Create a self-signed SSL Certificate using OpenSSL in Windows

Preparation

Unfortunately, the OpenSSL project does not publish an official Windows build. However, you can download a third-party build from WinOpenSSL.

Then you can use the OpenSSL utility to generate a Private Key, a Certificate Signing Request (CSR) and a Self-Signed Certificate.

Run openssl.exe in Command Prompt or PowerShell; with the 64-bit installer the executable is located in C:\Program Files\OpenSSL-Win64\bin\. Started without arguments it opens an interactive OpenSSL> prompt, which is why the commands below omit the leading openssl; you can equally prefix each of them with openssl and run them directly from the shell.

First Step - Generate a Private Key

  1. Enter the following command to create your RSA Private Key (-des3 wraps the key with Triple-DES under a pass phrase; on a current OpenSSL build, -aes256 is the better choice and takes the same position in the command):

    genrsa -des3 -out localhost.key 2048
  2. After pressing Enter, you will be asked for a pass phrase for localhost.key. OpenSSL accepts a pass phrase of 4 to 1023 characters.

    Generating RSA private key, 2048 bit long modulus (2 primes)
    ......................................................+++++
    ..+++++
    e is 65537 (0x010001)
    Enter pass phrase for localhost.key:
  3. localhost.key is written to the current folder; it is required in the later steps.

Second Step - Generate a CSR (Certificate Signing Request)

For the self-signed SSL certificate to be accepted for the hostname, it must carry a Subject Alternative Name (SAN) extension: modern browsers (Chrome since version 58) ignore the CN and match the host in the URL only against the SAN. The easiest way to supply subjectAltName is a config file passed to the req command when generating the CSR.

Example Configuration File (saved as san.cnf, the name the commands below pass to -config)

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
x509_extensions = x509_ext

[ dn ]
C = SG
ST = Singapore
L = Seletar
O = Rolls-Royce
OU = APAC
emailAddress = hiroshifuu@outlook.com
CN = localhost

[ req_ext ]
subjectAltName = @alternate_names

[ x509_ext ]
subjectAltName = @alternate_names

[ alternate_names ]
DNS.1 = localhost
# An IP literal must be an IP entry, not a DNS entry: browsers do not match
# https://127.0.0.1 against DNS:127.0.0.1. With this entry the SAN prints as
# "IP Address:127.0.0.1"; the captured outputs further down were produced with
# the original "DNS.2 = 127.0.0.1" entry and therefore still show "DNS:127.0.0.1".
IP.1 = 127.0.0.1

The command to generate the CSR is as follows (you will be prompted for the pass phrase of localhost.key):

req -new -key localhost.key -sha256 -out localhost.csr -config san.cnf

To view the generated CSR and check that the Requested Extensions block lists the SAN, enter the following command at the prompt:

OpenSSL> req -in localhost.csr -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = hiroshifuu@outlook.com, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:b0:96:8b:c5:ab:88:0e:5e:9b:d6:7f:e7:25:
                    4d:8d:56:4b:9b:79:47:81:ee:28:53:38:68:e8:04:
                    88:0b:d0:ee:a7:60:14:36:59:5b:93:e8:ae:73:4a:
                    55:7d:88:f5:db:54:cd:2b:40:a8:f3:00:bc:67:c8:
                    ba:fd:73:60:2a:24:b1:07:09:eb:3a:d5:c3:d5:92:
                    e9:e6:1d:97:02:1d:b4:2c:b7:8f:e8:df:e2:49:9a:
                    4c:49:78:6a:c3:1f:4a:55:23:05:06:46:39:0e:75:
                    a5:45:f4:7f:32:bb:42:26:3a:b2:1c:3a:fa:b5:ce:
                    6f:97:05:0e:18:af:d6:32:32:33:61:18:75:b1:05:
                    ed:18:cc:0b:a9:a9:a0:46:46:3e:f8:20:42:21:9b:
                    01:23:9d:69:63:d8:c4:8d:5e:9d:cf:30:1d:e4:51:
                    5e:c7:35:dc:a0:07:97:57:1a:84:16:8f:40:9d:0e:
                    af:77:03:ee:8a:ee:b9:b1:c8:64:56:94:96:f7:f2:
                    1a:9a:dd:04:b2:ef:7c:8b:08:28:b0:58:7d:21:84:
                    ae:71:4e:64:ef:aa:0d:97:4a:4e:6b:ab:cc:bb:18:
                    f9:cf:c9:8e:70:b9:27:c5:f2:b5:d8:7f:92:2d:55:
                    2c:37:3d:1c:18:1c:d5:33:9f:4c:bb:4b:3a:ca:30:
                    0f:db
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         ad:85:70:51:27:73:c8:b0:8d:09:ae:69:3f:ee:fc:5a:3d:28:
         40:20:4e:56:23:03:9c:4c:7a:46:e8:d4:09:db:28:7c:f1:ac:
         10:66:60:9c:38:66:56:89:13:1a:59:b7:ab:59:e6:a7:38:83:
         9b:89:77:12:0c:39:ef:60:c9:c0:a6:a2:99:70:0b:52:9b:dc:
         c5:81:e2:45:48:32:86:1f:14:7e:92:c6:5b:c2:81:23:33:4d:
         23:59:02:66:a5:03:5a:ba:4f:13:ca:d8:de:26:68:ee:bf:db:
         6e:73:93:22:3d:a0:6e:c1:45:6a:9d:db:7d:14:ae:4c:2f:a2:
         fb:28:5d:3e:d1:54:92:f6:a0:fb:04:1c:87:24:0d:7f:47:36:
         7c:2d:26:3a:63:4f:40:03:0a:8e:0e:1e:f9:ea:27:d9:50:0a:
         6e:83:ab:df:b0:f6:db:e8:12:0d:19:43:eb:31:cd:d7:f6:5e:
         73:61:e9:65:2d:08:45:b8:50:0b:4e:54:a2:aa:d5:1d:24:00:
         12:a3:58:a5:d3:39:fa:24:f9:fb:91:4d:2c:23:e6:0b:77:b2:
         49:a2:77:d7:62:20:e6:fd:69:93:da:b2:8f:4d:7e:c3:fb:b1:
         f7:4d:5b:f9:aa:99:50:9a:d2:e5:a3:a4:cc:df:0f:77:e4:b0:
         98:7f:4e:37

Third Step - Generating a Self-Signed Certificate

Now use the OpenSSL tool to generate a temporary certificate from the CSR. Carrying the SAN over into the certificate is what stops the browser complaining that the certificate's name does not match the host (Chrome's NET::ERR_CERT_COMMON_NAME_INVALID). The separate complaint that the issuing authority is unknown and not trusted is inherent to a self-signed certificate and is only removed by importing the certificate into the trusted root store, which is the Final Step below.

To generate a certificate which is good for 365 days, enter the following command:

x509 -req -days 365 -in localhost.csr -signkey localhost.key -sha256 -out localhost.crt -extfile san.cnf -extensions x509_ext

To view the generated SSL certificate and confirm it is Version 3 with the SAN listed under X509v3 extensions (x509 -req silently drops the extensions if -extfile and -extensions are omitted), enter the following command at the prompt:

OpenSSL> x509 -in localhost.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            52:ad:82:a1:20:c3:17:a6:7d:b2:76:ed:90:ab:4d:52:2a:47:14:5c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = hiroshifuu@outlook.com, CN = localhost
        Validity
            Not Before: Jun 13 02:58:15 2019 GMT
            Not After : Jun 12 02:58:15 2020 GMT
        Subject: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = hiroshifuu@outlook.com, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:b0:96:8b:c5:ab:88:0e:5e:9b:d6:7f:e7:25:
                    4d:8d:56:4b:9b:79:47:81:ee:28:53:38:68:e8:04:
                    88:0b:d0:ee:a7:60:14:36:59:5b:93:e8:ae:73:4a:
                    55:7d:88:f5:db:54:cd:2b:40:a8:f3:00:bc:67:c8:
                    ba:fd:73:60:2a:24:b1:07:09:eb:3a:d5:c3:d5:92:
                    e9:e6:1d:97:02:1d:b4:2c:b7:8f:e8:df:e2:49:9a:
                    4c:49:78:6a:c3:1f:4a:55:23:05:06:46:39:0e:75:
                    a5:45:f4:7f:32:bb:42:26:3a:b2:1c:3a:fa:b5:ce:
                    6f:97:05:0e:18:af:d6:32:32:33:61:18:75:b1:05:
                    ed:18:cc:0b:a9:a9:a0:46:46:3e:f8:20:42:21:9b:
                    01:23:9d:69:63:d8:c4:8d:5e:9d:cf:30:1d:e4:51:
                    5e:c7:35:dc:a0:07:97:57:1a:84:16:8f:40:9d:0e:
                    af:77:03:ee:8a:ee:b9:b1:c8:64:56:94:96:f7:f2:
                    1a:9a:dd:04:b2:ef:7c:8b:08:28:b0:58:7d:21:84:
                    ae:71:4e:64:ef:aa:0d:97:4a:4e:6b:ab:cc:bb:18:
                    f9:cf:c9:8e:70:b9:27:c5:f2:b5:d8:7f:92:2d:55:
                    2c:37:3d:1c:18:1c:d5:33:9f:4c:bb:4b:3a:ca:30:
                    0f:db
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         a4:98:fe:3b:f3:2f:11:79:29:3a:60:25:ab:6f:e8:f2:c2:09:
         5f:6c:5f:46:08:f2:39:04:bf:e5:bc:36:68:59:cc:48:60:ac:
         69:a7:aa:ba:b3:0e:95:72:8c:84:53:aa:ae:b9:22:92:32:48:
         2b:e7:e6:c8:73:5a:1f:72:9c:1f:35:52:c7:43:47:98:50:49:
         2f:f9:ea:a9:94:fb:b9:1d:be:9a:45:90:17:a2:f2:d7:8d:b8:
         66:23:72:f1:4e:f7:c2:07:ea:f3:f2:13:ba:16:cb:12:99:96:
         0c:af:8a:f6:4f:cf:8f:b0:b7:44:34:09:7d:ba:59:ae:07:5d:
         80:99:c6:b4:8b:96:cb:db:f7:31:e4:f1:b5:17:2e:c8:45:3a:
         b9:00:03:0d:db:95:55:7e:bc:8e:a3:81:13:ad:3b:f0:6e:20:
         c8:06:f4:05:7a:31:4e:ef:0c:2e:14:67:a1:37:79:92:ca:e6:
         1f:cb:56:f9:21:3e:a5:14:cb:07:31:e0:dd:4c:a8:d2:f6:ab:
         67:f3:07:63:02:0a:0e:71:1d:41:f1:72:a4:11:57:22:08:a4:
         a9:14:40:2a:94:8d:fc:f9:0d:62:43:ff:21:92:18:eb:39:1b:
         5e:8f:0f:13:da:27:fd:cd:04:f6:8c:1d:b7:85:79:eb:1a:13:
         03:66:85:34

Final Step - Importing Certificate

Hold down the Windows key and press R. In the Run dialog type mmc and press Enter, then add the Certificates snap-in (File > Add/Remove Snap-in > Certificates). Alternatively, certmgr.msc opens the current user's certificate store directly.

Import localhost.crt (the certificate, not the localhost.csr request) into Trusted Root Certification Authorities. Importing into the Current User store limits the trust to your own account; the Local Machine store trusts it for every account on the machine, and whoever holds localhost.key and its pass phrase can then present a trusted certificate for localhost, so keep the key file where only you can read it.

From now on, Chrome and Edge, which read the Windows certificate store, will not complain anymore. Firefox keeps its own trust store and needs the certificate imported separately (or security.enterprise_roots.enabled set to true in about:config).
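The whole procedure above, written as one PowerShell script so it can be repeated without the interactive OpenSSL> prompt. This is an added example, not code from the original post: it assumes the Win64 install path from the Preparation section, writes san.cnf, localhost.key, localhost.csr and localhost.crt into the current directory, and uses the PKI module's Import-Certificate cmdlet (Windows 8 / Server 2012 and later) in place of the mmc steps. It also applies the two fixes discussed above: AES-256 instead of -des3 for the key, and an IP entry for the loopback address.

```powershell
# Added example (not from the original post): key, CSR and self-signed
# certificate with SAN, verification, then import into the user's root store.
$ErrorActionPreference = 'Stop'
$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # install path from the Preparation section (assumption)

# Read the pass phrase without echo and hand it to OpenSSL through an
# environment variable (-passout/-passin env:NAME), so it is never typed on
# the command line or left in the shell history.
$secure = Read-Host -AsSecureString 'Pass phrase for localhost.key'
$env:KEYPASS = [System.Net.NetworkCredential]::new('', $secure).Password

# Same config as the article, with 127.0.0.1 as an IP entry (browsers do not
# match an IP literal against a DNS entry) and a leaf-only profile.
@'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
x509_extensions = x509_ext

[ dn ]
C = SG
ST = Singapore
L = Seletar
O = Rolls-Royce
OU = APAC
emailAddress = hiroshifuu@outlook.com
CN = localhost

[ req_ext ]
subjectAltName = @alternate_names

[ x509_ext ]
subjectAltName = @alternate_names
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth

[ alternate_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
'@ | Set-Content -Path san.cnf -Encoding ascii

# First Step: private key, wrapped with AES-256 instead of the legacy -des3.
& $openssl genrsa -aes256 -passout env:KEYPASS -out localhost.key 2048

# Second Step: CSR carrying the SAN from san.cnf.
& $openssl req -new -key localhost.key -passin env:KEYPASS -sha256 -config san.cnf -out localhost.csr

# Third Step: self-sign; -extensions must name the section that holds the SAN,
# otherwise x509 -req emits a v1 certificate without it.
& $openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -passin env:KEYPASS `
    -sha256 -extfile san.cnf -extensions x509_ext -out localhost.crt
Remove-Item Env:\KEYPASS

# Checks before trusting the result: the SAN must list both names, and
# OpenSSL's own name matching must accept the hostname and the IP.
& $openssl x509 -in localhost.crt -noout -ext subjectAltName
& $openssl x509 -in localhost.crt -noout -checkhost localhost -checkip 127.0.0.1

# Final Step: trust it for this user only. Cert:\LocalMachine\Root would make
# every account on the machine trust whoever holds localhost.key.
$imported = Import-Certificate -FilePath localhost.crt -CertStoreLocation Cert:\CurrentUser\Root
Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object Thumbprint -eq $imported.Thumbprint |
    Format-List Subject, NotAfter, Thumbprint
```

The two -check options print "Hostname localhost does match certificate" and "IP 127.0.0.1 does match certificate" when the SAN is right; if the IP check fails, the address is still a DNS entry in san.cnf. The -ext option on x509 requires OpenSSL 1.1.1 or later; on older builds, use -text and look for the X509v3 Subject Alternative Name block instead.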
