Creating Self-Signed CA and SSL Certificates Using OpenSSL for Development Environments
Aug 7, 2023

When working in development environments, it might be necessary to generate your own Certificate Authority (CA) and SSL certificates for testing purposes. These instructions use OpenSSL, a powerful toolkit for the SSL and TLS protocols. Below, I've detailed how to create these certificates on Windows, but similar processes can be applied across different platforms.

Installation

First, you will need OpenSSL. If you are on Windows, you can download OpenSSL from here.

Creating the Certificate Authority (CA)

  1. Generate a private key for the CA using the following command:

    openssl genpkey -algorithm rsa -aes256 -out ca.key
    
  2. Create a new self-signed x509 certificate for the CA:

    openssl req -new -x509 -days 800 -key ca.key -sha512 -out ca.crt
    

    Once the CA is successfully created, you can import the ca.crt into your Local Computer Certificates -> Trusted Root Certification Authorities via MMC on Windows.

Creating the Server SSL Certificate

  1. Generate a private key for the server:

    openssl genpkey -algorithm rsa -aes256 -out server.key
    
  2. Create a configuration file server.cnf for generating the Certificate Signing Request (CSR):

    [req]
    default_bits = 2048
    default_keyfile = server.key
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    x509_extensions = san_ext
    prompt = no
    
    [req_distinguished_name]
    countryName = CN
    stateOrProvinceName = Shanghai
    localityName = Pudong
    organizationName = JIANG SHENG
    commonName = joji-hyper
    
    [req_ext]
    subjectAltName = @alt_names
    
    [san_ext]
    subjectAltName = @alt_names
    
    [alt_names]
    # Host names go in DNS.n entries; IP addresses go in IP.n entries
    DNS.1 = localhost
    DNS.2 = joji-hyper
    IP.1 = 127.0.0.1
    IP.2 = 192.168.1.2
    
  3. Use the private key to create a CSR:

    openssl req -new -key server.key -out server.csr -config server.cnf
    
  4. Sign the CSR with the CA certificate to get the server certificate:

    openssl x509 -req -days 800 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extensions san_ext -extfile server.cnf
    
  5. If your server is IIS, you will need to convert the certificate and key into PFX format:

    openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
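
As an added example (not part of the original post), the shell functions below check the result of the steps above: `check_cert` verifies the server certificate against the CA and confirms that a host name and an IP address are each matched by a SAN entry (OpenSSL's `-checkip` only matches `IP` SAN entries, never `DNS` ones). `check_cert` and `make_demo_pki` are hypothetical helper names; `make_demo_pki` builds a throwaway CA with unencrypted keys and constructed subjects so the check can be run end to end.

```sh
# Added example, not from the original post; function names are hypothetical.

# check_cert CA_CERT SERVER_CERT HOST IP
# Returns 0 if the chain verifies and HOST and IP each match a SAN entry,
# otherwise 1 (chain), 2 (host name) or 3 (IP address).
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # -checkhost/-checkip always exit 0, so the verdict is read from the output.
    openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match' || return 2
    openssl x509 -in "$2" -noout -checkip "$4" | grep -q 'does match' || return 3
}

# make_demo_pki DIR SAN_VALUE
# Builds a throwaway CA and server certificate in DIR following the steps above.
# Constructed demo input: keys are unencrypted (no -aes256) and prompt = no,
# so nothing asks for a passphrase or subject.
make_demo_pki() {
    ( cd "$1" &&
      cat > ca.cnf <<'EOF' &&
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
commonName = Demo Dev CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
      printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\ncommonName = demo-host\n[san_ext]\nsubjectAltName = %s\n' "$2" > server.cnf &&
      openssl genpkey -algorithm rsa -out ca.key &&
      openssl req -new -x509 -days 2 -key ca.key -sha512 -out ca.crt -config ca.cnf &&
      openssl genpkey -algorithm rsa -out server.key &&
      openssl req -new -key server.key -out server.csr -config server.cnf &&
      openssl x509 -req -days 2 -in server.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -out server.crt -extensions san_ext -extfile server.cnf
    ) >/dev/null 2>&1
}
```

Against the files produced by the steps above, run `check_cert ca.crt server.crt localhost 127.0.0.1; echo $?` and expect `0`.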
    

I hope these instructions are helpful for your development journey. Feel free to reference this guide whenever you need to create a new certificate for testing or development purposes.
