tencent cloud

Tencent Cloud EdgeOne

Release Notes and Announcements
Release Notes
Security Announcement
Announcements
Product Introduction
Overview
Strengths
Use Cases
Comparison Between EdgeOne and CDN Products
Use Limits
Purchase Guide
Description of Trial Plan Experience Benefits
Free Plan Guide
Billing Overview
Billing Items
Subscriptions
Renewals
Instructions for overdue and refunds
Comparison of EdgeOne Plans
About "clean traffic" billing instructions
DDoS Protection Capacity Description
Getting Started
Choose business scenario
Quick access to website security acceleration
Quick deploying a website with Pages
Domain Service&Origin Configuration
Domain Service
HTTPS Certificate
Origin Configuration
Site Acceleration
Overview
Access Control
Smart Acceleration
Cache Configuration
File Optimization
Network Optimization
URL Rewrite
Modifying Header
Modify the response content
Rule Engine
Image&Video Processing
Speed limit for single connection download
DDoS & Web Protection
Overview
DDoS Protection
Web Protection
Bot Management
API Discovery(Beta)
Edge Functions
Overview
Getting Started
Operation Guide
Runtime APIs
Sample Functions
Best Practices
Pages
L4 Proxy
Overview
Creating an L4 Proxy Instance
Modifying an L4 Proxy Instance
Disabling or Deleting an L4 Proxy Instance
Batch Configuring Forwarding Rules
Obtaining Real Client IPs
Data Analysis&Log Service
Log Service
Data Analysis
Alarm Service
Site and Billing Management
Billing Management
Site Management
Version Management
General Policy
General Reference
Configuration Syntax
Request and Response Actions
Country/region and Corresponding Codes
Terraform
Overview
Installing and Configuring Terraform
Practical Tutorial
EdgeOne Skill User Guide
Automatic Warm-up/Cache Purge
Resource Abuse/hotlinking Protection Practical
HTTPS Related Practices
Acceleration Optimization
Scheduling Traffic
Data Analysis and Alerting
Log Platform Integration Practices
Configuring Origin Servers for Cloud Object Storage (Such As COS)
CORS Response Configuration
API Documentation
History
Introduction
API Category
Making API Requests
Site APIs
Acceleration Domain Management APIs
Site Acceleration Configuration APIs
Edge Function APIs
Alias Domain APIs
Security Configuration APIs
Layer 4 Application Proxy APIs
Content Management APIs
Data Analysis APIs
Log Service APIs
Billing APIs
Certificate APIs
Origin Protection APIs
Load Balancing APIs
Diagnostic Tool APIs
Custom Response Page APIs
API Security APIs
DNS Record APIs
Content Identifier APIs
Legacy APIs
Ownership APIs
Image and Video Processing APIs
Multi-Channel Security Gateway APIs
Version Management APIs
Data Types
Error Codes
FAQs
Product Features FAQs
DNS Record FAQs
Domain Configuration FAQs
Site Acceleration FAQs
Data and Log FAQs
Security Protection-related Queries
Origin Configuration FAQs
Troubleshooting
Reference for Abnormal Status Codes
Troubleshooting Guide for EdgeOne 4XX/5XX Status Codes
520/524 Status Code Troubleshooting Guide
521/522 Status Code Troubleshooting Guide
Tool Guide
Agreements
Service Level Agreement
Origin Protection Enablement Conditions of Use
TEO Policy
Privacy Policy
Data Processing And Security Agreement
Contact Us
Glossary
DocumentationTencent Cloud EdgeOneDomain Service&Origin ConfigurationHTTPS CertificateRelated ReferencesUsing OpenSSL to Generate Self-Signed Certificates

Using OpenSSL to Generate Self-Signed Certificates

PDF
Focus Mode
Font Size
Last updated: 2025-12-09 16:57:30
All server and client certificates generally need to be applied for from an authoritative certificate authority (CA) to ensure they are trusted by different operating systems and browsers. The CA usually charges a certain fee for the certificate. If you currently only need an HTTPS certificate for testing or in-house use, you can also manually issue a self-signed certificate using OpenSSL. The steps are as follows:
RSA Algorithm Certificate
ECC Algorithm Certificate

Step 1: Generate Root Certificate

1. Generate the root certificate private key through the following command, using an RSA certificate with a 4096 key length as an example, and save the generated private key as a ca-rsa.key file.
openssl genrsa -out ca-rsa.key 4096
2. Use the above certificate private key to generate a Certificate Signing Request (CSR) file, saved as ca-rsa.csr. The following command specifies the basic information of the certificate through -subj, where:
C=CN represents the country.
ST=State represents the province.
L=City represents the city.
O= Example Org represents the organization.
OU=Example CA represents the department.
CN=Example Root CA represents the common name of the certificate. In a CA certificate, this field can describe the purpose of the CA. If it is a domain name certificate, the domain name for certificate issuance needs to be specified in this field.
openssl req -new -key ca-rsa.key -out ca-rsa.csr -subj "/C=US/ST=State/L=City/O=Example Org/OU=Example CA/CN=Example Root CA"
3. Create the root certificate public key based on the certificate signing request file, with a validity of 3650 days, and save it as ca-rsa.crt. The -extfile parameter specifies this certificate as a CA certificate.
openssl x509 -req -in ca-rsa.csr -out ca-rsa.crt -signkey ca-rsa.key -days 3650 -sha256 -extfile <(printf "basicConstraints=critical,CA:TRUE\\nkeyUsage=critical,keyCertSign,cRLSign\\nsubjectKeyIdentifier=hash\\n")
4. Issue the certificate and verify whether it is a CA certificate.
openssl x509 -in ca-rsa.crt -noout -text | grep -A2 "X509v3 Basic Constraints"
The output result contains CA:TRUE, which indicates a correct CA certificate. See the output result below:
X509v3 Basic Constraints: critical
                CA:TRUE    # Indicates the cert is a CA certificate.
            X509v3 Key Usage: critical

