Skip to content

Generating Self-Signed Certificates with OpenSSL

Overview

This guide will show you how to generate self-signed certificates using OpenSSL.

Generating a Self-Signed Certificate (PEM)

Generate a self-signed certificate and private key in PEM format:

Terminal window
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out certificate.pem -days 365

Generate a self-signed certificate and private key in PEM format (no encryption/password):

Terminal window
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out certificate.pem -days 365 -nodes

Generating a Self-Signed Certificate (PKCS#12)

Generate a self-signed certificate and private key in PKCS#12 format:

Terminal window
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out certificate.pem -days 365
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in certificate.pem

Generate a self-signed certificate and private key in PKCS#12 format (no encryption/password):

Terminal window
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out certificate.pem -days 365 -nodes
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in certificate.pem -nodes

Generating a Self-Signed Certificate with Subject Alternative Names (SAN)

Generate a self-signed certificate with SAN in PEM format:

Terminal window
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out certificate.pem -days 365 -nodes -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

IP Subject Alternative Names can be added like this:

Terminal window
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out certificate.pem -days 365 -nodes -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,IP:192.168.1.1"