Certificate Madness

I always find myself forgetting what the right Google terms are to get a self-signed certificate, so I’m going to post them here. I use methods from this blog and this StackOverflow post and this site.

I start out by creating a private key, with something like this command:

$ openssl genrsa -des3 -out newKey.pem 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for newKey.pem:
Verifying - Enter pass phrase for newKey.pem:

That will create a key that you can use to create a self-signed certificate with this command:

$ openssl req -new -x509 -key newKey.pem -out newCert.pem -days 365
Enter pass phrase for newKey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Culver City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Porkchop Express Shipping
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Jack Burton
Email Address []:[email protected]******

Then for Windows I create PKCS#12 (.pfx) and DER-encoded X.509 (.cer) versions of the certificate:

$ openssl pkcs12 -inkey newKey.pem -in newCert.pem -export -out newCert.pfx
Enter pass phrase for newKey.pem:
Enter Export Password:
Verifying - Enter Export Password:
$ openssl x509 -outform der -in newCert.pem -out newCert.cer

At the end I’ve created 4 files:

$ ls new*
newCert.cer newCert.pem newCert.pfx newKey.pem

Usually these files are all I need for testing applications using certificates. Getting this type of certificate to work with, say, a Java application requires a few more steps but that’s a story for a different day.
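
The four steps above can also be run without prompts and then checked for consistency: the sketch below is an added example, not part of the original post, and it goes one step further than the post by verifying that the .pem, .cer and .pfx hold the same certificate and that the certificate matches newKey.pem. Assumptions: the function names are hypothetical, the key is 2048-bit and AES-256 encrypted (the post's command uses 1024 bits and -des3), and the pass phrase and export password come from the KEY_PASS and PFX_PASS environment variables.

```sh
#!/bin/sh
# Added example: the post's four steps without prompts, then consistency checks.
# Assumptions: 2048-bit key, AES-256 key encryption, secrets in KEY_PASS/PFX_PASS.
umask 077   # the key and the .pfx both hold private key material

make_test_cert() {   # $1 = output directory
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/newKey.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/newKey.pem" -passin env:KEY_PASS \
        -out "$1/newCert.pem" -days 365 \
        -subj "/C=US/ST=California/L=Culver City/O=Porkchop Express Shipping/CN=Jack Burton" &&
    openssl pkcs12 -export -inkey "$1/newKey.pem" -passin env:KEY_PASS \
        -in "$1/newCert.pem" -out "$1/newCert.pfx" -passout env:PFX_PASS &&
    openssl x509 -outform der -in "$1/newCert.pem" -out "$1/newCert.cer"
}

cert_fp() {          # $1 = file, $2 = pem|der; prints the SHA-256 fingerprint line
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

pfx_cert_fp() {      # fingerprint of the certificate stored inside the PKCS#12 file
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

key_bits() {         # modulus size recorded in the certificate, e.g. 2048
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

key_matches_cert() { # the certificate must carry the public half of newKey.pem
    key_pub=$(openssl pkey -in "$1/newKey.pem" -passin env:KEY_PASS -pubout) &&
    cert_pub=$(openssl x509 -in "$1/newCert.pem" -noout -pubkey) &&
    [ "$key_pub" = "$cert_pub" ]
}

check_outputs() {    # 0 only if all four files describe one key pair and one certificate
    pem_fp=$(cert_fp "$1/newCert.pem" pem) || return 1
    [ "$pem_fp" = "$(cert_fp "$1/newCert.cer" der)" ] || return 1
    [ "$pem_fp" = "$(pfx_cert_fp "$1/newCert.pfx")" ] || return 1
    [ "$(key_bits "$1/newCert.pem")" -ge 2048 ] || return 1
    key_matches_cert "$1"
}

# Demo with constructed pass phrases in a throwaway directory.
KEY_PASS=${KEY_PASS:-constructed-key-pass} PFX_PASS=${PFX_PASS:-constructed-pfx-pass}
export KEY_PASS PFX_PASS
demo_dir=$(mktemp -d) && make_test_cert "$demo_dir" && check_outputs "$demo_dir" &&
    echo "consistent: $(cert_fp "$demo_dir/newCert.pem" pem)"
rm -rf "$demo_dir"
```

Reading the secrets through `env:` keeps them out of the process argument list, and `check_outputs` fails if any one of the four files was regenerated without the others.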