Step 2: Create the server's certificate and private key

The server's certificate identifies the server to any client that connects to it, so that the client can trust the server.

  • Create the server's serial file:
    $ echo 01 >
  • Create the server's Certificate Signing Request and private key:
    $ openssl req -new -out MyServer.csr

    By default, openssl outputs the private key in the privkey.pem file.

  • Remove the password from the private key:
    $ openssl rsa -in privkey.pem -out MyServer.pem


    The unencrypted key is written to MyServer.pem, which also renames it.

  • Create the server's Certificate trusted by the Root Certificate Authority:
    $ openssl x509 -in MyServer.csr -out MyServer.crt \
      -req -signkey MyServer.pem -CA MyCompanyCA.crt -CAkey MyCompanyCA.pem

The purpose of the server's Certificate is to identify the server to any client that connects to it. Therefore, the subject of that server's certificate must match the host name of the server as it is known on the network; otherwise the client will not trust the server's identity and the communication is stopped. For instance, if the URL of the server is, the subject must be
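
The checks below are an added example, not part of the original documentation: they confirm that a server certificate verifies against the Root Certificate Authority, belongs to the server's private key, and matches the host name before it is deployed. The function names, the Demo* file names and the host name server.example.test are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page). Pre-deployment checks for the
# files produced in this step. Returns 0 when all checks pass, otherwise the
# number of the first check that failed.
check_server_cert() {
    cert=$1 key=$2 ca=$3 host=$4

    # 1. The certificate must verify against the Root Certificate Authority.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not verify against $ca" >&2; return 1; }

    # 2. The certificate must contain the public half of the server's key.
    #    An empty -passin keeps the check non-interactive.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key is not the private key for $cert" >&2; return 2; }

    # 3. The certificate must match the host name clients connect to.
    #    The verdict is read from the output rather than the exit status.
    openssl x509 -in "$cert" -noout -checkhost "$host" |
        grep -q "does match certificate" || {
        echo "FAIL: $cert does not match host name $host" >&2; return 3; }

    echo "OK: $cert is valid for $host"
}

# Constructed throwaway CA and server certificate for trying the checks.
# File names and subjects are placeholders, not values from the page.
make_demo_certs() {
    dir=$1 name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$dir/DemoCA.pem" -out "$dir/DemoCA.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/DemoServer.pem" -out "$dir/DemoServer.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/DemoServer.csr" -days 1 \
        -CA "$dir/DemoCA.crt" -CAkey "$dir/DemoCA.pem" \
        -CAserial "$dir/DemoCA.srl" -CAcreateserial \
        -out "$dir/DemoServer.crt" 2>/dev/null
}
```

To try it, run `make_demo_certs` on an empty directory and pass the resulting DemoServer.crt, DemoServer.pem and DemoCA.crt to `check_server_cert` together with the host name.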

The next step is Step 3: Create the server's certificate authority list.