How to Create self-signed certificates use OpenSSL


Create, Sign and Manage Certificate using OpenSSL

OpenSSL is a versatile command line tool that can be used for a variety of cryptographic tasks related to Public Key Infrastructure (PKI) and HTTPS (HTTP over TLS).

This tutorial shows how to use OpenSSL for certificates used for asymmetric encryption in beta and test tasks used for internal or development environments. The associated CSR Certificate Signing Request certificates are not worthwhile for testing purposes issued by a Trusted CA certificate issuer. For this purpose, in an example, the generation of a private key with certificate issuance and its signing.

Create a self-signed certificate

openssl genrsa -out priv.key 4096
openssl req -new -nodes -sha256 -key priv.key -out cert.csr
openssl x509 -req -sha256 -days 3650 -in cert.csr -signkey priv.key -out cert.crt

In this example, a private key with a length of 4096 bits is generated, which is valid for 10 years, the X509 Distinguished Key Identifiers are defined, with the encryption of the SHA256 algorithm, finally the certificate is self-signed.

openssl genrsa -out priv.key 4096
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x010001)
PS C:temp> openssl req -new -nodes -sha256 -key priv.key -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:ZRH
Locality Name (eg, city) []:ZURICH
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cyber Lab Ltd.
Organizational Unit Name (eg, section) []:D evOps Root CA Cert Authority
Common Name (e.g. server FQDN or YOUR name) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:1234

The self-signed certificate generated in this way is used for cryptographic encryption for HTTPS / TLS server and client, code signing, IP End Point Security (SSL-VPN) or for S/MIME e-mail.

The certificate cert.crt is then imported into the certificate store, this to Trusted Root Certification Authorities and to The Own Certificates.

Figure: Certificates snap-in

OpenSSL – Open Secure Socket Layer protocol is standard on most Linux distributions, the Windows binaries are available on sourceforge.

XCA – X Certificate Key Management

If you are not familiar with the OpenSSL command line tool, you can use the X Certificate – xca tool, which offers all options in a GUI.

X Certificate and Key Management is an interface for managing asymmetric keys such as RSA or DSA. It is intended for the creation and signing of certificates. The cryptographic operations use the OpenSSL library.


  • Start own PKI and create all kinds of certificates, requests or CRLs
  • Import and export in any format like PEM, DER, PKCS#7, PKCS#12
  • Use them for your IPsec, OpenVPN, HTTPs or any other certificate based setup
  • Manage your Smart-Cards via PKCS#11 interface
  • Export certificates and requests to an OpenSSL config file
  • Create Subject- and/or Extension- templates to ease issuing similar certs
  • Convert existing certificates or requests to templates
  • Get the broad support of x509v3 extensions as flexible as OpenSSL but user friendlier
  • Adapt the Columns to have your important information at a glance

Download at sourceforge

Figure: X Certificate and Key management

Before keys and certificates can be generated, a database must <Ctrl+N> be created.<Ctrl+N> After generating a private key, a new certificate can be generated. The private keys should be kept password protected. If a private key becomes available for unauthorized ones, the certificate is no longer secure and must be replaced.

Verify key and certificate

Check and output private key

openssl rsa -check -in priv.key

View Certificate

openssl x509 -noout -text -in cert.crt

Certificate Signing Request Check and output

openssl req -text -noout -verify -in cert.csr

Verification of the private key, the CSR and the certificate for authenticity.

openssl rsa -noout -modulus -in priv.key | openssl md5
openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl req -noout -modulus -in cert.csr | openssl md5

If the output of each command is identical, there is a very high probability that the certificate and CSR are related to the private key.


OpenSSL is the versatile Swiss Army Knife that can be used for a variety of cryptographic tasks for asymmetric encryption, from generating a private key with certificate issuance and signing, to verifying authenticity with testing of connectivity.

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

Leave a Reply

Your email address will not be published. Required fields are marked *