Setting up OpenSSL to Create Certificates

Web servers, imap servers, smtp servers can be configured to use ssl connections and there are many other uses for ssl certificates, such as encrypting email or digitally signing documents. You don't have to pay a certificate authority, such as Verisign, because you can use the OpenSSL package to create your own certificates. I do not cover the installation of OpenSSL here and I assume you know at least how to change directories, move files, use an editor, and other basics from the command-line.

Note: The author of this page, and owner of this web site, is not to be held liable for any damage or trouble arising from following these directions. You are responsible for your own security, use, and creation of certificates.

Quick steps:

  1. Create a directory.
  2. Create two subdirectories.
  3. Create a database to keep track of each certificate signed.
  4. Make a custom config file for openssl to use.
  5. Create a root certificate.
  6. Installing the root certificate for use.
  7. Tips.
  8. Creating certificates pages.

Note: While this document covers OpenSSL under Linux, Windows-only folks can use the Win32 OpenSSL project. I found GOSSL and CertWiz, GUIs for Windows, after a quick search. I am running Red Hat Linux 8.0 and openssl 0.9.x. If you have an interal box running Apache web server with PHP and the OpenSSL libraries installed, you could also use PHPki. I would not use PHPki for creating certificates on a publicly accessable server, because your root private certificate must be installed on that server (security risk). [Note: I found it not too hard to migrate manually to PHPki after already having created some certificates from the command line. Also you must have short tags enabled in your php.ini.] Only command line steps will be covered here.

1) Create a directory

Let's call it sslcert:
mkdir sslcert

Now protect that directory so only the user you are running as (and root) can access it:
chmod 0700 sslcert

2) Create two subdirectories

Cd into the first directory and make two subdirectories. Let's call them certs and private.
cd sslcert
mkdir certs private

3) Create a database to keep track of each certificate signed

echo '100001' >serial
touch certindex.txt

4) Make a custom config file for openssl to use

Create a file using your ASCII text editor. We will call it openssl.cnf. Here are the basics needed for this exercise (edit as needed):

# OpenSSL configuration file.
# Establish working directory.
dir					= .
[ ca ]
default_ca				= CA_default
[ CA_default ]
serial					= $dir/serial
database				= $dir/certindex.txt
new_certs_dir				= $dir/certs
certificate				= $dir/cacert.pem
private_key				= $dir/private/cakey.pem
default_days				= 365
default_md				= md5
preserve				= no
email_in_dn				= no
nameopt					= default_ca
certopt					= default_ca
policy					= policy_match
[ policy_match ]
countryName				= match
stateOrProvinceName			= match
organizationName			= match
organizationalUnitName			= optional
commonName				= supplied
emailAddress				= optional
[ req ]
default_bits				= 1024			# Size of keys
default_keyfile				= key.pem		# name of generated keys
default_md				= md5				# message digest algorithm
string_mask				= nombstr		# permitted characters
distinguished_name			= req_distinguished_name
req_extensions				= v3_req
[ req_distinguished_name ]
# Variable name				Prompt string
#-------------------------	  ----------------------------------
0.organizationName			= Organization Name (company)
organizationalUnitName			= Organizational Unit Name (department, division)
emailAddress				= Email Address
emailAddress_max			= 40
localityName				= Locality Name (city, district)
stateOrProvinceName			= State or Province Name (full name)
countryName				= Country Name (2 letter code)
countryName_min				= 2
countryName_max				= 2
commonName				= Common Name (hostname, IP, or your name)
commonName_max				= 64
# Default values for the above, for consistency and less typing.
# Variable name				Value
#------------------------	  ------------------------------
0.organizationName_default		= My Company
localityName_default			= My Town
stateOrProvinceName_default		= State or Providence
countryName_default			= US
[ v3_ca ]
basicConstraints			= CA:TRUE
subjectKeyIdentifier			= hash
authorityKeyIdentifier			= keyid:always,issuer:always
[ v3_req ]
basicConstraints			= CA:FALSE
subjectKeyIdentifier			= hash

5) Create a root certificate

All other certificates you create will be based off of this. Because you are not a commercial certificate authority, software may complain when they use your certificates. However you can give people one of the files, the "public" one, that will be created and they can manually import it. From then on your certificates will load just like the commercial ones.

