OpenSSL generate self-signed certificate one-liner

For future me when I don’t have the batch file:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -noenc

Remove -noenc if you want a password on the PEM file(s). (I don’t know if it’s just for the private key or if it’s for both, I’ve always used -noenc.)

By default, the certificate expires in 30 days. Add -days xxxxx to make it longer. The most common recommendation is 10 years; browsers cap real certs at 398 days.

Convert to PFX:

openssl pkcs12 -inkey key.pem -in cert.pem -export -out cert_pfx.pfx

If using Git Bash on Windows to run this command, prefix it with winpty so the password entry prompts show correctly.

Add -name "Friendly Name" to add a friendly name to the certificate. (This shows in the Windows certificate manager.)

