# GenerateSelfSignedCertificate()

Generates a self-signed SSL/TLS certificate.

Useful for development, testing, and internal services where you don't need a Certificate Authority.

**Requires Extension:** [Crypto Extension](https://download.lucee.org/#17AB52DE-B300-A94B-E058FC978BE4542D)

```
GenerateSelfSignedCertificate( privateKey=any, publicKey=any, keyPair=struct, subject=string, validityDays=numeric, algorithm=string );
```

**Returns:** string

# Arguments

| Argument | Type | Required | Description | Default |
|----------|------|----------|-------------|---------|
| privateKey | any | No | Private key (PEM string or Java object). Provide either privateKey+publicKey OR keyPair. |  |
| publicKey | any | No | Public key (PEM string or Java object). Provide either privateKey+publicKey OR keyPair. |  |
| keyPair | struct | No | Struct with 'private' and 'public' keys (from GenerateKeyPair or Lucee's built-in GenerateRSAKeys). Provide either keyPair OR privateKey+publicKey. |  |
| subject | string | Yes | X.500 distinguished name (e.g., CN=localhost, O=My Company, C=AU) |  |
| validityDays | numeric | No | Number of days the certificate is valid | 365 |
| algorithm | string | No | Signature algorithm (e.g., SHA256withRSA, SHA256withECDSA). Auto-detected if omitted. |  |

# Examples

```cfml
// Generate a self-signed certificate for development/testing
keyPair = GenerateKeyPair( "RSA-2048" );

// Pass the key pair as a struct
cert = GenerateSelfSignedCertificate(
	keyPair = keyPair,
	subject = "CN=localhost, O=My Company, C=AU"
);
// cert is a PEM string starting with "-----BEGIN CERTIFICATE-----"

// Or pass private and public keys individually
cert = GenerateSelfSignedCertificate(
	privateKey = keyPair.private,
	publicKey = keyPair.public,
	subject = "CN=localhost, O=My Company, C=AU"
);

// Custom validity period (default is 365 days)
cert = GenerateSelfSignedCertificate(
	keyPair = keyPair,
	subject = "CN=localhost",
	validityDays = 730 // 2 years
);

// Works with EC keys too
ecKeyPair = GenerateKeyPair( "P-256" );
cert = GenerateSelfSignedCertificate(
	keyPair = ecKeyPair,
	subject = "CN=ec-test.example.com"
);

// Each certificate gets a unique serial number, even when generated rapidly
```







# Categories

[Cryptography](../../categories/crypto.md)

# See Also

[CertificateInfo()](certificateinfo.md), [CertificateToPem()](certificatetopem.md), [GenerateCSR()](generatecsr.md), [GenerateKeyPair()](generatekeypair.md)