
Generate self-signed server and client certificates with OpenSSL

This guide explains how to create a private root Certification Authority (CA) with OpenSSL and use it to issue certificates for servers and clients. Only the root CA certificate is self-signed; the server and client certificates are signed by that CA, which is why the CA certificate has to be installed in the trust store of every party that must validate them.

Procedure

On Windows, it is recommended to use Chocolatey to install OpenSSL and its dependencies. The command line is simply choco install openssl.

Create the Root Certification Authority (CA)

  1. Generate the Root CA Private Key using the following command line: openssl ecparam -name prime256v1 -genkey -noout -out ca.key. Every certificate must have a corresponding private key. This command writes the key unencrypted, so restrict its file permissions; the CA key should never leave the CA machine.

  2. Generate the Root CA Certificate (Certificate Authority) using the following command line: openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt. Without -days, openssl req -x509 issues a certificate that is valid for only 30 days, after which every certificate it signed stops validating.

  3. Enter the information about the CA (the certificate will be generated in the ca.crt file):

    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:Toontown
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme Inc.
    Organizational Unit Name (eg, section) []:Security
    Common Name (e.g. server FQDN or your name) []:acme.com
    Email Address []:security@acme.com
  4. Install the CA certificate.

    Install ca.crt (never ca.key) in the trust store of the server and of every client; a party that does not trust the CA certificate cannot validate the certificates it issued. Some browsers keep their own certificate store rather than using the operating system's (Firefox, for example), so the CA certificate must be imported there separately.

Generate a Certificate Signing Request (CSR) – Server

  1. Generate the Server Certificate Private Key using the following command line: openssl ecparam -name prime256v1 -genkey -noout -out server.key (256-bit private key in the server.key file). Every certificate must have a corresponding private key.

  2. Generate the server Certificate Signing Request (CSR) using the following command line: openssl req -new -sha256 -key server.key -out server.csr. This request will later be processed on the Root CA server.

  3. Enter the information about the server certificate. The Common Name must be the exact FQDN that clients use to reach the server. Note that modern browsers ignore the Common Name and match the hostname only against the subjectAltName extension, so a certificate for a browser-facing server must carry the FQDN as a DNS entry in subjectAltName as well (see the note on extensions in the CA processing section below).

  4. The "challenge password" prompt is an optional CSR attribute, stored in clear text in the CSR and ignored by the signing command used here; it does not protect the private key and can be left empty. To protect server.key at rest, encrypt it instead (for example with openssl ec -aes256 -in server.key -out server.key), using a password manager and a strong password generator for the passphrase.

  5. Transfer the server.csr file to the Root CA.

  6. Process the request by following the instructions in Process a Certificate Signing Request (CSR) on the Root Certificate Authority (CA) below.

  7. Deploy the certificate.

Generate a Certificate Signing Request (CSR) – Client

Follow the same procedure as for the server certificate (using client.key, client.csr and client.crt as file names), but adapt two attributes of the information you enter to the person or device the certificate identifies, namely the Common Name and the Email Address. A client certificate should also be issued with the clientAuth extended key usage rather than serverAuth.

Process a Certificate Signing Request (CSR) on the Root Certificate Authority (CA)

Process the CSR by generating a certificate signed with the CA key.

Generate it using the following command line, where server.csr has been generated on the server: openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256

-CAcreateserial creates the serial-number file ca.srl on first use and reuses it afterwards; keep it next to ca.key so that two certificates never share a serial number. Note that openssl x509 -req does not copy extensions (such as subjectAltName) from the CSR into the certificate: any extension the certificate needs must be supplied on the CA with -extfile, otherwise the resulting certificate has no subjectAltName and browsers reject it.

This results in the certificate being generated in the server.crt file. You must deploy it to the server where you generated the CSR; the private key stays on that server and is never sent to the CA.
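The whole procedure above (root CA, server certificate, client certificate, signing on the CA and verification), run non-interactively, as an added example that is not part of the original page. The DN fields, the hostname server.acme.test, the e-mail address alice@acme.test and the file names are placeholders. It departs from the page in two deliberate ways: the CA is signed from its own CSR with an explicit extension file so that basicConstraints and keyUsage do not depend on the local openssl.cnf or OpenSSL version, and every leaf certificate is signed with -extfile so that the subjectAltName and extended key usage actually land in the certificate. sign_without_extfile repeats the page's bare signing command to show that the SAN requested in the CSR is dropped.

```shell
#!/bin/sh
# Added example, not the page's own script: builds a private PKI in one work directory.
# Requires OpenSSL 1.1.1 or later (for 'req -addext'). All names below are placeholders.
set -eu

SUBJ_BASE="/C=US/ST=CA/L=Toontown/O=Acme Inc./OU=Security"   # placeholder DN prefix

# P-256 private key, written unencrypted as on the page; protect it with file permissions
# or wrap it with 'openssl ec -aes256' if it must stay on disk.
make_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Root CA in $1: CSR, then self-sign with -signkey and an explicit extension file.
make_ca() {
    dir="$1"
    make_key "$dir/ca.key"
    openssl req -new -sha256 -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "$SUBJ_BASE/CN=Acme Root CA"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' \
                  'subjectKeyIdentifier=hash' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt"
}

# Leaf certificate: $1=dir $2=name $3=CN $4=SAN entry $5=serverAuth|clientAuth.
# The SAN is requested in the CSR (-addext) AND supplied at signing time (-extfile),
# because 'openssl x509 -req' ignores whatever extensions the CSR carries.
issue_leaf() {
    dir="$1"; name="$2"; cn="$3"; san="$4"; eku="$5"
    make_key "$dir/$name.key"
    openssl req -new -sha256 -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "$SUBJ_BASE/CN=$cn" -addext "subjectAltName=$san"
    printf '%s\n' "subjectAltName=$san" "extendedKeyUsage=$eku" \
                  'keyUsage=critical,digitalSignature' 'basicConstraints=CA:FALSE' \
                  'authorityKeyIdentifier=keyid,issuer' > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/$name.crt" -days 1000 -sha256 -extfile "$dir/$name.ext"
}

# Full build: CA, server certificate for hostname $2, client certificate for e-mail $3.
make_pki() {
    mkdir -p "$1"
    make_ca "$1"
    issue_leaf "$1" server "$2" "DNS:$2" serverAuth
    issue_leaf "$1" client "$3" "email:$3" clientAuth
}

# True if the certificate carries a subjectAltName extension.
has_san() {
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in *"Subject Alternative Name"*) return 0 ;; *) return 1 ;; esac
}

# What a relying party actually checks: chain to ca.crt, the right EKU, and the hostname.
verify_server() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver -verify_hostname "$2" \
        "$1/server.crt" > /dev/null
}
verify_client() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt" > /dev/null
}

# The page's bare signing command: the SAN requested in server.csr does not survive.
sign_without_extfile() {
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/nosan.crt" -days 1000 -sha256
}

if [ "${1:-}" = run ]; then
    d=$(mktemp -d)
    make_pki "$d" server.acme.test alice@acme.test
    verify_server "$d" server.acme.test && verify_client "$d" && echo "chain OK in $d"
fi
```

Run it as sh pki.sh run; the verification functions return 0 only when openssl verify accepts the chain, so they can be used directly as a deployment check. Change the hostname passed to verify_server to one the certificate does not cover and it fails, which is the same check a browser performs.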
