Creating Self-Signed CA and SSL Certificates Using OpenSSL for Development Environments
Aug 7, 2023

When working in development environments, it might be necessary to generate your own Certificate Authority (CA) and SSL certificates for testing purposes. These instructions use OpenSSL, a powerful toolkit for the SSL and TLS protocols. Below, I've detailed how to create these certificates on Windows, but similar processes can be applied across different platforms.


First, you will need OpenSSL. If you are on Windows, you can download OpenSSL from here.

Creating the Certificate Authority (CA)

  1. Generate a private key for the CA using the following command:

    openssl genpkey -algorithm rsa -aes256 -out ca.key
  2. Create a new self-signed x509 certificate for the CA:

    openssl req -new -x509 -days 800 -key ca.key -sha512 -out ca.crt

    Once the CA is successfully created, you can import the ca.crt into your Local Computer Certificates -> Trusted Root Certification Authorities via MMC on Windows.

Creating the Server SSL Certificate

  1. Generate a private key for the server:

    openssl genpkey -algorithm rsa -aes256 -out server.key
  2. Create a configuration file server.cnf for generating the Certificate Signing Request (CSR):

    default_bits = 2048
    default_keyfile = server.key
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    x509_extensions = san_ext
    prompt = no
    countryName = CN
    stateOrProvinceName = Shanghai
    localityName = Pudong
    organizationName = JIANG SHENG
    commonName = joji-hyper
    subjectAltName = @alt_names
    subjectAltName = @alt_names
    DNS.1 = localhost
    DNS.2 =
    DNS.3 =
    DNS.4 = joji-hyper
  3. Use the private key to create a CSR:

    openssl req -new -key server.key -out server.csr -config server.cnf
  4. Sign the CSR with the CA certificate to get the server certificate:

    openssl x509 -req -days 800 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extensions san_ext -extfile server.cnf
  5. If your server is IIS, you will need to convert the certificate and key into PFX format:

    openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt

I hope these instructions are helpful for your development journey. Feel free to reference this guide whenever you need to create a new certificate for testing or development purposes.