Create a Self-signed SSL Certificate on Windows

SSL (Secure Sockets Layer) is used for encryption and decryption, processing of S/MIME signed or encrypted mail, generation of certificates and more. To use it on Windows (32 and 64 bit versions), download the OpenSSL tools from
Uncompress it anywhere you like and start it by double-clicking the openssl.exe executable in the \bin folder.

If you create files with OpenSSL, they will appear in the \bin directory by default.
To create a self-signed SSL certificate, you first need a key. Create it by entering the following at the OpenSSL prompt:

genrsa -des3 -out server.key 4096

Type in the passphrase that will protect the key and confirm it (the -des3 option encrypts the private key file with it). Next, you need a certificate request. Create it as follows, giving the path to the config file in the -config option (it should be in the directory where you unpacked the files):

req -config C:\path\to\openssl.cnf -new -key server.key -out server.csr

Next, sign the certificate request:

x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The -days option specifies how many days the certificate will be valid; mine will be valid for one year. Now you have a self-signed certificate.
However, if you want to use it with programs such as Thunderbird, you will need the certificate in the .p12 format. To accomplish this, enter the following (the resulting file bundles the certificate with the private key given in -inkey):

pkcs12 -export -in server.crt -inkey server.key -name "Your Full Name" -out server.p12
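
An added example, not part of the original post: a PowerShell check of the files created above, confirming that server.crt carries the public key of server.key, that it is self-signed, and that it is not close to expiry. It calls openssl.exe from PowerShell instead of the OpenSSL prompt; the openssl.exe path, the Invoke-OpenSsl helper name and the 30-day threshold are assumptions to adjust.

```powershell
# Added example: sanity-check the files produced by the steps above.
# Run it from the folder that holds server.key and server.crt
# (the \bin directory by default).
$openssl     = 'C:\path\to\bin\openssl.exe'   # placeholder path, adjust
$minDaysLeft = 30                             # hypothetical warning threshold

function Invoke-OpenSsl {
    # Hypothetical helper: run openssl.exe with the given arguments
    # and stop on a non-zero exit code.
    $out = & $openssl @args
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
    return $out
}

# 1. The certificate must contain the public half of server.key.
#    openssl asks for the passphrase chosen at the genrsa step.
$certMod = [string](Invoke-OpenSsl x509 -in server.crt -noout -modulus)
$keyMod  = [string](Invoke-OpenSsl rsa -in server.key -noout -modulus)
if ($certMod -ne $keyMod) { throw 'server.crt does not match server.key' }

# 2. Self-signed means subject and issuer are the same name.
#    The regex tolerates the "subject= ..." and "subject=..." output styles.
$subject = [string](Invoke-OpenSsl x509 -in server.crt -noout -subject) -replace '^subject\s*=\s*', ''
$issuer  = [string](Invoke-OpenSsl x509 -in server.crt -noout -issuer) -replace '^issuer\s*=\s*', ''
if ($subject -ne $issuer) { throw "not self-signed: issuer is '$issuer'" }

# 3. Print the validity window and the SHA-256 fingerprint, so the
#    fingerprint can be compared on the machine that will trust the certificate.
Invoke-OpenSsl x509 -in server.crt -noout -dates -fingerprint -sha256

# 4. -checkend exits with 1 when the certificate expires within N seconds,
#    so it is called directly instead of through the throwing helper.
& $openssl x509 -in server.crt -noout -checkend ($minDaysLeft * 86400) | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "server.crt expires within $minDaysLeft days"
}

Write-Output "OK: server.crt matches server.key and is self-signed ($subject)"
```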

7 thoughts on “Create a Self-signed SSL Certificate on Windows”

  1. Thanks for the correct info. It worked, and one thing I found wrong was that on OpenSSL version 1.0.1g the extension of the openssl configuration file is .cfg, not .cnf, but I am not sure about earlier versions.

  2. If you need to, you can set the location of the openssl file like this (adjust as needed):
    set OPENSSL_CONF=C:/openssl/bin/openssl.cnf

  3. Thanks for putting this together. Questions though…I’m getting an error on this step:

    req -config C:\path\to\openssl.cnf -new -key server.key -out server.csr

    I have replaced the path with the correct one, but the error says: error in req / unknown option -out.server.csr

    What should be used instead?

    Thank you!

    • Not sure if this is what’s causing your error, but you’ve got a dot between ‘-out’ and ‘server’ (-out.server) whereas it should have a space between those 2 words. Hope that helps.


