Creating Self Signed Certificate Openssl

Execute the following command to generate the new self-signed certificate for the certificate authority: openssl req -new -x509 -days 3650 -key ca.key -out ca.crt The -x509 option outputs a self-signed certificate instead of a certificate request. This is an 8 minute video on one of the ways to create a self signed certificate in Ubuntu. We basically go over this command sudo openssl req.


Self signed SSL certificates are helpful in development and testing effort of many applications requiring SSL. Below are prescriptive steps on how you can create these certificates for yourself.

Alternatively, if you would like to have everything done for you, you can also use the SSL Certificates Generator tool.

Note that token enclosed by << and >> means that user will have to input a value in substitution there.


1. Download the latest OpenSSL for Windows (at the time of this writing: Win64 OpenSSL v1.1.1b Light) from Shining Light Productions and install OpenSSL into the default location of C:Program FilesOpenSSL-Win64 and selecting “Copy System Library to bin Directory” during install.

2. (optional – for creating Java keystore later) Download and install Java Development Kit (at the time of thie writing: JDK 1.8.0 u191) into the default location of C:Program FilesJavajdk1.8.0_191

3. Start a Command Prompt As Administrator and run the commands below.

Generate Root Certificate Authority (CA) Certificate

1. Generate Root CA private key

2. Generate Root CA public certificate

3. (optional) Verify Root CA Certificate

4. (optional) Create Java keystore for applications that require Java keystore

Generate Server Certificate

1. Generate server private key

2. Generate server certificate signing request (CSR)

Note: It is important to populate the Common Name (CN) above with the right DNS and IP. If you have several sub-domains that you need to support with a single certificate, you can use a wildcard CN like <<*>>. Alternatively, you can also use alternate names by creating/editing openssl.cnf and add/edit the below.

3. (optional) Verify server CSR

4. Sign and generate server public certificate

5. (optional) Verify server public certificate

6. Generate .P12 for server

Openssl Generate Self Signed Certificate

7. (optional) Verify server .P12

Generate Client Certificate

1. Generate client private key

2. Generate client certificate signing request (CSR)

3. (optional) Verify client CSR

4. Sign and generate client public certificate

Create Self Signed Certificate Openssl Windows Pfx

5. (optional) Verify client public certificate

6. Generate .P12 for client

Create Self Signed Certificate Openssl Centos 7

7. (optional) Verify server .P12

Openssl Self Signed Certificate No Input


At the end of this exercise, you will have the following certificates