How to Quickly Generate a Self-Signed PEM Certificate for Testing WebSocket Connections (WSS)


2 views

When working with WebSocket Secure (WSS) connections, many third-party applications require certificates in PEM format. While production environments should always use properly signed certificates from Certificate Authorities (CAs), development and testing scenarios often need quick solutions.

Here's the fastest way to generate a self-signed certificate that will work for testing:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"

This command creates:

  • A 4096-bit RSA private key (key.pem)
  • A self-signed certificate (cert.pem) valid for 365 days
  • Both files in PEM format

Some applications expect both components in a single file:

cat key.pem cert.pem > combined.pem

For Apache HTTP Server testing, you'll need to configure your virtual host:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    # Other SSL directives...
</VirtualHost>

To create certificates for specific test domains:

openssl req -x509 -newkey rsa:4096 -keyout domain.key -out domain.crt -days 365 -nodes -subj "/CN=test.example.com"

Here's how to use the generated certificate in a Node.js WebSocket server:

const fs = require('fs');
const https = require('https');
const WebSocket = require('ws');

const server = https.createServer({
  cert: fs.readFileSync('cert.pem'),
  key: fs.readFileSync('key.pem')
});

const wss = new WebSocket.Server({ server });

wss.on('connection', (ws) => {
  // Handle WebSocket connections
});

server.listen(8080);

While these certificates are fine for development, remember:

  • Self-signed certificates will trigger browser warnings
  • Never use them in production environments
  • Consider using Let's Encrypt for production certificates

For those who prefer GUI tools:

  • XCA (Windows/Linux/macOS)
  • Keychain Access (macOS)
  • Windows Certificate Manager

Generating a self-signed SSL certificate is a common task for developers who need to test HTTPS functionality locally or in staging environments. While not suitable for production, self-signed certificates provide a quick way to enable encryption during development.

Before we begin, ensure you have:
- Apache web server installed
- OpenSSL package installed
- Root or sudo privileges

Here's the complete process to create and configure a self-signed certificate:


# Generate private key and certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/apache-selfsigned.key \
-out /etc/ssl/certs/apache-selfsigned.crt

You'll be prompted to enter information about your organization. For testing purposes, you can leave most fields blank or enter dummy values.

Create or modify your SSL configuration file (typically in /etc/apache2/sites-available/default-ssl.conf):


<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot /var/www/html
    
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    
    # Other configuration directives...
</VirtualHost>

Enable the SSL module and your new site:


# Enable SSL module
a2enmod ssl

# Enable the SSL virtual host
a2ensite default-ssl

# Restart Apache
systemctl restart apache2

Verify your setup by visiting https://localhost in your browser. You'll see a security warning (expected for self-signed certificates) which you can bypass for testing purposes.

For quick testing, you can generate everything with one command:


openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

This creates both the private key (key.pem) and certificate (cert.pem) in your current directory.

Remember that self-signed certificates:
- Will trigger browser warnings
- Don't provide identity verification
- Should never be used in production
- Are only suitable for development and testing