Creating a Self-Signed SSL Certificate

Creating a Self-Signed SSL certificate is a nice option when you need to run a quick https test for a web site. Lets take a look on how we can make one.

I’ll be using OpenSSL toolkit. I’m on Windows therefore package can be ataken from here:
“openssl-0.9.8h-1-setup.exe” executable by default drops everything here: “C:\Program Files\GnuWin32\bin”. Or, if you are on 64 bit OS, then here: “C:\Program Files (x86)\GnuWin32\bin”.

OpenSSL package comes with a default config file – openssl.cnf. It is located in the “share” folder, in my case here: “C:\Program Files\GnuWin32\share”. Config file holds important settings that are used to generate the certificate. We need toΒ  comment “attributes” parameter line, otherwise an error will be presented. I also set the default length to 2048, but this one can be controlled with the command line parameters:

We need to create an environment variable so that Openssl.exe could find the config file.
Open cmd and type: set OPENSSL_CONF=C:\Program Files\GnuWin32\share\openssl.cnf

Now, navigate to the openssl.exe location: cd “C:\Program Files\GnuWin32\bin”. We will be doing everything from here.

So, normaly you would generate your Private key and a Certificate Signing Request (CSR) on your Web server and send them to the certificate authority, but here we’ll be doing everything in one place.

Just to remind you, SSL is using a Private/Public key pair – data is encrypted by one key but can only be decrypted by the other key of the pair. So, the very first step is to create a Private Key:
openssl genrsa -out server.key 2048
OpenSSL3The higher the bit length of your key, the higher the security level. A 2048-bit key is the minimum these days [1024 is not secure anymore]. Here’s how my Private key looks:

Obveously you should never show your Private key to anyone πŸ™‚

Next, we need a CSR. A Certificate Signing Request is an encrypted text that contains information that will be included in your certificate such as your organization name, common name, country, etc.
Release the below command and answer all the questions, pay attention to the Common Name, this is your Web server address:
openssl req -new -key server.key -out server.csr

Here is how my CSR request looks:

Now we are ready to perform a CA role. We will generate a certificate based on the settings in the CSR request:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Certificate [that now holds the Public Key] has been created in the bin folder:

We are almost there πŸ™‚

There is one important thing missing – our created SSL certificate [with the Public Key] is separated from the Private Key. We need to combine both in a so called PFX file. The PFX file is a PKCS#12 archive that contains a certificate [Public Key] and the corresponding Private Key protected by a password. PFX can be used in IIS. So lets do it:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx

If wee look to the bin folder we should see among others the PFX file created:

Now you can copy the PFX file to your Web server and import it to a Computers’ account Personal store:

And if you open the certificate you’ll see that now it also holds the Private Key:

Done πŸ™‚


Leave a Comment here

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s