Generating TLS Certificates and Keys

This page includes examples and sample procedures to show how to create self-signed certificates and keys. The commands shown allow many other possible options not used in these examples. Create commands based on your specific environment.

For more detailed information on creating signed certificates, OpenSSL recommends the OpenSSL Cookbook. You can download this book for free.

Create a Certificate Authority Private Key and Public Certificate

Create a Certificate Authority (CA) private key and public certificate. For more information on using the following commands, see the OpenSSL documentation.

The example below shows how to create a self-signed certificate. In a production environment, you should always use certificates signed by a Certificate Authority.

  1. Generate the CA files serverca.crt and servercakey.pem. The CA key signs the server and client certificates in the following steps:
    $ openssl genrsa -out servercakey.pem
    $ openssl req -new -x509 -key servercakey.pem -out serverca.crt
  2. Create the server private key (server.key) and the CA-signed server certificate (server.crt):
    $ openssl genrsa -out server.key
    $ openssl req -new -key server.key -out server_reqout.txt
    $ openssl x509 -req -in server_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt -CAkey servercakey.pem -out server.crt
  3. Create the client private key (client.key) and the CA-signed client certificate (client.crt):
    $ openssl genrsa -out client.key
    $ openssl req -new -key client.key -out client_reqout.txt
    $ openssl x509 -req -in client_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt -CAkey servercakey.pem -out client.crt
  4. Set file permissions so that only the owner can read the keys and certificates:
    $ chmod 700 server.crt server.key
    $ chmod 700 client.crt client.key
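The script below is an added example, not part of the original page, that runs the four steps above non-interactively in a scratch directory and then checks the result the way a practitioner would before deploying the files: each leaf certificate must verify against the CA, and each certificate's public key must match the private key it was issued for. The subject names (Example Test CA, server.example.test, client.example.test), the TLS_DEMO_DIR variable and the 2048-bit key size are assumptions for the demonstration. It also passes an explicit -days to the CA certificate, because openssl req -x509 defaults to a 30-day validity when -days is omitted, and restricts the private keys to mode 600 (files do not need the execute bit that 700 grants).

```shell
#!/bin/sh
# Added example (not from the original page): build the CA, server and client
# files from the procedure above and verify them. Requires the openssl CLI.
set -eu

# Create CA, server and client keys/certificates under directory $1.
# Subject names below are placeholders; replace them for a real deployment.
make_tls_pki() {
    dir=$1
    mkdir -p "$dir"

    # Step 1: CA private key and self-signed CA certificate.
    # -days is explicit here; openssl req -x509 defaults to 30 days without it.
    openssl genrsa -out "$dir/servercakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/servercakey.pem" -days 3650 -sha256 \
        -subj "/CN=Example Test CA" -out "$dir/serverca.crt"

    # Steps 2 and 3: for each leaf, private key -> CSR -> CA-signed certificate.
    # -CAcreateserial writes serverca.srl next to the CA certificate on first use.
    for name in server client; do
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$name.key" \
            -subj "/CN=$name.example.test" -out "$dir/${name}_reqout.txt"
        openssl x509 -req -in "$dir/${name}_reqout.txt" -days 3650 -sha256 \
            -CAcreateserial -CA "$dir/serverca.crt" -CAkey "$dir/servercakey.pem" \
            -out "$dir/$name.crt" 2>/dev/null
    done

    # Step 4: private keys readable by the owner only (no execute bit needed).
    chmod 600 "$dir/servercakey.pem" "$dir/server.key" "$dir/client.key"
}

# Check that each leaf certificate chains to the CA and matches its private key.
# Prints "ok" and returns 0 on success; returns 1 on the first failed check.
verify_tls_pki() {
    dir=$1
    for name in server client; do
        # Chain check: the signature on the leaf must verify with the CA certificate.
        openssl verify -CAfile "$dir/serverca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
        # Key/cert match: the SubjectPublicKeyInfo in the certificate must equal
        # the public half of the private key (both printed as PEM PUBLIC KEY).
        cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
        key_pub=$(openssl pkey -in "$dir/$name.key" -pubout)
        [ "$cert_pub" = "$key_pub" ] || return 1
    done
    echo ok
}

# Run directly as: TLS_DEMO_DIR=./pki-demo sh make_pki.sh
if [ -n "${TLS_DEMO_DIR:-}" ]; then
    make_tls_pki "$TLS_DEMO_DIR"
    verify_tls_pki "$TLS_DEMO_DIR"
fi
```

The public-key comparison is the check that catches the most common deployment mistake with this procedure: pairing a certificate with the wrong .key file, which the server only reports at startup or at the first handshake.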