Menu Home

Creating Self-signed pfx and cer certificates with OpenSSL

This is just a quick post about how to use OpenSSL to create certificates that you can use with IIS or Microsoft Azure. Of course you could use makecert.exe, but I generally prefer openssl, since I occasionally do Node.js and IOS development.

The information can be found elsewhere on the internet, but I always have too look around for it when I need it, so I decided to post the commands I recently used to generate certificates for a Azure point-to-site VPN.

To generate a self-signed certificate with OpenSSL use:
openssl req -x509 -days 365 -newkey rsa:<bits> -keyout cert.pem -out cert.pem
Replace with the number of bits you want to use, you should use 2048 or more.

This command guides you through the process of generating a x509 certificate with a private key, and saves it in the pem format. The pem cannot be used with Microsoft products, so we need to convert it to PKCS#12/PFX Format which is what Microsoft uses. That can be done with
openssl pkcs12 -export -in server-cert.pem -inkey cert.pem -out cert.pfx

To get the public certificate in cer format (which in actually called DER) we could import the pfx certificate into a certificate store on a window machine and export it from here, but it’s easier just to ask openssl to create the cer file for us.
openssl x509 -pubkey -outform der -in cert.pem -out cert.cer

That is it now you got a certificate pair you can use with Microsoft software.

Categories: Software

Simon J.K. Pedersen

6 replies

  1. Hi, which one is the root certificate? the PFX or de CER file? And what is the purpose of the output of the cert.cer generation (it outputs public key)?


  2. Well, it’s a self signed certificate, so the root certificate would be itself. The PFX files contains the private key, so that certificate should never be given to any third party. Wereas the cer file only contains the public key, so that is okay to share.

  3. I entered this: openssl req -x509 -days 365 -newkey rsa:2048 -keyout cert.pem -out cert.pem

    Then: openssl pkcs12 -export -in server-cert.pem -inkey cert.pem -out cert.pfx

    And got: Error opening input file server-cert.pem Any ideas?

  4. I think this is really close, but not quite there.

    I’ve been trying to figure this out for 2 hours! First, I think there is a type’o in the first command to generate the self-signed certificate. The command listed outputs both the private key and certificate to the same cert.pem file. Also, to avoid encryption you need to include the “-nodes” option.

    The second command converts the pkcs10 file to pkcs12 pfx file correctly. The 3rd command converts the private key from PEM to DER. It’s not working…I’m getting “unable to load certificate”

  5. for command:
    openssl pkcs12 -export -in server-cert.pem -inkey cert.pem -out cert.pfx

    was it supposed to read:
    openssl pkcs12 -export -in cert.pem -inkey cert.pem -out cert.pfx

Leave a Reply

Your email address will not be published. Required fields are marked *