For future me when I don’t have the batch file:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -noenc
Remove -noenc if you want a password on the PEM file(s). (I don’t know if it’s just for the private key or if it’s for both, I’ve always used -noenc.)
By default, the certificate expires in 30 days. Add -days xxxxx to make it longer. The most commonly recommended value is 10 years; browsers cap real certs at 398 days.
Convert to PFX:
openssl pkcs12 -inkey key.pem -in cert.pem -export -out cert_pfx.pfx
If using Git Bash on Windows to run this command, prefix it with winpty so the password entry prompts show correctly.
Add -name "Friendly Name" to add a friendly name to the certificate. (This shows in the Windows certificate manager.)
It seems that older versions of Windows don’t support the type of encryption that modern OpenSSL uses, so if you’re having problems with Windows thinking the password is wrong, try adding -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES to the command.