For future me when I don’t have the batch file:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -noenc
Remove -noenc if you want a password on the PEM file(s). (I don’t know if it’s just for the private key or if it’s for both, I’ve always used -noenc.)
By default, the certificate expires in 30 days. Add -days xxxxx to make it longer. The most common recommendation is 10 years; browsers cap real certs at 398 days.
Convert to PFX:
openssl pkcs12 -inkey key.pem -in cert.pem -export -out cert_pfx.pfx
If using Git Bash on Windows to run this command, prefix it with winpty so the password entry prompts show correctly.
Add -name "Friendly Name" to add a friendly name to the certificate. (This shows in the Windows certificate manager.)
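The two commands above as a non-interactive script, added here as an example (not part of the original note), with -noenc left out: the passphrase is applied to key.pem, while cert.pem is written unencrypted. Assumptions: passphrases come from the exported environment variables KEY_PASS and PFX_PASS through openssl's env: source, and the function names, the /CN=localhost subject and the KEY_BITS override are made up for this example.

```bash
#!/usr/bin/env bash
# Added example. Passphrases are read with env:VAR so they never appear on
# the command line (process list, shell history). All names are assumptions.
#
# Usage: export KEY_PASS=... PFX_PASS=...
#        make_selfsigned ./out 3650 "Local Dev Cert"

# make_selfsigned DIR DAYS FRIENDLY_NAME
# Runs in a subshell "( )" so its variables do not leak into the caller.
make_selfsigned() (
    dir=$1; days=$2; name=$3
    mkdir -p "$dir" || exit 1
    # No -noenc here: key.pem is written encrypted under KEY_PASS.
    openssl req -x509 -newkey "rsa:${KEY_BITS:-4096}" -sha256 -days "$days" \
        -subj "/CN=localhost" -passout env:KEY_PASS \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" || exit 1
    chmod 600 "$dir/key.pem"
    # -passin unlocks key.pem, -passout sets the PFX export password.
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passin env:KEY_PASS -passout env:PFX_PASS \
        -name "$name" -out "$dir/cert_pfx.pfx" || exit 1
    chmod 600 "$dir/cert_pfx.pfx"
)

# Succeeds when a PEM file is passphrase-protected.
pem_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Succeeds when the certificate is still valid SECONDS from now.
cert_valid_after() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Prints the friendly name stored in the PFX (empty if there is none).
pfx_friendly_name() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}
```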