Monday, November 27, 2017

Generating a Self Signed SSL Certificate using OpenSSL on a Windows machine


In my last post, we learned How To Generate a CSR using OpenSSL.

Now that we have created a CSR, we will use a CSR (Certificate Signing Request) to create a Self Signed Certificate.

So let's get ready for

Generating Self Signed SSL Certificate using OpenSSL on Windows

To generate a Self Signed Certificate using OpenSSL on a Windows machine, we need the following 3 things:

  • OpenSSL installed on the machine.
  • A root CA (Certification Authority)
  • A Private Key
  • A CSR file

We have already created a CSR in my last post, but here we will create another CSR after we create the CA and Intermediate CA in OpenSSL.

Creating Root CA in OpenSSL

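To create a Root CA in OpenSSL, follow these steps from your OpenSSL console in Command Prompt. Because the commands are entered at the OpenSSL> prompt, they are shown without the leading openssl; from a regular Command Prompt, prefix each command with openssl.

1. Generate the Root CA key with this command:

           genrsa -out lalitca.key 4096

         This command generates a 4096-bit RSA key for our Root CA
         and stores it in a key file named lalitca.key.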


Note: If you want to password protect this key, simply add the -des3 option to the above command (genrsa also accepts -aes256 if you prefer AES over Triple DES). For the sake of simplicity I have just skipped this option. Keep in mind that an unencrypted Root CA key can be used to sign certificates by anyone who can read the file.

2. Now, based on this CA key, we will create our Root CA certificate. We have to give our Root CA an identity such as Country, State, Location, Organization, OU, CommonName etc. Put in all this information carefully.

           req -new -x509 -days 3652 -key lalitca.key -out lalitca.crt



Note: We are using the -x509 switch to create a self-signed certificate (the Root CA certificate is signed with its own key), and the -days 3652 switch ensures that this Root CA certificate will be valid for 10 years.


Now we have the Root CA in place. We are all set to create a CSR, which will be used to create a Self Signed certificate signed by this Root CA.

Creating a CSR 

Execute the following 2 commands in the same order to generate the Private Key and the CSR file.

           genrsa -out test.key 4096

           req -new -key test.key -out test.csr

Put in all the required information again (Country, State, Location, Organization, Organization Unit, Common Name etc.).

Note: Make sure you give a different Common Name (in this step) than the Root CA. Otherwise you will run into an error at a later stage.





Now we have all 3 things in place (OpenSSL, RootCA and CSR). It's now time to generate our first Self-Signed certificate from OpenSSL.

Execute the following command to create the certificate based on the CSR and get it signed by the RootCA we created in the steps above.

           x509 -req -days 1095 -in test.csr -CA lalitca.crt -CAkey lalitca.key -set_serial 01 -out lalit.crt

This command will give you results like the following:

Signature ok
subject=C = US, ST = Arizona, L = Tempe, O = Lalit, CN = web.lalitgolani.com
Getting CA Private Key



And that's it.

You have successfully created your RootCA and first Self-Signed certificate using OpenSSL on a Windows machine. Clients will trust lalit.crt only after lalitca.crt has been added to their trusted root store.
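
The steps above can be run end to end and then checked. The following PowerShell script is an added example, not part of the original post: it repeats the same commands non-interactively with -subj and then verifies the chain, the key match, the subject/issuer difference and the presence of a subjectAltName. It assumes openssl.exe is on PATH and can find its openssl.cnf; the working folder name, the subject values and the Assert-OpenSsl helper are made up for illustration.

```powershell
# Added example, not from the original post. Assumes openssl.exe is on PATH and
# can find its openssl.cnf. Subject values are constructed samples.
$work = Join-Path $env:TEMP 'openssl-ca-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Push-Location $work

function Assert-OpenSsl([string]$Step) {
    # openssl.exe signals failure through its exit code, not a PowerShell error.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

try {
    # The post's five commands, made non-interactive with -subj.
    openssl genrsa -out lalitca.key 4096; Assert-OpenSsl 'Root CA key'
    openssl req -new -x509 -days 3652 -key lalitca.key -out lalitca.crt `
        -subj '/C=US/ST=Arizona/O=Demo/CN=DemoRootCA'; Assert-OpenSsl 'Root CA certificate'
    openssl genrsa -out test.key 4096; Assert-OpenSsl 'Server key'
    openssl req -new -key test.key -out test.csr `
        -subj '/C=US/ST=Arizona/O=Demo/CN=web.example.test'; Assert-OpenSsl 'CSR'
    openssl x509 -req -days 1095 -in test.csr -CA lalitca.crt -CAkey lalitca.key `
        -set_serial 01 -out lalit.crt; Assert-OpenSsl 'Signing'

    # Check 1: the issued certificate chains to the Root CA.
    $verdict = (openssl verify -CAfile lalitca.crt lalit.crt) -join ' '
    if ($LASTEXITCODE -ne 0 -or $verdict -notmatch ': OK') { throw "Chain check failed: $verdict" }

    # Check 2: the certificate holds the public key that belongs to test.key.
    $certPub = (openssl x509 -in lalit.crt -noout -pubkey) -join ''
    $keyPub  = (openssl pkey -in test.key -pubout) -join ''
    if ($certPub -ne $keyPub) { throw 'lalit.crt does not match test.key' }

    # Check 3: subject and issuer names must differ (see the Common Name note).
    $subjectHash = openssl x509 -in lalit.crt -noout -subject_hash
    $issuerHash  = openssl x509 -in lalit.crt -noout -issuer_hash
    if ($subjectHash -eq $issuerHash) { throw 'Subject equals issuer: certificate looks self-issued' }

    # Check 4: by default x509 -req copies no extensions from the CSR, so there
    # is no subjectAltName here unless one is supplied through -extfile.
    $hasSan = openssl x509 -in lalit.crt -noout -text |
        Select-String -SimpleMatch 'Subject Alternative Name' -Quiet
    if (-not $hasSan) { Write-Warning 'No subjectAltName; clients that ignore CN reject this name.' }

    openssl x509 -in lalit.crt -noout -subject -issuer -dates -serial
}
finally { Pop-Location }
```

With the commands exactly as given in this post, Check 4 prints its warning, because the signing step adds no subjectAltName extension.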


In my next post, I will show how to convert the .CRT file into a .P12 (PFX) file and install it on IIS.