. You can do the whole thing in your browser — no OpenSSL install, no command line.

What you need to decide first

A self-signed cert is built from a few fields: the Common Name, the Subject Alternative Names (SANs), the validity period and the key size. Get these right and the certificate will work the first time.

The single most common mistake is leaving out SANs. Chrome ignores the Common Name when matching a hostname and checks only the SAN list, so a cert with only a CN produces a NET::ERR_CERT_COMMON_NAME_INVALID error even though the certificate itself looks valid.

Generate it in the browser

  1. Open the Self-Signed Certificate Generator.
  2. Set the Common Name (e.g. localhost).
  3. Fill Subject Alternative Names with every host and IP you need.
  4. Choose validity days and key size, then click Generate certificate.

You'll get back the certificate in PEM format (the .crt file), the matching private key (the .key file), a DER version for tools that need binary, and a SHA-256 fingerprint you can use to pin or verify the cert. The key pair is generated with node-forge entirely inside the tab, so the private key never leaves your machine — important, because anyone holding a leaked private key can impersonate the server, which defeats the whole point of TLS.

Use the .crt and .key, or a .p12 bundle

Most servers want the two PEM files. In Node, point your HTTPS server at the .key and .crt. In nginx, set ssl_certificate to the .crt and ssl_certificate_key to the .key. Then trust the .crt locally (add it to your OS or browser trust store) so the browser stops showing the warning screen.

If your platform prefers a single combined file — IIS, many Java keystores, or importing into the macOS/Windows certificate store — enter a PKCS#12 passphrase before generating. The tool then also exports a .p12 bundle containing both the certificate and the private key, protected by that passphrase.
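The same four outputs described above (PEM cert and key, DER copy, SHA-256 fingerprint, optional .p12 bundle) produced with the openssl CLI instead of the browser tool. This is an added example, not the generator's own code; it assumes openssl 1.1.1 or newer on PATH, and the output directory, file names and SAN list are choices made for the example.

```shell
#!/bin/sh
# Self-signed certificate with SANs (the field Chrome requires), plus the
# DER copy, SHA-256 fingerprint and PKCS#12 bundle the page describes.
# Assumes the openssl CLI (1.1.1+, for -addext). File names are example choices.
set -eu

# make_selfsigned OUTDIR CN DAYS KEYBITS SAN_LIST
#   SAN_LIST uses openssl syntax, e.g. "DNS:localhost,DNS:dev.test,IP:127.0.0.1"
make_selfsigned() {
  outdir=$1; cn=$2; days=$3; bits=$4; sans=$5
  mkdir -p "$outdir"
  # One command: fresh RSA key + self-signed X.509 cert carrying the SAN extension.
  openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 \
    -keyout "$outdir/server.key" -out "$outdir/server.crt" \
    -days "$days" -subj "/CN=$cn" \
    -addext "subjectAltName=$sans" 2>/dev/null
  chmod 600 "$outdir/server.key"      # private key stays owner-readable only
  # DER copy for tools that want the binary encoding.
  openssl x509 -in "$outdir/server.crt" -outform DER -out "$outdir/server.der"
}

# Print the SANs the cert actually carries: the check that catches a CN-only cert.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# SHA-256 fingerprint of the DER encoding, for pinning or out-of-band verification.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_p12 KEY CRT OUT PASSPHRASE: bundle cert + key for IIS / Java keystores / OS stores.
make_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Usage: a localhost cert valid for a year with a hostname and an IP SAN.
make_selfsigned ./selfsigned localhost 365 2048 "DNS:localhost,IP:127.0.0.1"
cert_sans ./selfsigned/server.crt
cert_fingerprint ./selfsigned/server.crt
make_p12 ./selfsigned/server.key ./selfsigned/server.crt ./selfsigned/server.p12 "change-me"
```

If cert_sans prints nothing, the certificate has no SAN extension and Chrome will reject it regardless of the CN.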

A note on where these belong

Self-signed certificates are for local development and testing only. Browsers warn on them on every machine that has not explicitly trusted them, because no public authority vouches for them, so never put one on a public production site — use a CA like Let's Encrypt there. For localhost HTTPS, internal tools, and test environments, a self-signed cert is exactly the right call.

Ready to make one? Generate your cert in seconds with the Self-Signed Certificate Generator — nothing leaves your browser.
