Create a certificate

This procedure allows you to create a certificate.

In this procedure you use the openssl tool to perform the certificate creation tasks.

  1. Create a Certificate Signing Request (CSR) and private key:
    $ openssl req -new -out MyCert.csr

    Follow the instructions to create the CSR. This command also creates a private-key file (PEM format) containing the RSA private key for the CSR, protected by a password. By default, openssl outputs the private key in the privkey.pem file. If you want to specify a different file name, or if your openssl version does not output the private key by default, add -keyout <myprivkey>.pem to the command.

  2. Remove the private key password (Optional):
    $ openssl rsa -in privkey.pem -out MyCert.pem

    The unprotected private key is output in MyCert.pem.

  3. Create a certificate (self-signed X.509 certificate valid for a period of 1 year) trusted by the Root Certificate Authority created in Create a certificate authority:
    (line breaks added for document readability)
    $ openssl x509 -in MyCert.csr -out MyCert.crt -req
      -CA MyCA.crt -CAkey MyCA.pem -days 365

    Note:
    About the CSR and its private key:
    • If you want an official Certificate Authority, you must send the CSR file to one of the self-established Certificate Authority companies on the Internet (instead of creating it with openssl). See Encryption and authentication.
    • The CSR file is also used to encrypt messages that only its corresponding private key can decrypt.
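
The three steps above, run non-interactively and followed by checks on the result (an added example, not part of the original procedure). It builds a throwaway CA as a stand-in for the one from Create a certificate authority, uses constructed subject names and a constructed password, signs with the CA key alone and adds -CAcreateserial; issue_and_check is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: steps 1-3 run non-interactively, then checks on the result.
# Subject names, the password and the function name are constructed values.

issue_and_check() (
    cd "$1" &&
    # Stand-in for the CA from "Create a certificate authority" (assumption).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout MyCA.pem -out MyCA.crt \
        -subj "/CN=Example Test CA" -days 30 2>/dev/null &&
    # Step 1: CSR plus password-protected private key.
    openssl req -new -newkey rsa:2048 -out MyCert.csr -keyout privkey.pem \
        -passout pass:example-pass -subj "/CN=server.example.test" 2>/dev/null &&
    # Step 2 (optional): unprotected copy of the key, readable by the owner only.
    ( umask 077 &&
      openssl rsa -in privkey.pem -passin pass:example-pass -out MyCert.pem 2>/dev/null ) &&
    # Step 3: the CA key signs the CSR; -CAcreateserial supplies the serial number.
    openssl x509 -req -in MyCert.csr -out MyCert.crt -CA MyCA.crt -CAkey MyCA.pem \
        -CAcreateserial -days 365 2>/dev/null &&
    # Check 1: the certificate chains to the CA.
    openssl verify -CAfile MyCA.crt MyCert.crt >/dev/null 2>&1 &&
    # Check 2: the certificate carries the public key that belongs to MyCert.pem.
    [ "$(openssl x509 -in MyCert.crt -noout -pubkey)" = \
      "$(openssl rsa -in MyCert.pem -pubout 2>/dev/null)" ] &&
    # Check 3: issuer and subject differ, so the certificate was issued by the CA.
    [ "$(openssl x509 -in MyCert.crt -noout -issuer | sed 's/^issuer= *//')" != \
      "$(openssl x509 -in MyCert.crt -noout -subject | sed 's/^subject= *//')" ] &&
    # Check 4: -days 365 means still valid in 364 days and expired in 366.
    openssl x509 -in MyCert.crt -noout -checkend $((364 * 86400)) >/dev/null &&
    ! openssl x509 -in MyCert.crt -noout -checkend $((366 * 86400)) >/dev/null
)

workdir=$(mktemp -d)
if issue_and_check "$workdir"; then
    echo "all checks passed; files are in $workdir"
else
    echo "a step or check failed" >&2
fi
```

A non-zero return from issue_and_check means one of the steps or checks failed; the files stay in the scratch directory for inspection.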