self-signedself-signed-certificatecertificate-authority

Self Sign Certificates by definition require to generate CA or not necessarily?


I can generate a self-signed certificate using the following classic approach:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
  -nodes -keyout lr-server-cert.key -out lr-server-cert.crt -subj "/CN=Tal-Yitzhak" \
  -addext "subjectAltName=DNS:Tal-Yitzhak-Alt,DNS:*.internal.lightrun.com,IP:10.50.1.119"

Which basically creates a certificate that is signed with the private key generated in the same step.

But, if I create my own CA (ca.crt, ca.key), then generate a private key tls.key and CSR, then use the CA to sign the CSR and generate a self signed certificate. In that case the 'Issuer to' and 'Issued by' are the same.

Is it considered self sign certificate (with CA) as well? Or not really.

I tried both methods, just asking for what is the right definition for a self signed.


Solution

  • "Self-signed" means that the public key embedded in the certificate validates the signature on the certificate.

    Whether you do that across multiple commands, or just one, it's the same. (Under the covers your one command has to do it as independent steps of making the keypair, making the certificate structure, and signing it.)

    You could also issue another certificate against the same keypair but using this first one as a CA. That would be technically self-signed, but not "self-issued"... and would be confusing, so don't do it. Generally when someone says "self-signed" they are also assuming "self-issued".