OpenSSL is an open source toolkit that can be used to create test certificates, as well as generate certificate signing requests (CSRs) which are used to obtain certificates from trusted third-party Certificate Authorities.
The OpenSSL toolkit can be used to create self-signed test certificates for server applications, as well as generate certificate signing requests (CSRs) to obtain certificates from Certificate Authorities like DigiCert. This article outlines the steps for creating a test certificate using OpenSSL as an alternative to the MakeCert utility.
You must install OpenSSL on your development system to use the commands in this article. You can visit the OpenSSL website for more information on how to obtain binaries for Windows or you can download an installation package that we provide.
Using OpenSSL to create a self-signed test certificate for the localhost is more complicated than using the MakeCert utility Microsoft includes with Visual Studio and the Windows SDK. However, an advantage to using OpenSSL is that you can create certificates that include extensions, which MakeCert does not support, such as subject alternative names.
In this article, first we’ll create a self-signed root certificate to be installed into the Trusted Root certificate store. Then we’ll use that certificate to sign a server certificate created for “localhost”, the hostname you can use for testing local connections on your development system.
The first step to create your test certificate using OpenSSL is to create a configuration file. After you’ve installed OpenSSL, create a new, empty folder and create a file named localhost.cnf. Copy all of the following text into the file and save it.
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
C = US
ST = California
L = Los Angeles
O = Catalyst Development
CN = localhost
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
basicConstraints = critical, CA:false
nsCertType = server
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
You should change the values in the [req_distinguished_name] section to reflect the name of your own organization and location. The country code should always be the ISO standard two-letter code (e.g.: US for the United States), and the state/province name and locality should be the full name. The common name (CN) for the test certificate will be “localhost” and this is also specified in the [alt_names] section along with the IPv4 and IPv6 localhost addresses.
Creating the Root Certificate
After you have created the OpenSSL configuration file, the next step is to create a self-signed root certificate that will be used to sign your localhost test certificate. Open a command prompt, change the directory to your folder with the configuration file and generate the private key for the certificate:
openssl genrsa -out testCA.key 2048
This will create a file named testCA.key that contains the private key. This will be used with the next command to generate your root certificate:
openssl req -x509 -new -nodes -key testCA.key -sha256 -days 365 -out testCA.crt -config localhost.cnf -extensions v3_ca -subj "/CN=SocketTools Test CA"
This tells OpenSSL to create a self-signed root certificate named “SocketTools Test CA” using the configuration file you created, and the private key that was just generated. The file testCA.crt will be created in the current folder.
This certificate must be imported into your Trusted Root Certification Authorities certificate store. The simplest way to do this is to open File Explorer, right-click on the file and select Install Certificate to open the Certificate Import Wizard.
Make sure you import the certificate into the correct certificate store, and you’ll be given a warning prompt about importing the certificate. After you’ve imported the self-signed root certificate, you’re ready to create your server certificate.
Creating the Server Certificate
Now that you have created your test root certificate, you need to generate a certificate signing request (CSR) and use that to create your server certificate. To generate your CSR, enter the following command:
openssl req -new -key localhost.key -out localhost.csr -config localhost.cnf -extensions v3_req
This will create the files localhost.key and localhost.csr in the current folder, using the information in your configuration file. Your next step is to create the server certificate using the following command:
openssl x509 -req -in localhost.csr -CA testCA.crt -CAkey testCA.key -CAcreateserial -out localhost.crt -days 365 -sha256 -extfile localhost.cnf -extensions v3_req
This will create the file localhost.crt in the current folder, and this is your server certificate. However, to use this test certificate with your server applications, you must combine it with its private key. A server certificate alone cannot be used to create the security context that SocketTools requires to accept a secure connection.
You combine the server certificate localhost.crt and its private key localhost.key to create a PKCS12 certificate, which on Windows commonly uses the PFX file extension. To do this, use the following command:
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt -password pass:testing
Now you have a localhost.pfx file that you can import into your certificate store. The import process is similar to how you imported the root certificate, however in this case you’ll want to import the certificate into your Personal store. In this example, the PFX certificate was created with the password “testing”, but you can use whatever password you’d prefer.
Your server application can reference the PFX certificate directly by specifying the file as the certificate store (make sure you use an absolute pathname for the PFX file) or you can tell SocketTools to use the certificate store “MY”, which corresponds to your Personal certificate store.
Keep in mind that this certificate is specifically designed for testing on your local system. If you wanted to create a self-signed certificate that would be used by another system, then you’d need to change “localhost” to the hostname for that computer, and include its IP addresses in the configuration file. You would also need to install your TestCA.crt root certificate into the trusted root certificate store for each client that is accessing the server, otherwise the server’s certificate would be considered invalid.