</ul>
<ul>
<span id="ansible-collections-community-crypto-docsite-guide-selfsigned"></span><h1>How to create self-signed certificates<a class="headerlink" href="#how-to-create-self-signed-certificates" title="Permalink to this heading"></a></h1>
<p>The <a class="reference external" href="https://galaxy.ansible.com/community/crypto">community.crypto collection</a> offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create self-signed certificates.</p>
<p>For creating any kind of certificate, you always have to start with a private key. You can use the <a class="reference internal" href="../openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module"><span class="std std-ref">community.crypto.openssl_privatekey module</span></a> to create a private key. If you only specify <code class="docutils literal notranslate"><span class="pre">path</span></code>, the default parameters will be used. This will result in a 4096 bit RSA private key:</p>
<p>You can specify <code class="docutils literal notranslate"><span class="pre">type</span></code> to select another key type, <code class="docutils literal notranslate"><span class="pre">size</span></code> to select a different key size (only available for RSA and DSA keys), or <code class="docutils literal notranslate"><span class="pre">passphrase</span></code> if you want to store the key password-protected:</p>
<p>To create a very simple self-signed certificate with no specific information, you can proceed directly with the <a class="reference internal" href="../x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module"><span class="std std-ref">community.crypto.x509_certificate module</span></a>:</p>
<p>(If you used <code class="docutils literal notranslate"><span class="pre">passphrase</span></code> for the private key, you have to provide <code class="docutils literal notranslate"><span class="pre">privatekey_passphrase</span></code>.)</p>
<p>You can use <code class="docutils literal notranslate"><span class="pre">selfsigned_not_after</span></code> to define when the certificate expires (default: in roughly 10 years), and <code class="docutils literal notranslate"><span class="pre">selfsigned_not_before</span></code> to define from when the certificate is valid (default: now).</p>
<p>To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the <a class="reference internal" href="../x509_certificate_module.html#ansible-collections-community-crypto-x509-certificate-module"><span class="std std-ref">community.crypto.x509_certificate module</span></a>. If you do not need the CSR file, you can use the <a class="reference internal" href="../openssl_csr_pipe_module.html#ansible-collections-community-crypto-openssl-csr-pipe-module"><span class="std std-ref">community.crypto.openssl_csr_pipe module</span></a> as in the example below. (To store it to disk, use the <a class="reference internal" href="../openssl_csr_module.html#ansible-collections-community-crypto-openssl-csr-module"><span class="std std-ref">community.crypto.openssl_csr module</span></a> instead.)</p>
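<p>The steps of this guide combined into one playbook, as an added example that is not taken from the original page or the collection's documentation: a passphrase-protected key, an in-memory CSR carrying the subject, SANs and key usages, and a self-signed certificate with a one-year lifetime instead of the roughly 10-year default. The file paths, the <code class="docutils literal notranslate"><span class="pre">example.com</span></code> names and the <code class="docutils literal notranslate"><span class="pre">vault_key_passphrase</span></code> variable are assumptions.</p>

```yaml
# Added example: paths, host names and the vault variable are placeholders.
- name: Self-signed server certificate with SANs
  hosts: localhost
  gather_facts: false
  vars:
    key_path: /path/to/certificate.key
    cert_path: /path/to/certificate.pem
    # Assumed to be defined in an Ansible Vault file, not in plain text.
    key_passphrase: "{{ vault_key_passphrase }}"
  tasks:
    - name: Create passphrase-protected private key (default RSA, 4096 bits)
      community.crypto.openssl_privatekey:
        path: "{{ key_path }}"
        passphrase: "{{ key_passphrase }}"
        cipher: auto
        mode: "0600"   # key readable by its owner only

    - name: Build CSR in memory with subject, SANs and key usages
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ key_path }}"
        privatekey_passphrase: "{{ key_passphrase }}"
        common_name: www.example.com
        subject_alt_name:
          - "DNS:www.example.com"
          - "DNS:example.com"
        key_usage:
          - digitalSignature
          - keyEncipherment
        key_usage_critical: true
        extended_key_usage:
          - serverAuth
        basic_constraints:
          - "CA:FALSE"   # leaf certificate, must not sign other certificates
        basic_constraints_critical: true
      register: csr

    - name: Self-sign the CSR, valid from now for one year
      community.crypto.x509_certificate:
        path: "{{ cert_path }}"
        csr_content: "{{ csr.csr }}"
        privatekey_path: "{{ key_path }}"
        privatekey_passphrase: "{{ key_passphrase }}"
        provider: selfsigned
        selfsigned_not_after: "+365d"
```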