Step Two: Issue a Domain Name Certificate

To issue a certificate for the designated domain name www.example.com, you can use the generated CA certificate to start issuing a self-signed domain name certificate:
1. Generate the certificate private key through the following command, using an RSA certificate with a 4096 key length as an example, and save the generated private key as a rsa-domain.key file.
openssl ecparam -name secp384r1 -genkey -noout -out rsa-domain.key
2. Use the above certificate private key to generate a Certificate Signing Request (CSR) file, saved as rsa-domain.csr. The following command specifies the basic information of the certificate through -subj. Please note to replace the CN field content with the domain name you want to issue. In this example, www.example.com is used.
openssl req -new -key rsa-domain.key -out rsa-domain.csr -subj "/C=US/ST=State/L=City/O=Example Org/OU=Example CA/CN=www.example.com"
3. Sign the domain name certificate with the CA certificate, generate the public key with a validity of 3650 days, and save it as rsa-domain.crt.
openssl x509 -req -in rsa-domain.csr -out rsa-domain.crt -CA ca-rsa.crt -CAkey ca-rsa.key -days 3650
4. Compare the CA certificate with the domain name certificate public key to verify whether the certificate chain of the issued domain name certificate is correct.
openssl verify -CAfile ca-rsa.crt rsa-domain.crt
If the output result displays rsa-domain.crt:OK, it indicates that the certificate issuance chain is correct. See the following:
rsa-domain.crt: OK

Step 1: Generate Root Certificate

1. Generate the root certificate private key through the following command, using an ECC certificate with the secp384r1 encryption algorithm as an example, and save the generated private key as a ca-ecc.key file.
openssl ecparam -name secp384r1 -genkey -noout -out ca-ecc.key
2. Use the above certificate private key to generate a Certificate Signing Request (CSR) file, saved as ca-ecc.csr. The following command specifies the basic information of the certificate through -subj, where:
C=CN represents the country.
ST=State represents the province.
L=City represents the city.
O= Example Org represents the organization.
OU=Example CA represents the department.
CN=Example Root CA represents the common name of the certificate. In a CA certificate, this field can describe the purpose of the CA. If it is a domain name certificate, the domain name for certificate issuance needs to be specified in this field.
openssl req -new -key ca-ecc.key -out ca-ecc.csr -subj "/C=US/ST=State/L=City/O=Example Org/OU=Example CA/CN=Example Root CA"
3. Create the root certificate public key based on the certificate signing request file, with a validity of 3650 days, and save it as ca-ecc.crt. The -extfile parameter specifies this certificate as a CA certificate.
openssl x509 -req -in ca-ecc.csr -out ca-ecc.crt -signkey ca-ecc.key -days 3650 -sha256 -extfile <(printf "basicConstraints=critical,CA:TRUE\\nkeyUsage=critical,keyCertSign,cRLSign\\nsubjectKeyIdentifier=hash\\n")
4. Issue the certificate and verify whether it is a CA certificate.
openssl x509 -in ca-ecc.crt -noout -text | grep -A2 "X509v3 Basic Constraints"
The output result contains CA:TRUE, which indicates a correct CA certificate. See the output result below:
X509v3 Basic Constraints: critical
                CA:TRUE    # Indicates the cert is a CA certificate.
            X509v3 Key Usage: critical

Step Two: Issue a Domain Name Certificate

To issue a certificate for the designated domain name www.example.com, you can use the generated CA certificate to start issuing a self-signed domain name certificate:
1. Generate the certificate private key through the following command, using an ECC certificate with the secp384r1 encryption algorithm as an example, and save the generated private key as a ecc-domain.key file.
openssl ecparam -name secp384r1 -genkey -noout -out ecc-domain.key
2. Use the above certificate private key to generate a Certificate Signing Request (CSR) file, saved as ecc-domain.csr. The following command specifies the basic information of the certificate through -subj. Please note to replace the CN field content with the domain name you want to issue, using www.example.com as an example in this case.
openssl req -new -key ecc-domain.key -out ecc-domain.csr -subj "/C=US/ST=State/L=City/O=Example Org/OU=Example CA/CN=www.example.com"
3. Sign the domain name certificate with the CA certificate, generate the public key with a validity of 3650 days, and save it as ecc-domain.crt.
openssl x509 -req -in ecc-domain.csr -out ecc-domain.crt -CA ca-ecc.crt -CAkey ca-ecc.key -days 3650
4. Compare the CA certificate with the domain name certificate public key to verify whether the certificate chain of the issued domain name certificate is correct.
openssl verify -CAfile ca-ecc.crt ecc-domain.crt
If the output result displays ecc-domain.crt:OK, it indicates that the certificate issuance chain is correct.
ecc-domain.crt: OK

Previous Topic: Enabling OCSP StaplingNext Topic: Certificate Format Requirements

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback