# Create Self-Signed Certificate ## Create Key With Openssl This example is using `openssl` command on Ubuntu. If you are using Windows then you can use alternative tools, such as: * Install [OpenSSL - Installation under Windows](https://www.xolphin.com/support/OpenSSL/OpenSSL_-_Installation_under_Windows) * Install [Cmder | Console Emulator](https://cmder.net/) that support for `openssl` commands. To generate the key we will be using openssl on Ubuntu. We start firt by generating the private key `myapp.key` and public certificate `myapp.crt`: ``` openssl req -x509 -newkey rsa:4096 -keyout myapp.key -out myapp.crt -days 3650 -nodes -subj "/CN=myapp" ``` We name .key and .crt to follow the convention used in ssl for certificates which can be found under /etc/ssl/(private|certs). Next we combine them into a key myapp.pfx usable by dotnet: ``` openssl pkcs12 -export -out myapp.pfx -inkey myapp.key -in myapp.crt -name "Localhost HTTPS development" ``` The resulting `myapp.pfx` is the file which can be used to instantiate a X509Certificate2 object we needed. If we already have a `.pfx` and want to extract the private key `myapp.key` and public key `myapp.crt`: ``` openssl pkcs12 -in key.pfx -nocerts -out myapp.key -nodes openssl pkcs12 -in key.pfx -nokeys -out myapp.crt ``` ## Selfsigned certificate for local SSL usage Just like how we created a key to be used for signing credentials, it is possible to use openssl to create selfsigned certificate to be used for SSL. ``` openssl req -x509 -newkey rsa:4096 -keyout localhost.key -out localhost.crt -days 3650 -nodes -subj "/CN=localhost" openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt -name "Localhost selfsigned certificate" ``` ## Simple steps to create self-signed certificate Using commands below to generate `private.key`, `.csr`, `self-signed-crt`, `keyStore.pfx`, `certificate.pem` ``` # Generate new private key and csr, with blank password openssl req -new -newkey rsa:2048 -nodes -keyout privateKey.key -out CSR.csr # Generate self-signed cert openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt # Convert privateKey & certificate to keyStore pfx, with friendly alias name = "1", with blank keyStore password openssl pkcs12 -export -out keyStore.pfx -inkey privateKey.key -in certificate.crt -name "1" # Convert pfx to pem openssl pkcs12 -in keyStore.pfx -out certificate.pem -nodes ``` ## Reference * [Self Signed Certificate](https://www.kimsereylam.com/dotnetcore/csharp/oidc/2018/07/06/self-signed-certificate-for-identity-server.html) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://nicholashew.gitbook.io/knowledge/programming/openssl/create-self-signed-cert.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.