Certificate Depot

Free Self-Signed SSL/TLS Certificate Generator

Keys never stored. Free forever, no ads. Open source.

Tools & Guides

PEM Certificate Decoder (Tool)
Convert PEM to PFX (PKCS#12) with OpenSSL (Guide)
How Long Should a Self-Signed Certificate Be Valid? (Guide)
How to Set Up a Self-Signed Certificate for Nginx (Guide)
How to Trust a Self-Signed Certificate in Chrome (Guide)
How to Trust a Self-Signed Certificate in Firefox (Guide)
How to Trust a Self-Signed Certificate on Windows (Guide)
How to Trust a Self-Signed Certificate on macOS (Guide)
RSA vs ECDSA for Self-Signed Certificates (Guide)
Self-Signed Certificates for localhost Development (Guide)
Self-Signed SSL Certificate for Apache HTTP Server (Guide)
Self-Signed SSL Certificate for Node.js HTTPS Server (Guide)
Self-Signed SSL Certificates in Docker (Guide)
Why Subject Alternative Names (SANs) Matter for Modern Browsers (Guide)

Frequently Asked Questions

What is a self-signed certificate?
A self-signed certificate is an SSL/TLS certificate that is signed by its own creator rather than a trusted Certificate Authority (CA). It provides the same encryption as a CA-signed certificate, but browsers will show a warning because the identity hasn't been verified by a third party. Self-signed certificates are ideal for development, testing, internal tools, and learning.
What key types are supported?
Certificate Depot supports RSA keys (2048-bit and 4096-bit) and ECDSA keys (P-256 and P-384 curves). RSA 2048 is the most widely compatible option. ECDSA keys are smaller and faster, making them a good choice for modern systems. All keys are generated using cryptographically secure random number generation.
What are Subject Alternative Names (SANs)?
SANs allow a single certificate to cover multiple domain names and IP addresses. For example, you can create one certificate for example.com, www.example.com, and *.example.com. Modern browsers require SANs and ignore the Common Name field for validation, so adding SANs is highly recommended.
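The SAN rule described above, as an added example (not Certificate Depot's code): a simplified JavaScript model of how a browser decides whether a certificate covers a hostname. The certificate object shape, the function names and the sample values are assumptions made for illustration; real verifiers also normalize IPv6 addresses and internationalized names.

```javascript
// Simplified model of hostname verification: only SAN entries are consulted,
// the Common Name is never used as a fallback.

// Rough IP-literal test (assumption: dotted IPv4, or anything containing ':').
const isIpLiteral = (host) =>
  /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');

// Does one dNSName SAN entry cover `host`? A wildcard is honoured only as the
// entire leftmost label and stands for exactly one label. This sketch also
// refuses a wildcard directly under a top-level label such as "*.com".
function dnsNameMatches(pattern, host) {
  const p = pattern.toLowerCase().replace(/\.$/, '').split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  if (p.length !== h.length || h.some((label) => label === '')) return false;
  return p.every((label, i) =>
    (i === 0 && label === '*' && p.length > 2) || label === h[i]);
}

// cert = { commonName, dnsNames: [...], ipAddresses: [...] } (hypothetical shape)
function certCoversHost(cert, host) {
  if (isIpLiteral(host)) {
    // IP literals must appear as iPAddress entries, never as DNS names.
    // Exact string comparison only; no IPv6 normalization here.
    return (cert.ipAddresses || []).includes(host);
  }
  return (cert.dnsNames || []).some((name) => dnsNameMatches(name, host));
}

// Constructed sample certificates.
const withSans = {
  commonName: 'example.com',
  dnsNames: ['example.com', 'www.example.com', '*.example.com'],
  ipAddresses: ['127.0.0.1'],
};
const cnOnly = { commonName: 'example.com', dnsNames: [], ipAddresses: [] };

// One line per host: coverage by the SAN certificate vs. the CN-only one.
function report() {
  const hosts = ['example.com', 'api.example.com', 'a.b.example.com',
    '127.0.0.1', '10.0.0.5'];
  return hosts.map((h) =>
    `${h}: sans=${certCoversHost(withSans, h)} cnOnly=${certCoversHost(cnOnly, h)}`);
}

console.log(report().join('\n'));
```

The `*.example.com` entry covers `api.example.com` but neither `example.com` itself nor `a.b.example.com`, which is why the bare domain is listed as its own SAN.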
What is the difference between ZIP and PFX download?
ZIP contains two separate PEM files: the certificate and the private key. This is the most common format for Apache, Nginx, and most Linux-based servers. PFX (also called PKCS#12) bundles the certificate and private key into a single password-protected file. This format is commonly used with IIS, Windows, and Java applications.
Is it safe to generate certificates here?
Certificates are generated in memory on the server and streamed directly to your browser. No private keys are stored or logged. However, since the private key is generated server-side, you should only use certificates from this tool for development and testing purposes. For production use, generate certificates locally using tools like OpenSSL or obtain them from a trusted Certificate Authority.
How do I install the certificate?
Nginx: Point ssl_certificate to certificate.pem and ssl_certificate_key to private-key.pem.
Apache: Use SSLCertificateFile and SSLCertificateKeyFile directives.
Node.js: Pass the PEM files to https.createServer() options.
Windows/IIS: Import the PFX file through IIS Manager or the certificate MMC snap-in.