A self-signed certificate is a certificate that is signed by the same entity that created it, using its private key, without the involvement of a trusted certificate authority. This guide provides step-by-step instructions to create a self-signed SSL/HTTPS certificate using OpenSSL and PowerShell.
Table of contents
1. Prerequisites
- OpenSSL / PowerShell
- Windows / Linux / Mac
2. Step-by-Step Guide to Generating a Self-Signed Certificate Using OpenSSL
Step 1: Open Your Command Line
Open your terminal (Linux, macOS) or command prompt (Windows). Ensure you have OpenSSL access by typing:
openssl version
BAT (Batchfile)If it returns a version number, OpenSSL is installed. If not, you’ll need to install it.
Step 2: Generate a Private Key
A private key is needed to generate the certificate. This key will be used to encrypt and secure the connection.
Type the following command to create a 2048-bit RSA private key:
openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048 -aes256
BAT (Batchfile)Option | Description |
---|---|
-algorithm RSA | specifies the RSA algorithm. |
-out private.key | saves the key as a file named private.key. |
-pkeyopt rsa_keygen_bits:2048 | Specifies the key length as 2048 bits |
-aes256 | adds encryption to the key for added security. You’ll be prompted to set a passphrase; remember this, as it will be needed to access the key. |
Step 3: Create a Certificate Signing Request (CSR)
The CSR is required by Certificate Authorities to validate your information. Since we’re self-signing, we’ll still need this for setting up the certificate.
Run this command to generate a CSR:
openssl req -new -key private.key -out request.csr
BAT (Batchfile)You’ll be asked several questions:
Option | Description |
---|---|
Country Name: | Two-letter country code (e.g., “US” for the United States). |
State/Province Name: | Full name of your state or province. |
Locality Name: | Your city name. |
Organization Name: | Your company’s legal name or your own name. |
Organizational Unit Name: | Department (optional). |
Common Name: | The fully qualified domain name (FQDN) of the server (e.g., example.com). To create wildcard certificate. * Can be used. ( eg: *.example.com ) |
Email Address: | Your contact email. |
important Note: If you are creating certificate for only one domain then follow the step 4 and skip step 5 & 6 and if you want to create certificate for multiple domains, then skip step 4 and follow step 5 & 6
Step 4: Generate the Self-Signed Certificate
Now, we’ll create the certificate itself, which will be valid for 365 days.
Run this command:
openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt
BAT (Batchfile)In case if you want to add multiple domain names you can follow this step.
Option | Description |
---|---|
x509 | tells OpenSSL to create a certificate. |
-req | specifies that this will use the CSR file. |
-days 365 | sets the certificate to expire in 365 days (you can change this number). |
-in request.csr | points to your CSR file |
-signkey private.key | uses your private key to sign the certificate. |
-out certificate.crt | creates the certificate as certificate.crt. |
Step 5: Create the Extension File
First, create an extension file that contains the Subject Alternative Names (SANs).
For Linux and Windows, create a text file named san.ext with the following content:
subjectAltName=DNS:example.com,DNS:www.example.com,DNS:example2.com
PlaintextStep 6: Generate a Self-Signed Certificate with SAN
Once the san.ext file has been created, you can use it with the -extfile flag to generate the self-signed certificate. The command is the same on both Linux, Mac, Windows:
openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt -extfile san.ext
PlaintextOption | Description |
---|---|
-req: | Indicates that the input is a CSR. |
-days 365: | Sets the validity period of the certificate. |
-in request.csr: | Specifies the CSR file. |
-signkey private.key | Uses the private key to sign the certificate. |
-extfile san.ext | Specifies the extension file with the SAN information. |
Step 7: Verify the Certificate
You can check the certificate details with the following command:
openssl x509 -in certificate.crt -text -noout
BAT (Batchfile)Step 8: Export to PFX File
After creating the .crt certificate and .key file, you can combine them into a .pfx file using this command:
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt
BAT (Batchfile)Option | Description |
---|---|
pkcs12 -export: | This tells OpenSSL to create a PKCS#12 file, which has the .pfx extension. |
-out certificate.pfx: | Specifies the name of the output .pfx file. |
-inkey private.key: | Specifies the private key file. |
-in certificate.crt: | Specifies the certificate file. |
You’ll be prompted to enter an export password, which will protect the .pfx file. Remember this password, as you’ll need it when importing the .pfx file into a server.
