Create a Self-signed SSL Certificate on Windows

Thursday, November 24, 2011 posted by CSch

SSL (Secure Socket Layer) is used for encryption and decryption, processing of S/MIME signed or encrypted mails, generation of certificates and more. To use it on Windows (32 and 64 bit versions), download the OpenSSL tools from code.google.com/p/openssl-for-windows/downloads/list.
Uncompress it anywhere you like and start it by double-clicking the openssl.exe executable in the \bin folder.

If you create files with OpenSSL, they will appear in the \bin directory by default.
To create a self-signed SSL certificate, you first need a key. Create it like this:

genrsa -des3 -out server.key 4096

Type in your desired key (password) and confirm it. Next, you need a certificate request. Create it as follows and give the path to the config file in the -config option (it should be in the directory where you unpacked the files to):

req -config C:\path\to\openssl.cnf -new -key server.key -out server.csr

Next, sign the certificate request:

x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The -days option specifies how long the certificate will be valid – mine will be for one year. Now you have a signed certificate.
However if you want to use it with programs as Thunderbird or similar, you will need the certificate to be in the .p12 format. To accomplish this, enter following:

pkcs12 -export -in server.crt -inkey server.key -name “Your Full Name” -out server.p12

Be Sociable, Share!


Leave a Reply