Creating Self Signed Certificate Openssl

Creating a self-signed certificate. The program we need to create a self-signed certificate using openSSL is called openssl.exe and is located in C: OpenSSL-Win64 bin. Make sure to run your console as an administrator in order to be able to create any certificates. If you configured your openSSL directory in your system path, that’s fine. Navigate to your IoT Hub in the Azure portal and create a new IoT device identity with the following characteristics: Provide the Device ID that matches the subject name of your two certificates. Select the X.509 Self-Signed authentication type. Paste the hex string thumbprints that you copied from your device primary and secondary certificates.

What is a self-signed SSL certificate? A self-signed certificate is a certificate that is not signed by a trusted authority.

Nevertheless, the self-signed certificate provides the same level of encryption as a $100500 certificate signed by a trusted authority.

In this article i will show how to create a self-signed certificate that can be used for non-production or internal applications.

Cool Tip: Check the expiration date of the SSL Certificate from the Linux command line! The fastest way! Read more →

Creating Self Signed Certificate Openssl

Create Self-Signed Certificate

Generate self-signed certificate using openssl:

Create Self-signed Certificate Openssl Windows

Options that you might want to change while creating a self-signed certificate:

-newkey rsa:4096Generate a 4096 bit RSA key.
-keyout key.pemSave a key to the key.pem file.
-out cert.pemSave a certificate to the cert.pem file.
-nodesDo not protect the private key with a passphrase.
-days 365The number of days to make a certificate valid for.
-subj '/CN=localhost'Use this option to suppress questions about the contents of the certificate. Replace localhost with your desired domain name.

Self signed SSL certificates are helpful in development and testing effort of many applications requiring SSL. Below are prescriptive steps on how you can create these certificates for yourself.

Alternatively, if you would like to have everything done for you, you can also use the SSL Certificates Generator tool.

Note that token enclosed by << and >> means that user will have to input a value in substitution there.


1. Download the latest OpenSSL for Windows (at the time of this writing: Win64 OpenSSL v1.1.1b Light) from Shining Light Productions and install OpenSSL into the default location of C:Program FilesOpenSSL-Win64 and selecting “Copy System Library to bin Directory” during install.

2. (optional – for creating Java keystore later) Download and install Java Development Kit (at the time of thie writing: JDK 1.8.0 u191) into the default location of C:Program FilesJavajdk1.8.0_191

3. Start a Command Prompt As Administrator and run the commands below.

Generate Root Certificate Authority (CA) Certificate

1. Generate Root CA private key

2. Generate Root CA public certificate


Generate Self Signed Ssl Certificate With Openssl

3. (optional) Verify Root CA Certificate

4. (optional) Create Java keystore for applications that require Java keystore

Generate Server Certificate

1. Generate server private key

2. Generate server certificate signing request (CSR)

Note: It is important to populate the Common Name (CN) above with the right DNS and IP. If you have several sub-domains that you need to support with a single certificate, you can use a wildcard CN like <<*>>. Alternatively, you can also use alternate names by creating/editing openssl.cnf and add/edit the below.

3. (optional) Verify server CSR

Create self signed certificate openssl centos 7

4. Sign and generate server public certificate

5. (optional) Verify server public certificate

6. Generate .P12 for server

7. (optional) Verify server .P12

Create Self Signed Certificate Openssl Windows 10

Generate Client Certificate

1. Generate client private key

2. Generate client certificate signing request (CSR)

3. (optional) Verify client CSR

4. Sign and generate client public certificate

5. (optional) Verify client public certificate

6. Generate .P12 for client

7. (optional) Verify server .P12


Creating A Self Signed Certificate Openssl

At the end of this exercise, you will have the following certificates