3. Step-by-Step Guide to Generating a Self-Signed Certificate Using PowerShell
In this guide, we will create an HTTPS / SSL certificate using PowerShell. This type of certificate is used to ensure secure communication over an HTTP server, like a website or a web service. HTTPS certificates are essential to encrypt the data and verify the server’s identity to the client.
Step 1: Open PowerShell as Administrator
- Press the Start button.
- Type PowerShell in the search bar.
- Right-click on Windows PowerShell and select Run as administrator.
Note: Running PowerShell as an administrator is essential to ensure you have the correct permissions to create and manage certificates.
Step 2: Use the New-SelfSignedCertificate Cmdlet to Create an HTTPS Certificate
To generate an HTTPS / SSL certificate, we will use the New-SelfSignedCertificate command in PowerShell. This certificate will be used for an HTTPS server to authenticate itself and provide a secure connection.
$cert = New-SelfSignedCertificate -DnsName "myhttpsdomain.com" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication
PowerShellOption | Description |
---|---|
$cert: | This variable stores the newly created certificate object, which includes the Thumbprint. |
-DnsName: | This is the domain or hostname the certificate will be used for. In this example, “myhttpsdomain.com” is used. Replace this with your own domain or server name. For multiple domains, it should be written like “myhttpsdomain.com”, “www.myhttpsdomain.com”. For Wildcard certificate, it should be written like *.myhttpsdomain.com. |
-CertStoreLocation: | Specifies where the certificate will be stored. “Cert:\LocalMachine\My” indicates that the certificate is saved in the Local Machine’s Personal certificate store. |
-KeyUsage: | DigitalSignature: Used for signing digital data. KeyEncipherment: Used to securely exchange keys during communication. |
-Type SSLServerAuthentication: | Indicates that the certificate will be used for SSL server authentication. |
Step 3: Capture the Thumbprint
Since we stored the certificate object in the $cert variable, we can easily retrieve the Thumbprint without having to search through a list of certificates.
$thumbprint = $cert.Thumbprint
PowerShellThis command extracts the Thumbprint from the certificate object and saves it into a variable called $thumbprint
Step 4: Export the HTTPS / SSL Certificate to a PFX File
Next, we’ll export the certificate to a PFX file. This step is useful if you need to move the certificate to another server or use it with another application.
First, create a password for the PFX file. This password will protect the private key included in the PFX file:
$password = ConvertTo-SecureString -String "YourPasswordHere" -Force -AsPlainText
PowerShellNow, use the Export-PfxCertificate command to export the certificate:
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumbprint" -FilePath "C:\MyHttpsCertificate.pfx" -Password $password
PowerShellOption | Description |
---|---|
-Cert: | Uses the Thumbprint we saved to identify the correct certificate in the store. |
-FilePath: | Specifies the file path where the PFX file will be saved. In this example, it will be saved as “C:\MyHttpsCertificate.pfx”. |
–Password: | Protects the PFX file with the password that was set earlier. |
Complete PowerShell script to create HTTPS / SSL certificate
# Step 1: Create the HTTPS certificate and save it to a variable
$cert = New-SelfSignedCertificate -DnsName "myhttpsdomain.com" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication
# Step 2: Capture the thumbprint of the certificate
$thumbprint = $cert.Thumbprint
# Step 3: Set a password for exporting the certificate
$password = ConvertTo-SecureString -String "YourPasswordHere" -Force -AsPlainText
# Step 4: Export the certificate to a PFX file in C drive
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumbprint" -FilePath "C:\MyHttpsCertificate.pfx" -Password $password
# Step 6: Verify the certificate installation
Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object { $_.Thumbprint -eq $thumbprint }
PowerShell