Openssl Generate Key And Self Signed Certificate

  1. Openssl Self Signed Certificate Ca
  2. Generate Self Signed Ssl Certificate

How to create & sign SSL/TLS certificates TECH SCHOOL. Apr 12 ・10 min read. We’ve talked about how digital certificates help with authentication and provide a safe and reliable key exchange process in TLS. Today we will learn exactly how to generate a certificate and have it signed by a Certificate Authority (CA). Generating a self-signed certificate with OpenSSL: Win32 OpenSSL v1.1.0+ for Windows can be found here. Open Windows File Explorer. Navigate to the OpenSSL bin directory. C:OpenSSLbin in our example. Right-click the openssl.exe file and select Run as administrator.

This repository has been archived by the owner. It is now read-only.

Online Service

Cert-Depot - It can create certificates in both unencrypted PEM format, and PFX.

Openssl Generate Key And Self Signed Certificate


  • Install openssl package for your operating system from here
  • Generating a private key: openssl genrsa 2048 > private.pem
  • Generating the self signed certificate: openssl req -x509 -new -key private.pem -out public.pem
  • If required, creating PFX: openssl pkcs12 -export -in public.pem -inkey private.pem -out mycert.pfx
Clone this wiki locally
Use openssl to create an x509 self-signed certificate authority (CA), certificate signing request (CSR), and resulting private key with IP SAN and DNS SAN

Openssl Self Signed Certificate Ca

# Define where to store the generated certs and metadata.
# Optional: Ensure the target directory exists and is empty.
rm -rf '${DIR}'
mkdir -p '${DIR}'
# Create the openssl configuration file. This is used for both generating
# the certificate as well as for specifying the extensions. It aims in favor
# of automation, so the DN is encoding and not prompted.
cat >'${DIR}/openssl.cnf'<<EOF
default_bits = 2048
encrypt_key = no # Change to encrypt the private key using des3 or similar
default_md = sha256
prompt = no
utf8 = yes
# Speify the DN here so we aren't prompted (along with prompt = no above).
distinguished_name = req_distinguished_name
# Extensions for SAN IP and SAN DNS
req_extensions = v3_req
# Be sure to update the subject to match your organization.
C = US
ST = California
L = The Cloud
O = Demo
CN = My Certificate
# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly.
IP.1 =
DNS.1 =
# Create the certificate authority (CA). This will be a self-signed CA, and this
# command generates both the private key and the certificate. You may want to
# adjust the number of bits (4096 is a bit more secure, but not supported in all
# places at the time of this publication).
# To put a password on the key, remove the -nodes option.
# Be sure to update the subject to match your organization.
openssl req
-newkey rsa:2048
-days 120
-subj '/C=US/ST=California/L=The Cloud/O=My Company CA'
-keyout '${DIR}/ca.key'
-out '${DIR}/ca.crt'
# For each server/service you want to secure with your CA, repeat the
# following steps:
# Generate the private key for the service. Again, you may want to increase
# the bits to 4096.
openssl genrsa -out '${DIR}/my-service.key' 2048
# Generate a CSR using the configuration and the key just generated. We will
# give this CSR to our CA to sign.
openssl req
-new -key '${DIR}/my-service.key'
-out '${DIR}/my-service.csr'
-config '${DIR}/openssl.cnf'
# Sign the CSR with our CA. This will generate a new certificate that is signed
# by our CA.
openssl x509
-days 120
-in '${DIR}/my-service.csr'
-CA '${DIR}/ca.crt'
-CAkey '${DIR}/ca.key'
-extensions v3_req
-extfile '${DIR}/openssl.cnf'
-out '${DIR}/my-service.crt'
# (Optional) Verify the certificate.
openssl x509 -in '${DIR}/my-service.crt' -noout -text
# Here is a sample response (truncate):
# Certificate:
# Signature Algorithm: sha256WithRSAEncryption
# Issuer: C = US, ST = California, L = The Cloud, O = My Organization CA
# Subject: C = US, ST = California, L = The Cloud, O = Demo, CN = My Certificate
# # ...
# X509v3 extensions:
# X509v3 Basic Constraints:
# X509v3 Subject Key Identifier:
# 36:7E:F0:3D:93:C6:ED:02:22:A9:3D:FF:18:B6:63:5F:20:52:6E:2E
# X509v3 Key Usage:
# Digital Signature, Key Encipherment
# X509v3 Extended Key Usage:
# TLS Web Client Authentication, TLS Web Server Authentication
# X509v3 Subject Alternative Name:
# IP Address:,
Openssl verify self signed certificate

Generate Self Signed Ssl Certificate

Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment