Skip to content
Switch branches/tags
Go to file

Latest commit

declare missing key usage required by Google Chrome (when using TLS 1.3, no pb with TLS 1.2)

Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Generate self-signed x.509 certificates for use with SSL/TLS

Benefits at a glance:

  • Supports multiple domain names in one cert with the SubjectAltName field
  • Trivial to automate — the only required argument is a domain name
  • Automatically set modern options by default (-sha256, -utf8)
  • Easy to install .deb and .rpm packages


Usage: sslfie [OPTION]... DOMAIN [DOMAIN2]...

Generate a self-signed x.509 certificate for use with SSL/TLS.

  -o PATH -- output the cert to a file at PATH
  -k PATH -- output the key to a file at PATH
  -K PATH -- sign key at PATH (instead of generating a new one)
  -c CC   -- country code listed in the cert (default: XX)
  -s SIZE -- generate a key of size SIZE (default: 2048)
  -y N    -- expire cert after N years (default: 10)
  -p      -- prompt for cert values
  -r      -- output csr instead of signing a cert


Ubuntu and Linux Mint

sudo add-apt-repository ppa:mkropat/ppa
sudo apt-get update
sudo apt-get install sslfie

Debian and Friends

Download the .deb package from Latest Releases. Then run:

sudo dpkg -i sslfie*.deb
sudo apt-get install -f	# if there were missing dependencies

CentOS and Friends

Download the .rpm package from Latest Releases. Then run:

sudo yum localinstall sslfie*.noarch.rpm

Standalone Script

Installation isn't required. The sslfie script is entirely self-contained, so you can just download it:

curl -O
chmod +x sslfie

Then run it like so:


Example Usage

Generate a cert for

$ sslfie -c US -o example.crt -k example.key

That's it. You can use openssl to examine the generated certificate:

$ openssl x509 -in example.crt -noout -text | less

Some key lines to look for are:

Subject: C=US,


X509v3 Subject Alternative Name:,

Generate a Certificate Signing Request (CSR)

Did you know that the steps for creating a self-signed certificate with openssl are almost identical to the steps for creating a certificate signing request? I didn't when I named it sslfie, go figure.

If you want to get a real (that is, not self-signed) certificate, sslfie can help you with that too:

$ sslfie -r -p -o example.csr -k example.key

The -r option causes -o to output a CSR instead of a cert. Also notice we're using the -p option, which presents a text UI for inputting the full distinguished name, if you want. Important caveat for using -p: you must use -o and -k to capture the output, because using shell redirection breaks the text UI.

To examine the generated CSR:

$ openssl req -in example.crt -noout -text | less