How to create a self-signed certificate with OpenSSL?

hello dear experts dear opensuse fans

i hope you are well and everything goes all right

i run a server on openSuse.

today i have a question regarding the creation of a SSL-Certificate.

note: i am fairly new to the process of generating a SSL-certificate …: Is it possible to do self signed certification a website without domain name?
to shed a light i have gathered some information: i have read some documentations and sumarize it here - trying to find out the information that helps me to answer the question.
i have gathered some infos here at: https://www.openssl.org/ and at stackoverflow - see below
**
OpenSSL **is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
It is also a general-purpose cryptography library. For more information about the team and community around the project, or to start making your own contributions, start with the community page. To get the latest news, download the source, and so on, please see the sidebar or the buttons at the top of every page. OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

Legalities Please remember that export/import and/or use of strong cryptography software, providing cryptography hooks, or even just communicating technical details about cryptography software is illegal in some parts of the world.
So when you import this package to your country, re-distribute it from there or even just email technical suggestions or even source patches to the authors or other people you are strongly advised to pay close attention
to any laws or regulations which apply to you. The authors of OpenSSL are not liable for any violations you make here. So be careful, it is your responsibility. ssl certificate without domain name
the downloads: [ Downloads ] - /source/index.html
The master sources are maintained in our git repository, which is accessible over the network and cloned on GitHub, at GitHub - openssl/openssl: TLS/SSL and crypto library. Bugs and pull patches (issues and pull requests) should be filed on the GitHub repo. Please familiarize yourself with the license. The table below lists the latest releases for every branch. (For an explanation of the numbering, see our release strategy.) All releases can be found at /source/old. A list of mirror sites can be found here. Note: The latest stable version is the 1.1.1 series.

**The question is: **
Is it possible to do self signed certification a website without domain name? I have read that we can do this with the servicelet’sencrypt.org: it seems so that it does not issue certificate for having no domain name.
i have heard about various options and methods:
a. - getting a certificate from LetsEncrypt that would be trusted by most of the browsers that are out there:
preliminaries: we need a domain that resolves to our server.

  • LetsEncrypt does not issue certs for IP-addresses nor for custom dev-domains like .local. and the like.
    secondly: We - of course are also able to create and sign a certificate ourself, for every domain name we want, or even for IP addresses. The domain name can be anything, and doesn’t necessarily be the one we use to access the site.
    In this case i guess that the webserver won’t mind here.
    But that said i can imagine that our browser will display a whole bunch of warnings and will throw lots of errors, though (CN mismatch and things alike, non-trusted signature and other things more), but if we just skip/ignore those kind of warnings and messages then subesquently we can access the site via HTTPS.

the creation process: How to create a self-signed certificate with OpenSSL

i am on Linux and i guess that we can do this on console: It’s fairly easy to create a self-signed certificate on linux. If we are on Linux we just use the openssl req command.
It can be tricky to create one that can be consumed by the largest selection of clients that aree browsers and command line tools too. The many browsers out there have their own set of requirements, therfore it may be a bit difficult - some browsers are more restrictive than the IETF. The requirements used by browsers are documented at the CA/Browser Forums (see references below). The restrictions arise in two key areas: (1) trust anchors, and (2) DNS names.
so the creation-process can have the following steps - according this documentation taken from here:
ttps://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

** Procedure** To generate a self-signed SSL certificate using the OpenSSL, complete the following steps:
Write down the Common Name (CN) for your SSL Certificate. The CN is the fully qualified name for the system that uses the certificate. If you are using Dynamic DNS, your CN should have a wild-card, for example: *.api.com. Otherwise, use the hostname or IP address set in your Gateway Cluster (for example. 192.16.183.131 or dp1.acme.com).
Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted.

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pemCopy

Review the created certificate:

openssl x509 -text -noout -in certificate.pemCopy

Combine your key and certificate in a PKCS#12 (P12) bundle:

 openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12Copy

Validate your P2 file.

openssl pkcs12 -in certificate.p12 -noout -info

… taken from here: https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

Here are the options described in more detail, from the documentation at /docs/manmaster/man1/req.html
note: the documentation is actually much more detailed than the following notes; I just summarized it here:


openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX


req

PKCS#10 certificate request and certificate generating utility.


-x509

this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA.


-newkey arg

this option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size.


-keyout filename

this gives back the filename to write the newly created private key to.


-out filename

This specifies the output filename to write to or standard output by default.


-days n

when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.


-nodes

if this option is specified then if a private key is created it will not be encrypted.

The documentation from the documentation at /docs/manmaster/man1/req.html
is actually more detailed than the above; I just summarized it here.

As of 2020, the following command serves all our needs, including SAN:
cf How to generate a self-signed SSL certificate using OpenSSL? - Stack Overflow

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes
-keyout example.key -out example.crt -extensions san -config
<(echo “[req]”;
echo distinguished_name=req;
echo “[san]”;
echo subjectAltName=DNS:example.com,DNS:example.net,IP:10.0.0.1
)
-subj “/CN=example.com

In OpenSSL ≥ 1.1.1, this can be shortened to:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes
-keyout example.key -out example.crt -subj “/CN=example.com
-addext “subjectAltName=DNS:example.com,DNS:example.net,IP:10.0.0.1”

It creates a certificate that is:
valid for the domains

example.com 

and

example.net

(SAN),
also valid for the IP address 10.0.0.1 (SAN),
relatively strong (as of 2020) and
valid for 3650 days (~10 years).
It creates the following files:

Private key: example.key
Certificate: example.crt

All information is provided at the command line. There is no interactive input that annoys you. There are no config files you have to mess around with. All necessary steps are executed by a single OpenSSL invocation: from private key generation up to the self-signed certificate.
Remark #1: Crypto parameters
Since the certificate is self-signed and needs to be accepted by users manually, it doesn’t make sense to use a short expiration or weak cryptography.
In the future, you might want to use more than 4096 bits for the RSA key and a hash algorithm stronger than sha256, but as of 2020 these are sane values. They are sufficiently strong while being supported by all modern browsers.
Remark #2: Parameter “-nodes”
Theoretically we could leave out the -nodes parameter (which means “no DES encryption”), in which case example.key would be encrypted with a password. However, this is almost never useful for a server installation, because you would either have to store the password on the server as well, or you’d have to enter it manually on each reboot.

the question is: Is it possible to do self signed certification a website without domain name?
I have read that we can do this with the servicelet’sencrypt.org: it seems so that it does not issue certificate for having no domain name. i have heard about various options and methods that i have described above.

look forward to hear from you
regards

I will answer only the one Q and not about how to generate a self-signed certificate…

Yes, you can create a certificate without a domain name by specifying an IP address instead Note that the CN regardless whether it’s a domain name or IP address must match exactly how the client will connect to the website. Since the CN is essentially part of how the client connects to the website you don’t have much leeway what your CN can be.

TSU