Osarobo_Idehen

OpenSSL: Generating Self-Signed Certificate

Blog Post created by Osarobo_Idehen Employee on Nov 18, 2016

When trying to run openssl commands to generate certs, you may run into the following error:

"WARNING: can't open config file: /usr/local/ssl/openssl.cnf"

To work around this just run the following in the command window:

set OPENSSL_CONF=c:\[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg

For example: set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

Remember that every time you open a command prompt you have to run the above command, unless you set OPENSSL_CONF as an environment variable.


OpenSSL command examples for generating the self-signed certificate:

1) Generate the private key:

openssl genrsa -out privatekey.pem 2048

 

2) Generate CSR (Certificate Signing Request) using this private key:

openssl req -new -key privatekey.pem -out certreq.pem

 

3) Use this certificate signing request (CSR) to request a certificate from a Certificate Authority (CA), such as Verisign, an internal CA server like Microsoft or Netscape Certificate Service, or openssl itself for a self-signed cert. For a CA server like the MS CA server, you would go to the cert server's page via the browser to submit the request. To have openssl create a self-signed cert, for example:

openssl x509 -req -days 365 -in certreq.pem -signkey privatekey.pem -out cert.pem

 

4) Convert the cert from PEM to DER format:

openssl x509 -in cert.pem -out cert.cer -outform DER

 

5) Convert the private key to DER format also:

openssl pkcs8 -topk8 -in privatekey.pem -outform DER -out privatekey.der
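
Steps 1-3 run without prompts, followed by checks that the certificate really belongs to the key, is self-signed, and survives the PEM to DER conversion of step 4. This is an added example, not part of the original post; the subject /CN=example.test and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: steps 1-3 run non-interactively, plus checks on the output.
# The subject /CN=example.test and all function names are constructed here.

# Steps 1-3: key, CSR and self-signed certificate, written into directory $1.
make_selfsigned() {
    openssl genrsa -out "$1/privatekey.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/privatekey.pem" -subj "/CN=example.test" \
        -out "$1/certreq.pem" &&
    openssl x509 -req -days 365 -in "$1/certreq.pem" \
        -signkey "$1/privatekey.pem" -out "$1/cert.pem" 2>/dev/null
}

# True when certificate $1 carries the public half of private key $2.
# Both commands print the key as a SubjectPublicKeyInfo PEM block, so the
# text can be compared directly; a failed extraction never counts as a match.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when subject and issuer are the same name and the signature
# verifies with the certificate acting as its own trust anchor.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    issr=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ "$subj" = "$issr" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Step 4 check: PEM file $1 and DER file $2 hold the same certificate,
# judged by SHA-256 fingerprint.
same_cert() {
    pem_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    der_fp=$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256) \
        || return 1
    [ "$pem_fp" = "$der_fp" ]
}
```

Running cert_matches_key on usercert.pem and userkey.pem before the PKCS12 export catches a certificate paired with the wrong private key.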

 

Convert PKCS12 to PEM:

openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem

openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem

Convert PEM to PKCS12:

openssl pkcs12 -export -out cert.p12 -inkey ./userkey.pem -in ./usercert.pem
