make-ssl-cert
Create self-signed SSL certificates
SYNOPSIS
make-ssl-cert [OPTIONS] filename-base
PARAMETERS
-p
Specifies the full path and filename for the generated private key. If not specified, the key will be saved as filename-base.key.
-r
Specifies the full path and filename for the generated certificate. If not specified, the certificate will be saved as filename-base.crt.
-d
Sets the validity period of the certificate in days. The default is typically 365 days.
-n
Generates the private key without a passphrase. This is commonly used for server deployments where unattended startup is desired. The key is then stored unencrypted on disk, so file permissions are its only protection.
-e
Sets the email address field within the certificate's subject information.
-s
Allows specifying the full subject string for the certificate in a single argument (e.g., "/C=US/ST=NY/L=NYC/O=MyOrg/CN=localhost"). This overrides interactive prompts.
-h
Displays a help message and exits.
filename-base
The base name for the output certificate and key files. If specific paths are not provided with -p and -r, files like filename-base.crt and filename-base.key will be created in the current directory.
DESCRIPTION
The `make-ssl-cert` command is a utility script, primarily found on Debian and Ubuntu systems, designed to simplify the creation of self-signed SSL/TLS certificates and their corresponding private keys. It acts as a convenient wrapper around the more complex `openssl` command, automating the necessary steps to generate an X.509 certificate and an RSA private key. Its main purpose is to provide a straightforward method for setting up HTTPS for local development servers, testing environments, or internal services where a certificate signed by a public Certificate Authority (CA) is not required or feasible. By abstracting away the intricacies of `openssl` command parameters, it enables users to quickly provision essential cryptographic assets for secure communication without deep knowledge of OpenSSL's extensive options or interactive prompts.
CAVEATS
The certificates generated by `make-ssl-cert` are self-signed. This means they are not trusted by default by web browsers or other client applications, as they are not issued by a recognized Certificate Authority (CA). For public-facing services, a CA-signed certificate (e.g., from Let's Encrypt via Certbot) is required to avoid security warnings and ensure widespread trust. For local development or internal use, you may need to manually import the generated certificate into your system's trust store or browser to avoid security warnings.
OUTPUT FILES
When `make-ssl-cert` is executed, it typically creates two essential files in the specified paths or the current directory:
filename-base.key (or the path given with -p): This file contains the private key, which must be kept absolutely secure and confidential.
filename-base.crt (or the path given with -r): This file contains the self-signed X.509 certificate, which can be distributed to clients that need to trust your server.
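The following checks are an added example, not part of `make-ssl-cert` or of the original page. They use `openssl(1)` to confirm that a generated key is not readable by other users, that it belongs to the certificate, that the certificate is self-signed as described under CAVEATS, and that it is not about to expire. All function names are hypothetical, and the 30-day expiry threshold is an assumption.

```shell
#!/bin/sh
# Added example (not part of make-ssl-cert): sanity checks for a generated
# key/certificate pair. All function names are hypothetical.

# 0 if the key file grants no permissions to group or other.
key_perms_ok() {
    perms=$(ls -ld -- "$1" 2>/dev/null) || return 2
    case "$perms" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# 0 if the private key and the certificate carry the same public key.
# A passphrase-protected key makes openssl prompt for the passphrase.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# 0 if subject and issuer names are identical, as in a self-signed certificate.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
    [ "${subj#subject=}" = "${issr#issuer=}" ]
}

# 0 if the certificate will still be valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# audit_pair KEY CERT: print findings, return non-zero on any failure.
audit_pair() {
    rc=0
    key_perms_ok "$1" || { echo "FAIL: $1 is accessible to group/other"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    valid_for_days "$2" 30 || { echo "WARN: $2 expires within 30 days"; rc=1; }
    if is_self_signed "$2"; then
        echo "NOTE: $2 is self-signed; clients must import it to trust it"
    fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then audit_pair "$1" "$2"; fi
```

Saved as a script, it takes the key path and the certificate path as its two arguments and exits non-zero if any check fails.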
INTERACTIVE VS. NON-INTERACTIVE MODE
By default, `make-ssl-cert` may prompt the user for certificate subject information (e.g., Country Name, State, Organization Name, Common Name). This interactive behavior can be completely bypassed by using the `-s` option to provide a full subject string in a single argument, making it suitable for scripting and automated deployments.
HISTORY
The `make-ssl-cert` utility emerged as part of the Debian/Ubuntu ecosystem to simplify the otherwise complex process of generating self-signed SSL certificates using the `openssl` command-line tool. Its development was driven by the need for a user-friendly abstraction layer, making it easier for system administrators and developers to quickly set up HTTPS for local testing and internal services without needing extensive knowledge of OpenSSL's many parameters. It became a standard part of various Debian-based distributions, providing a convenient script for common certificate generation tasks, focusing on ease of use for development and internal network security.
SEE ALSO
openssl(1), certbot(1), update-ca-certificates(8)