Create a certificate

Create a server or client certificate for use with SSL/TLS, and optionally a self-signed certificate for testing.

A server certificate proves the server's identity to clients. A client certificate proves the client's identity to the server, and is used for web services or web applications requiring mutual authentication.

To secure your web server and applications, you must send a Certificate Signing Request to one of the trusted Certificate Authority companies on the Internet that will provide you with a certificate you can trust.

The CSR must be created on the server where the certificate is to be deployed, so that the private key generated alongside it never leaves that machine. Use the openssl tool to create the CSR.

The steps in this topic mirror the real-world process of obtaining a certificate from a Certificate Authority (CA). The root CA created in Create a root certificate authority acts as the CA, and the certificate created here is the equivalent of one issued by a trusted CA on the internet.

  1. Create a Certificate Signing Request and private key:
    $ openssl req -new -out MyCert.csr

    You are prompted to provide a Distinguished Name (DN) for the certificate, including fields such as Country Name, State or Province Name, Organization Name, and Common Name (CN).

    Set the CN according to the intended use of the certificate:

    • Server certificate: The CN must match the server's domain name (DNS), otherwise clients will not trust it. For example, for https://www.MyServer.com/fastcgi/ws/r/MyWebService, set the CN to www.MyServer.com. Use the subjectAltName extension to cover variations of the domain name (for example, MyServer.com, mail.MyServer.com).
      Tip: You can also add the IP address in subjectAltName as an alternative name for the CN. For details, go to OpenSSL.
    • Client certificate: The CN does not need to match the client's DNS name, provided the certificate is issued by a trusted CA. You can leave the CN field empty.

    Fill in the remaining fields with your organization details; they are required if you are purchasing the certificate from a certificate authority.

    Two files are created: MyCert.csr and a private key file privkey.pem (the default OpenSSL name for private key files).
    Note: About the CSR and its private key:
    • If you want a certificate from an official Certificate Authority, send the CSR file to one of the established Certificate Authority companies on the Internet instead of signing it yourself with openssl. See Encryption and authentication.
    • The CSR carries the public key that pairs with the private key: data encrypted with that public key can be decrypted only with the corresponding private key.

To create a test certificate signed by a local certificate authority, perform the following steps:

  1. Remove the private key password (Optional):
    $ openssl rsa -in privkey.pem -out MyCert-nopass.pem

    The unprotected private key is output in MyCert-nopass.pem.

  2. Create a certificate from the CSR signed by the certificate created in Create a root certificate authority:
    (line breaks added for readability)
    $ openssl x509 -in MyCert.csr -out MyCert.crt -req \
       -CA MyRootCA.crt -CAkey MyRootCA.pem -CAcreateserial -days 365
    The certificate is output in MyCert.crt.
    Note: openssl x509 -req does not copy the subjectAltName from the CSR into the certificate. If the CSR carries a subjectAltName, pass the same extension again with -extfile, otherwise clients that check the alternative names will reject the certificate.
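The following script is an added example, not part of the original page: it runs the CSR, passphrase removal and local-CA signing steps above unattended (a config file replaces the interactive DN prompts), keeps the subjectAltName through signing, and then performs the checks a practitioner runs before deploying a certificate: chain validation, presence of the SAN, key/certificate match, and a hostname check that passes for the intended DNS name and fails for any other. The host name myserver.test, the organization, the passphrase ExamplePass and the throwaway root CA are constructed for the example; the CA files reuse the names MyRootCA.crt and MyRootCA.pem from Create a root certificate authority so the commands match the page.

```shell
#!/bin/sh
# Added example (not part of the original page). Generates a throwaway root CA standing in
# for the one from "Create a root certificate authority", then issues and checks a server
# certificate with a subjectAltName. All names and the passphrase are constructed.
set -u

HOST=myserver.test

# Builds everything inside directory $1 (subshell body, so the cd does not leak).
# Returns 0 only if signing and every pre-deployment check succeed.
make_and_sign_cert() (
  cd "$1" || exit 1

  # Throwaway root CA (constructed); same file names as the page's own CA.
  cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout MyRootCA.pem -out MyRootCA.crt \
      -days 30 -config ca.cnf >/dev/null 2>&1 || exit 1

  # Step 1: CSR and passphrase-protected private key. CN and subjectAltName both carry
  # the server's DNS name; the [dn] section replaces the interactive prompts.
  cat > csr.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = XX
O = Example Org
CN = $HOST
[v3_req]
subjectAltName = DNS:$HOST, DNS:www.$HOST
EOF
  openssl req -new -newkey rsa:2048 -keyout privkey.pem -out MyCert.csr \
      -passout pass:ExamplePass -config csr.cnf >/dev/null 2>&1 || exit 1

  # Optional step: strip the passphrase. MyCert-nopass.pem is what the web server loads,
  # so keep its permissions tight.
  openssl rsa -in privkey.pem -passin pass:ExamplePass -out MyCert-nopass.pem \
      >/dev/null 2>&1 || exit 1
  chmod 600 privkey.pem MyCert-nopass.pem

  # Step 2: sign with the local CA. `openssl x509 -req` does not copy extensions from the
  # CSR, so the SAN section is supplied again with -extfile/-extensions; without it the
  # issued certificate has no SAN and name-checking clients reject it.
  openssl x509 -req -in MyCert.csr -out MyCert.crt \
      -CA MyRootCA.crt -CAkey MyRootCA.pem -CAcreateserial -days 365 \
      -extfile csr.cnf -extensions v3_req >/dev/null 2>&1 || exit 1

  # Pre-deployment checks: chain validates, SAN survived signing, key pairs with the cert.
  openssl verify -CAfile MyRootCA.crt MyCert.crt >/dev/null 2>&1 || exit 1
  openssl x509 -in MyCert.crt -noout -text | grep -q "DNS:www.$HOST" || exit 1
  [ "$(openssl x509 -in MyCert.crt -noout -pubkey)" = \
    "$(openssl pkey -in MyCert-nopass.pem -pubout)" ] || exit 1
)

# Returns 0 only if the certificate in directory $1 is valid for host name $2,
# which is the check a browser or web-service client performs against the SAN.
cert_matches_host() {
  openssl verify -CAfile "$1/MyRootCA.crt" -verify_hostname "$2" "$1/MyCert.crt" \
      >/dev/null 2>&1
}

# Stand-alone usage: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  make_and_sign_cert "$work" && echo "certificate issued in $work"
  cert_matches_host "$work" "www.$HOST" && echo "www.$HOST: accepted"
  cert_matches_host "$work" "other.example" || echo "other.example: rejected (no matching SAN)"
fi
```

Run it with `sh thisscript.sh run`; the last two lines of output show the same certificate being accepted for www.myserver.test and rejected for other.example, which is exactly the behaviour the CN/subjectAltName rule above describes. If the -extfile line is removed from the signing step, the SAN check in make_and_sign_cert fails, which makes the extension-loss problem visible before the certificate reaches a web server.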

Once you have a certificate, configure it according to its intended use:

Table 1. Configure the certificate and key

  Use                              Action
  Server                           Configure the certificate and key in your web server (for example, IIS or Apache). For an example, go to Configuring the Apache web server for HTTPS.
  Client (web service)             Configure entries in the FGLPROFILE file. For details, go to Set FGLPROFILE entries for the client certificate.
  Client (web application, HTTPS)  Install the certificate in the browser or OS keystore/keychain.

For client certificates, you also need to declare the server's CA List:

Table 2. Declare the CA List

  Use                              Action
  Client (web service)             Configure entries in the FGLPROFILE file. For details, go to Set FGLPROFILE entries for the CA list.
  Client (web application, HTTPS)  Install the CA List in the browser or OS keystore/keychain. For an example using a Windows keystore, go to Import a CA into the Windows key store. For details on creating a CA list, go to Create a certificate authority list.