I've found so many pages about this topic, each offering a different style and several commands. It's quite confusing, so I created two simple one-liners for it on Windows.
For Windows, you need to have OpenSSL installed. Choose the latest Light MSI installer.
If you are on FreeBSD or Linux, it's probably already installed.
Open a command prompt (cmd) in a folder of your choice.
First we create our own root CA (root certification authority).
1. Self-signed root CA
"C:\Program Files\OpenSSL-Win64\bin\openssl" req -x509 -nodes -newkey rsa:2048 -keyout selfCA.key -days 3650 -out selfCA.crt -subj "/C=SG" -addext "basicConstraints = CA:true" -addext extendedKeyUsage=serverAuth,clientAuth,codeSigning,emailProtection
-days 3650 # validity, in days (10 years here)
-keyout selfCA.key # CA private key; keep this file private
-out selfCA.crt # CA certificate
-subj "/C=SG" # add your own country code here!
-addext "basicConstraints = CA:true" # required for a root CA
-addext extendedKeyUsage=serverAuth,clientAuth,codeSigning,emailProtection # optional; on Windows an EKU on the CA also limits what the certificates it signs may be used for, so list every purpose you will need
This will create selfCA.key and selfCA.crt in your folder.
Optionally, you can now install this root CA so the web browser won't complain about an untrusted CA. Keep selfCA.key private: anyone who has it can issue certificates that this machine will trust for any site.
In Explorer, find your selfCA.crt and open it. The dialog shows that it is not trusted (yet).
Click "Install Certificate..." and choose "Local Machine" (this needs administrator rights).
Place it under "Trusted Root Certification Authorities".
When completed, open selfCA.crt in Explorer again and verify that it is now trusted.
2. Server certificate with SAN, signed by your own CA
Example of a certificate with subject alternative names (SAN), signed by the CA from step 1 (often loosely called "self-signed"):
"C:\Program Files\OpenSSL-Win64\bin\openssl" req -x509 -newkey rsa:2048 -sha256 -days 2920 -nodes -keyout self.key -out self.crt -subj "/CN=domain.myself" -addext "subjectAltName=DNS:domain.myself,DNS:localhost,IP:127.0.0.1" -addext "basicConstraints = CA:false" -CA selfCA.crt -CAkey selfCA.key
-days 2920 # validity, in days; Apple clients reject TLS server certificates valid for more than 825 days, so use 825 or less if Macs or iPhones must trust it
-keyout self.key # the private key
-out self.crt # the certificate
-subj "/CN=domain.myself" # primary domain name; modern browsers ignore the CN and only check the SAN, so the name must also appear there
-addext "subjectAltName=DNS:domain.myself,DNS:localhost,IP:127.0.0.1" # every name and IP the server will be reached by
-addext "basicConstraints = CA:false" # marks an end-entity certificate, not a CA
-CA selfCA.crt # signing CA certificate (the -CA and -CAkey options of openssl req need OpenSSL 3.0 or newer)
-CAkey selfCA.key # signing CA key
This will create self.key and self.crt in your folder; add both to the web server's configuration.
To verify self.crt, open it in Explorer or use the openssl command (on Windows, with the full path as above):
openssl verify -CAfile selfCA.crt self.crt
It should print self.crt: OK.