Create a certificate

In this procedure you create a certificate signed by a certificate authority.

In this task you use the openssl tool to create a Certificate Signing Request (CSR) and a certificate.

  1. Create a Certificate Signing Request and private key:
    $ openssl req -new -out MyCert.csr
    Follow the prompts to create the CSR. Because no -keyout option is given, the command also writes the private key to privkey.pem, the default key file named in the openssl configuration. The key is encrypted, so you are prompted for a passphrase for it. You are then asked to identify the subject of the certificate, that is, to provide its Distinguished Name (DN), in a series of prompts. Entering "." leaves a field blank. For a server certificate the Common Name should be the fully qualified host name that clients connect to. These are examples of what the prompts look like:
    Country Name (2 letter code) [AU]:FR
    State or Province Name (full name) [Some-State]:.
    Locality Name (eg, city) []:.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:.

    Two files are created, MyCert.csr and a private key file called privkey.pem.

  2. Remove the private key passphrase (optional):
    $ openssl rsa -in privkey.pem -out MyCert.pem

    You are prompted for the passphrase chosen in step 1, and the unprotected private key is written to MyCert.pem. Anyone who can read this file can impersonate the certificate's subject, so make it readable by its owner only (for example chmod 600 MyCert.pem) and keep it off shared storage. The openssl rsa command assumes an RSA key, which is the default key type for openssl req; for other key types use openssl pkey with the same options.

  3. Create an X.509 certificate, valid for one year, signed by the certificate authority created in Create a certificate authority (the result is CA-signed, not self-signed):
    (line breaks added for document readability; the trailing backslash lets the shell read the command as one line)
    $ openssl x509 -req -in MyCert.csr -out MyCert.crt \
       -CA MyCA.crt -CAkey MyCA.pem -CAcreateserial -days 365
    -CAcreateserial creates the serial-number file MyCA.srl the first time this CA signs a certificate; without it, older openssl versions stop with an error about a missing serial file. If the CA key MyCA.pem is still passphrase-protected, you are prompted for that passphrase.
    Note: About the CSR and its private key:
    • If you want a certificate that is trusted by browsers and other clients outside your organization, send the CSR file to a publicly trusted Certificate Authority instead of signing it with your own CA (see Encryption and authentication). Send only the CSR; it contains the public key, never the private key.
    • The CSR carries the public key that matches privkey.pem together with the DN you entered, and is signed with the private key to prove that you hold it. It does not encrypt anything itself: the CA copies the public key into the certificate, and peers use that public key to verify signatures made with the private key or to encrypt data that only the private key can decrypt.
    The certificate is output in MyCert.crt.
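The three steps above, run end to end without prompts and followed by the checks a practitioner makes before deploying the result. This is an added example, not code from the original page: it assumes openssl is on PATH, it builds a throwaway CA in place of the MyCA.crt/MyCA.pem files from Create a certificate authority so that it runs stand-alone, and the function name issue_cert, the extension file MyCert.ext and the host name www.example.test are chosen for the example. It also goes beyond the page by adding a subjectAltName, which modern clients require for hostname matching.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumptions: openssl on PATH;
# MyCA.crt/MyCA.pem normally come from "Create a certificate authority", so a
# throwaway CA is generated here; issue_cert, MyCert.ext and www.example.test
# are names chosen for this example.
set -eu

# issue_cert DIR FQDN
# Writes MyCA.crt/MyCA.pem (throwaway CA), MyCert.csr, MyCert.pem (unencrypted
# key) and MyCert.crt into DIR, verifies the result and prints the subject.
issue_cert() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"
    (
        cd "$dir"
        # Keys are written without a passphrase (-nodes), so make every file
        # owner-readable only from the moment it is created.
        umask 077

        # Throwaway CA standing in for the one built on the previous page:
        # a CSR self-signed with its own key and marked CA:TRUE.
        openssl req -new -nodes -newkey rsa:2048 -sha256 \
            -subj "/CN=Example Test CA" -keyout MyCA.pem -out MyCA.csr 2>/dev/null
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > MyCA.ext
        openssl x509 -req -in MyCA.csr -signkey MyCA.pem -days 3650 -sha256 \
            -extfile MyCA.ext -out MyCA.crt 2>/dev/null

        # Steps 1 and 2: CSR plus private key. -subj replaces the DN prompts,
        # -keyout replaces the default privkey.pem, and -nodes skips the
        # passphrase, which is what step 2 achieves with "openssl rsa".
        openssl req -new -nodes -newkey rsa:2048 -sha256 \
            -subj "/C=FR/CN=${fqdn}" -keyout MyCert.pem -out MyCert.csr 2>/dev/null

        # Server-certificate extensions. Browsers and most TLS libraries match
        # the host name against subjectAltName, not the CN, so it must be set.
        printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
            "$fqdn" > MyCert.ext

        # Step 3: the CA signs the CSR. -CAcreateserial creates MyCA.srl on
        # first use; -extfile supplies the extensions, because "openssl x509"
        # does not copy a CSR's own extensions into the certificate by default.
        openssl x509 -req -in MyCert.csr -CA MyCA.crt -CAkey MyCA.pem -CAcreateserial \
            -days 365 -sha256 -extfile MyCert.ext -out MyCert.crt 2>/dev/null

        # Checks: the certificate chains to the CA, and its public key is the
        # one that belongs to the private key we will deploy next to it.
        openssl verify -CAfile MyCA.crt MyCert.crt >/dev/null
        [ "$(openssl x509 -in MyCert.crt -noout -pubkey)" = \
          "$(openssl pkey -in MyCert.pem -pubout)" ]

        openssl x509 -in MyCert.crt -noout -subject
    )
}

# Usage: issue_cert ./pki www.example.test
```

The public-key comparison at the end catches the classic mistake of pairing a certificate with the wrong key file; the openssl verify call fails if the wrong CA certificate or key was used for signing.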
What to do next

Your next task is to create a certificate authority list as detailed in Create a certificate authority list.