OpenSSL: Generating Self-Signed Certificate

Blog Post created by Osarobo_Idehen Employee on Nov 18, 2016

When trying to run openssl commands to generate certs you may run into the following error:

"WARNING: can't open config file: /usr/local/ssl/openssl.cnf"

To work around this, point the OPENSSL_CONF environment variable at your OpenSSL configuration file by running the following in the command window. For example:

set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

Remember that every time you open a command prompt you have to run the above command again, unless you set OPENSSL_CONF as a permanent environment variable.

OpenSSL command examples for generating the self-signed certificate:

1) Generate the private key:

openssl genrsa -out privatekey.pem 2048


2) Generate CSR (Certificate Signing Request) using this private key:

openssl req -new -key privatekey.pem -out certreq.pem


3) Use this certificate signing request (CSR) to request a certificate from a Certificate Authority (CA), such as Verisign, an internal CA server like Microsoft or Netscape Certificate Service, or openssl itself for a self-signed cert. For a CA server such as the MS CA server, you would go to the cert server's page in the browser to submit the request. To create a self-signed cert with openssl, for example:

openssl x509 -req -days 365 -in certreq.pem -signkey privatekey.pem -out cert.pem


4) Convert the cert from PEM to DER format:

openssl x509 -in cert.pem -out cert.cer -outform DER


5) Convert the private key to DER format also:

openssl pkcs8 -topk8 -in privatekey.pem -outform DER -out privatekey.der
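
The five steps above as one non-interactive POSIX shell script, followed by checks on the result: the certificate carries the key's public half, its signature verifies against its own key, and the DER copies equal the PEM originals. This is an added example, not part of the original post; the function names, the `example.test` subject, and the use of `-subj` and `-nocrypt` to avoid prompts are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-5 without prompts, then checks.
# Assumptions: openssl is on PATH and can find its config file (see OPENSSL_CONF
# above); the subject "/CN=example.test" is a placeholder; -subj and -nocrypt are
# added so that nothing asks for input. -nocrypt leaves privatekey.der unencrypted.

make_selfsigned() (   # $1 = output directory; body runs in a subshell
    d=$1
    umask 077         # files created here are readable by the owner only
    mkdir -p "$d" &&
    openssl genrsa -out "$d/privatekey.pem" 2048 &&
    openssl req -new -key "$d/privatekey.pem" -subj "/CN=example.test" \
        -out "$d/certreq.pem" &&
    openssl x509 -req -days 365 -in "$d/certreq.pem" \
        -signkey "$d/privatekey.pem" -out "$d/cert.pem" &&
    openssl x509 -in "$d/cert.pem" -out "$d/cert.cer" -outform DER &&
    openssl pkcs8 -topk8 -nocrypt -in "$d/privatekey.pem" \
        -outform DER -out "$d/privatekey.der"
)

# True when the certificate carries the public half of the given private key.
cert_matches_key() {  # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate's signature verifies against its own public key.
is_self_signed() {    # $1 = certificate (PEM)
    openssl verify -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

# True when the DER files hold the same certificate and key as the PEM files.
der_matches_pem() {   # $1 = output directory
    a=$(openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256) || return 1
    b=$(openssl x509 -in "$1/cert.cer" -inform DER -noout -fingerprint -sha256) || return 1
    k=$(openssl pkey -in "$1/privatekey.der" -inform DER -pubout) || return 1
    [ "$a" = "$b" ] && [ "$k" = "$(openssl pkey -in "$1/privatekey.pem" -pubout)" ]
}

verify_outputs() {    # $1 = output directory
    cert_matches_key "$1/cert.pem" "$1/privatekey.pem" &&
    is_self_signed "$1/cert.pem" &&
    der_matches_pem "$1"
}

# Run as: sh selfsigned.sh ./out   (the file name is a placeholder)
if [ "$#" -ge 1 ]; then make_selfsigned "$1" && verify_outputs "$1" && echo "verified: $1"; fi
```

Because `-nocrypt` writes the DER key without a passphrase, the script sets a restrictive umask before creating any file; drop `-nocrypt` to have openssl prompt for a passphrase instead.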


Convert PKCS12 to PEM:

openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem

openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem


Convert PEM to PKCS12:

openssl pkcs12 -export -out cert.p12 -inkey ./userkey.pem -in ./usercert.pem