Create an SSL certificate

Before running the commands shown on this page, you should load the Bitnami stack environment by executing the installdir/use_APPNAME script (Linux and MacOS) or by clicking the shortcut in the Start Menu under “Start -> Bitnami APPNAME Stack -> Application console” (Windows). On OS X VMs, the installation directory is /opt/bitnami and OS X VM users can click the “Open Terminal” button to run commands. Learn more about the Bitnami stack environment and about OS X VMs.

You can create your own SSL certificate with the OpenSSL binary. You first generate a certificate request, which can then be sent to a certificate authority (CA) to be signed into a certificate. If you have your own certificate authority, you may sign the request yourself. Alternatively, you can use a self-signed certificate, for example because you only want a test certificate or because you are setting up your own CA.

IMPORTANT: Mattermost requires a valid SSL certificate for some browsers. As Safari does not allow self-signed certificates for WebSocket connections, real-time communication may not work properly. You may see the following error in your browser console: “WebSocket network error: OSStatus Error -9809: Invalid certificate chain”. Try using Google Chrome, Firefox or Internet Explorer instead. If you are running a production server, it is advisable that you set up a proper SSL certificate. Learn how to configure SSL certificates.

NOTE: In the following steps, replace the APPNAME placeholder with the name of your application directory.

  • Generate a new private key:

    $ sudo openssl genrsa -out installdir/apps/APPNAME/conf/certs/server.key 2048

  • Create a certificate signing request (CSR):

    $ sudo openssl req -new -key installdir/apps/APPNAME/conf/certs/server.key -out installdir/apps/APPNAME/conf/certs/cert.csr

    IMPORTANT: Enter the server domain name when the above command asks for the “Common Name”.

  • Send cert.csr to the certificate authority. When the certificate authority has completed its checks (and probably received payment from you), it will hand over your new certificate to you.

  • Until the certificate is received, create a temporary self-signed certificate:

    $ sudo openssl x509 -in installdir/apps/APPNAME/conf/certs/cert.csr -out installdir/apps/APPNAME/conf/certs/server.crt -req -signkey installdir/apps/APPNAME/conf/certs/server.key -days 365

  • Back up your private key in a safe location after generating a password-protected version as follows:

    $ sudo openssl rsa -des3 -in installdir/apps/APPNAME/conf/certs/server.key -out privkey.pem

    Note that if you use this encrypted key in the configuration file, Nginx won’t be able to start. Regenerate the key without password protection from this file as follows:

    $ sudo openssl rsa -in privkey.pem -out installdir/apps/APPNAME/conf/certs/server.key
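The steps above, scripted without prompts and followed by a consistency check, as an added example (not Bitnami's own code). It works in a scratch directory instead of installdir/apps/APPNAME/conf/certs; the function names, the host name chat.example.test and the passphrase are assumptions.

```shell
#!/usr/bin/env bash
# Added example: the page's steps, run non-interactively in a scratch directory.
# The host name and passphrase used at the bottom are constructed sample values.

# Print the PEM public key held by a private key, a CSR or a certificate.
pubkey() {  # usage: pubkey key|csr|crt FILE [PASSIN]
  case "$1" in
    key) openssl pkey -in "$2" -passin "${3:-pass:}" -pubout ;;
    csr) openssl req  -in "$2" -noout -pubkey ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

# Key, CSR, temporary self-signed certificate and encrypted backup, as in the steps.
# -subj and -passout replace the interactive prompts.
make_cert_set() {  # usage: make_cert_set DIR COMMON_NAME PASSPHRASE
  ( umask 077  # new key files are readable by their owner only
    openssl genrsa -out "$1/server.key" 2048 &&
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/cert.csr" &&
    openssl x509 -req -in "$1/cert.csr" -signkey "$1/server.key" -days 365 \
      -out "$1/server.crt" &&
    openssl rsa -des3 -in "$1/server.key" -passout "pass:$3" -out "$1/privkey.pem"
  ) >/dev/null 2>&1
}

# Prints "ok" only if every file carries the same public key, the certificate names
# the expected host, and the backup is encrypted while server.key is not.
check_cert_set() {  # usage: check_cert_set DIR COMMON_NAME PASSPHRASE
  local k
  k=$(pubkey key "$1/server.key") || k=""
  [ -n "$k" ] || { echo "server.key missing or passphrase-protected"; return 1; }
  [ "$k" = "$(pubkey csr "$1/cert.csr")" ] || { echo "CSR/key mismatch"; return 1; }
  [ "$k" = "$(pubkey crt "$1/server.crt")" ] ||
    { echo "certificate/key mismatch"; return 1; }
  [ "$k" = "$(pubkey key "$1/privkey.pem" "pass:$3")" ] ||
    { echo "backup does not decrypt to server.key"; return 1; }
  openssl x509 -in "$1/server.crt" -noout -subject | grep -Eq "CN ?= ?$2\$" ||
    { echo "Common Name is not $2"; return 1; }
  grep -q ENCRYPTED "$1/privkey.pem" || { echo "backup is not encrypted"; return 1; }
  echo "ok"
}

demo_dir=$(mktemp -d)
make_cert_set "$demo_dir" chat.example.test 'constructed-passphrase' &&
  check_cert_set "$demo_dir" chat.example.test 'constructed-passphrase'
```

Running check_cert_set again after installing the CA-issued server.crt confirms that the certificate you received belongs to the key on the server.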

Find more information about certificates at

Last modification December 17, 2018