How to create PEM and PFX Certificates and Keys with OpenSSL


OpenSSL has become THE standard for generating certificates for casual needs. Here’s how quickly you can create your own self-signed certificate and a cert/key pair. Whether you need a .PEM, .CER, .Key, or .PFX, this article has you covered.

  1. Open an elevated command prompt as Administrator.
  2. Browse to C:\Program Files\OpenSSL-Win64\bin or C:\Program Files (x86)\OpenSSL-Win32\bin (or wherever you installed OpenSSL).
  3. openssl genrsa -aes256 -out demo.key 4096
  4. openssl rsa -in demo.key -out demo.key
  5. openssl req -new -x509 -nodes -sha512 -key demo.key -out demo.crt -days 3650

In step 3, you can use 2048 bits on slower machines, or 4096 bits for higher security. These days most anything can handle higher bit encryption, so I just stick with 4096. In the screenshot you’ll see I used SHA1 in step 5, but you can use SHA512 for additional security as it is fully supported nearly anywhere you’re going to use these certificates in 2024 and beyond.

In step 5, you can replace “.key” and “.crt” with “.pem” if you prefer; the files will still be compatible.

Also in step 5, you can specify a number of days. Since this certificate is self-signed, it can be anything you want: 365 for one year, 3650 for 10 years, or even 36500 for a 100-year certificate!

After you press enter, it will ask a series of questions that should be simple to answer. When it asks for server name or FQDN, it’s best to enter the local machine name you’ll be using the certificate on (ex. computername.local).

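The result will be a pair of files in the “bin” folder from step 2! You should be able to upload these and use them wherever you need them! Keep in mind that step 4 writes demo.key back out without the passphrase set in step 3, so the private key sits unencrypted on disk; store it where only you can read it.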

But what about PFX files?

If you also need a PFX file (a Personal Information Exchange public/private key combo file which can be more easily shared), you can generate one with one simple additional command:
Step 6: openssl pkcs12 -export -out demo.pfx -inkey demo.key -in demo.crt

This will prompt you for a password that you will need to remember in order to use the PFX file in its final place.
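
To confirm that the files from steps 3 to 6 are what you expect, the checks below test whether the key is still passphrase-protected, whether demo.crt really belongs to demo.key, which hash the certificate was signed with, and whether the PFX opens with your password. This is an added example, not part of the original article: the function names are hypothetical, and it assumes a POSIX shell (for example Git Bash or WSL on Windows) with openssl on the PATH.

```shell
#!/bin/sh
# Added example: sanity checks for demo.key, demo.crt and demo.pfx.
# Function names are hypothetical; file names follow the article.

# Succeeds if the PEM key file is passphrase-protected. Matches both layouts
# OpenSSL writes: "BEGIN ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Succeeds if the certificate carries the public half of the (unencrypted) key.
# "-passin pass:" makes openssl fail instead of prompting on an encrypted key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Prints the certificate's signature algorithm, e.g. sha512WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds if the PFX opens with the given password. The password is handed
# over through the environment so it does not show up in the process list.
pfx_opens() {
    PFX_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS >/dev/null 2>&1
}

report() {
    if key_is_encrypted demo.key; then
        echo "demo.key: passphrase-protected (step 4 not run yet)"
    else
        echo "demo.key: NOT encrypted on disk (expected after step 4)"
        if key_matches_cert demo.key demo.crt; then
            echo "demo.crt: matches demo.key"
        else
            echo "demo.crt: does NOT match demo.key"
        fi
    fi
    echo "demo.crt: signed with $(cert_sig_alg demo.crt)"
}

# Run the report only when the article's files are in the current folder.
if [ -f demo.key ] && [ -f demo.crt ]; then report; fi
```

Run it from the folder holding the files; to test the PFX as well, call `pfx_opens demo.pfx 'your-password' && echo ok` in the same shell.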