To create, while in the 'sslcert' directory, type:
openssl req -new -x509 -extensions v3_ca -keyout \
private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

Note the backslash (\) at the end of the first line. If your OS supports it, this is a way to type long command lines. Simply press <Enter> after it and you will be prompted to continue typing. Otherwise, leave it out and continue typing.

Note the -days 365 option. For a root certificate you may want it to last longer than one year so that you do not have to reissue it so often. I set mine to 10 years.

You will be prompted for information and a password. Do not loose this password, make sure it is a secure one, and back up the two files that are created.

The two files that are created are cacert.pem, which is the one you can give to others for import in their browsers, and cakey.pem, which will be in the private directory.

Name Field Explanation Example
Country Name The two-letter ISO abbreviation for your country US = United States
State or Province Name The state or province where your organization is located. Can not be abbreviated. Georgia
City or Locality The city where your organization is located. Atlanta
Organization Name The exact legal name of your organization. Do not abbreviate SSL Secure Inc.
Organizational Unit Optional for additional organization information. Marketing
Common Name Since this is your root certificate, call it something like: Company_Name Certificate Authority
Email Address The email address for the CA (who to contact) someone@your.domain

6) Installing the root certificate for use

See your browser's help for how to do this. For IE, go to Tools, Options, Content tab, Certificates, Import and follow the steps. Note that we called our root certificate cacert.pem. Rename this file to cacert.crt as it is an X.509 certificate. To make it easy for people to install your root certificate, cacert.crt, place it on your web site with a URL to it. When they click on it in most modern browsers, they can choose to "Open" or "Install" and it will walk them through the install steps.

Note for Mozilla and Firefox/Thuderbird users: Mozilla apps do not use MS Windows' certificate storage. If you use Mozilla, you only need to install the certificate in the browser and it will be available to the email client. If you use Firefox and Thunderbird, or just one of the two, you will need to manually import the certificate with Thunderbird. To do this, right-click the link to the certificate and choose "Save As...". Then in "Manage Certificates", access is via "Advanced" in newer versions, click the Import button.

7) Tips

Read up on revocation lists and how to use them. One day need to revoke the root certificate, or any other certificates, and issue a new one.

The root certificate created per the example only good for 365 days. When it expires people receive a warning message. Don't forget to remake the certificate each year, or create it for more than 1 year.

Don't forget your password for the root certificate, but do not let it fall into the wrong hands.

8) Creating certificates pages

Now you are ready to create certificates. Here are my pages covering various applications of certificates and how to make those certificates:


Followed the steps to create a PCKS12 certificate to trial signing PDF documents. Worked first time. Many thanks!

I don't get the Install Page

I attempted to run the Root Cert and it didn't work for my page, what gives?

Awesome tut!!!

Thanks a lot for taking the time to write this. It worked on the first try. However, others may want to migrate from md5 to sha.

Unable to create certificate

Hi, whenever I try to execute the "openssl req -new -x509 -extensions v3_ca -keyout \
private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf" command I get this error,

"Generating a 1024 bit RSA key
Writing new private key to private/cakey.pem'
private/cakey.pem: No such file or directory.

1949:error:02001002:system library: fopen:No such file or directory:bss_file.c:356:fopen('private/cakey.pem' , 'w')

1939:error:20074002:BIO routines: FILE_CTRL:system lib:bss_file.c:358"

Can anybody help me? Why does it need to open private/cakey.pem, shouldn't it write to the private folder?
I execute with root privilege. Any help would be appreciated.

If you're using win32/64,

If you're using win32/64, you don't need that backslash at the end of the first line.

You can also try to type the whole command in one line

Configuration for email certificates

Thanks for these instructions, found them really helpful. However I have found you need to change the "email_in_dn" value to yes in the configuration file if creating certificates for signing emails. Otherwise the certificate will not identify the sender's email address, and the recipient will not be able to verify that the certificate matches the sender's email address.


