# Generate a self-signed server and client certificates with OpenSSL

This is the definitive guide to creating secure certificates, for both servers and clients, using OpenSSL.

## Procedure

{% hint style="info" %}
On Windows, it is recommended to use Chocolatey to install OpenSSL and its dependencies. The command line is simply `choco install openssl`.
{% endhint %}

### Create the Root Certification Authority (CA)

1. Generate the ***Root CA Private Key*** using the following command line: `openssl ecparam -name prime256v1 -genkey -noout -out ca.key`. Every certificate must have a corresponding private key.
2. Generate the ***Root CA Certificate*** (Certificate Authority) using the following command line: `openssl req -new -x509 -sha256 -key ca.key -out ca.crt`.
3. Enter the information about the CA (the certificate will be generated in the ca.crt file):

   ```
   Country Name (2 letter code) [AU]:US
   State or Province Name (full name) [Some-State]:CA
   Locality Name (eg, city) []:Toontown
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme inc.
   Organizational Unit Name (eg, section) []:Security
   Common Name (e.g. server FQDN or your name) []:acme.com
   Email Address []:security@acme.com
   ```
4. [Install the certificate](https://docs.devolutions.net/resources/other-resources/install-root-certificates/).

   {% hint style="info" %}
   Note that the certificate must be installed on the server and on all of the clients so that they can validate the legitimacy of the certificates it issues. Some browsers also have particularities, which are described in that topic.
   {% endhint %}

### Generate a Certificate Signing Request (CSR) – Server

{% hint style="warning" %}
These steps are usually performed on each server or device for which you intend to request a certificate; install OpenSSL there if it is not present. The alternative is to generate the private key elsewhere and securely deploy it to the destination server at the same time as the certificate. Use this second approach only if you must adhere to scripted deployments that follow CloudOps/DevOps practices.
{% endhint %}

1. Generate the ***Server Certificate Private Key*** using the following command line: `openssl ecparam -name prime256v1 -genkey -noout -out server.key` (256-bit private key in the server.key file). Every certificate must have a corresponding private key.
2. Generate the server ***Certificate Signing Request*** (CSR) using the following command line: `openssl req -new -sha256 -key server.key -out server.csr`. This request will later be processed on the Root CA server.
3. Enter the information about the server certificate (the exact FQDN used by the server must be specified as the Common Name). For example:

   ```
   Country Name (2 letter code) [AU]:US
   State or Province Name (full name) [Some-State]:CA
   Locality Name (eg, city) []:Toontown
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme inc.
   Organizational Unit Name (eg, section) []:Security
   Common Name (e.g. server FQDN or your name) []:vault.acme.com
   Email Address []:security@acme.com
   ```
4. Enter a password at the prompt; using a password manager together with a strong password generator is essential.
5. Transfer the server.csr file to the Root CA.
6. Process the request by following the instructions in ***Process a Certificate Signing Request (CSR) on the Root Certificate Authority (CA)*** below.
7. Deploy the certificate.

### Generate a Certificate Signing Request (CSR) – Client

Follow the same procedure as for the Server certificate, but you must adapt two attributes of the information you enter to your needs, namely the ***Common Name*** and the ***Email Address***.

```
Common Name (e.g. server FQDN or your name) []:John Doe
Email Address []:JohnDoe@acme.com
```

### Process a Certificate Signing Request (CSR) on the Root Certificate Authority (CA)

Process the CSR by generating a certificate.

Generate it using the following command line, where server.csr is the request file generated on the server: `openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256`

This results in the certificate being generated in the server.crt file. You must deploy it to the server where you generated the CSR.
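The whole procedure run non-interactively, as an added example that is not the page's own script: `-subj` replaces the interactive prompts, the server certificate receives a subjectAltName through `-extfile` (needed because `openssl x509 -req` does not carry extensions over from the CSR and TLS clients match the hostname against the SAN), and the result is checked with `openssl verify` and a key-to-certificate match before deployment. It assumes OpenSSL is on the PATH; the SAN/EKU extensions and the `-days 3650` CA lifetime are additions to the page's commands.

```shell
# Added example, not the page's own script: the page's OpenSSL steps run end to
# end without prompts (-subj replaces the interactive answers), plus the checks
# a practitioner runs before deploying. Subject values are the page's samples.
set -eu
SUBJ_BASE="/C=US/ST=CA/L=Toontown/O=Acme inc./OU=Security"

# Builds CA, server and client material in a scratch directory; prints its path.
make_pki() {
  dir=$(mktemp -d)
  # Root CA: P-256 key and self-signed cert (page's CA steps). -days is an
  # addition; without it "req -x509" issues a certificate valid for 30 days.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -new -x509 -sha256 -key "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
    -subj "$SUBJ_BASE/CN=acme.com/emailAddress=security@acme.com"
  # Server key and CSR, CN set to the exact FQDN the server uses.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
  openssl req -new -sha256 -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "$SUBJ_BASE/CN=vault.acme.com/emailAddress=security@acme.com"
  # Client key and CSR: only CN and Email differ, as the page says.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/client.key"
  openssl req -new -sha256 -key "$dir/client.key" -out "$dir/client.csr" \
    -subj "$SUBJ_BASE/CN=John Doe/emailAddress=JohnDoe@acme.com"
  # Signing on the CA. "x509 -req" does not carry extensions over from the
  # CSR, and TLS clients match hostnames against subjectAltName rather than
  # CN, so SAN and extended key usage are supplied through -extfile.
  printf 'subjectAltName=DNS:vault.acme.com\nextendedKeyUsage=serverAuth\n' \
    > "$dir/server.ext"
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  for n in server client; do
    openssl x509 -req -in "$dir/$n.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -out "$dir/$n.crt" -days 1000 -sha256 \
      -extfile "$dir/$n.ext" 2>/dev/null
  done
  echo "$dir"
}

# Returns 0 only if $2.crt chains to ca.crt in $1 and matches $2.key's public key.
check_cert() {
  dir=$1; n=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$n.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$dir/$n.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/$n.key" -pubout)" ]
}

# Returns 0 only if the server certificate carries DNS:$2 in its SAN.
has_san() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}
```

Run `d=$(make_pki); check_cert "$d" server && has_san "$d" vault.acme.com` before copying server.crt to the server; a failure in either check means the certificate is not deployable.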