I'm newbie on this.
And i interested to learn.
Where this all can be done?

doesnt work

configured exactly as you said,

when going to the url, it does not use the certificate created,

off to another site

how to make sure the cert is in use??


im trying to create new certs with openssl i think. but i have a DEMOCA with all the certs.
what can i do to make sure that the raddius is running my certs?
and how do i create certs?
sorry, i am a beginner. much help needed! reply asap pls. thanks!

Re: how to make sure the cert is in use??

Try starting with:
$ openssl s_client -connect [ip_or_dns_name]:[port]
$ man s_client

Valid time in x509 Certificates is always in GMT-why

I need a clarification. The CAcert and the client certs generated by openssl on my system has the validity time period always in GMT-5:30hrs, even though my system has a local time in IST (GMT+5:30hrs). So my doubt is, if i use the client certs in other IST timezone systems, how and will the certs be verified by the system as in valid time period?
why is that all certs are stamped with validity time in GMT only?


SSL Cert and Key

OMG worked on this forever, then found your site and within a few short hours was able to get all my certificates and keys. One hang up was decrypting the cakey.pem. I looked at your comment section and there at the bottom was the decrypt info. Thank You, I am a self taught wannbe programmer and your site really helped.

Great job!

I followed every step and it worked I was working on this for almost 2 weeks and you just gave me the answers in 10 minutes.

By the way:
nameopt = default_ca
certopt = default_ca

is correct. There was 1 guy who said it was wrong but this works... Thank you very much man i really apreciate this.

Your sincerely,

André Boom

Not working for windows 7 w/ IE8

The instruction is very clear and helpful. I did it for my linux centOS 5.4 server. After that, it works well for clients using windows XP and IE7. However, it does not work for clients using windows vista or 7 with IE8. The clients are promped to install certificate, ... and it shows "the import was successful". When clients start a new browser to open the web site, it still displays "Certificate Error". Can somebody tell why? I also tried several other ways to create certificates, the situation is the same. Thanks!

For Windows XP, Expire date is 2/6/1974

I agree: Great instructions!
But I'm also having a problem trying to do this on Windows XP. For some reason it set the root certificate expiration date to 2/6/1974. If I view the certificate in Firefox, it shows the Create date OK but the Expire date is in the past, so it thinks the certificate has expired and will not use it.

Validity|Not Before:
3/14/2010 18:20:58 PM
(3/14/2010 23:20:58 PM GMT)

Validity|Not After:
2/6/1974 10:52:42 AM
(2/6/1974 16:52:42 PM GMT)

Oops! 36525 days is 100 years, not 10 years.

I guess the multiply function of my internal calculator isn't working today. 36525 days is 100 years, not 10 years. It worked OK once I corrected that.


Thank you for your help. I found the nameopt and certopt should be the following:

name_opt = ca_default
cert_opt = ca_default


Wait a minute. Placing

Wait a minute. Placing cacert.pem on public site might give away your private key?! Can anyone confirm this?

No it doesn't give away your

No it doesn't give away your private key. Read the manuals. You can't calculate 1 without the other

Re: Wait a minute. Placing

In the instructions above the file 'cacert.pem' is the public certificate. Try these commands once you have generated the private and public files to inspect them:

 $ openssl x509 -in cacert.pem -text -noout
Within the text of the output you should see "Subject Public Key Info".

$ openssl rsa -in cakey.pem -text -noout
You will be prompted for the certificate password and see "Private-Key:" within the text of the output.

If you try to run 'openssl x509 -in cakey.pem ...' you should get an error with "Expecting: TRUSTED CERTIFICATE". If you try to run 'openssl rsa -in cacert.pem ...' you should get an error with "Expecting: ANY PRIVATE KEY". It is always good to ask these kinds of questions.

Thanks very much for your

Thanks very much for your useful tips on how to create a root certificate!

Openssl Docs

Helpful article. Thanks a lot.


Really Great Work!

Mr. (Ms.?) Flat Mountain:

Really, really good work on this. It isn't easy to write accurate, concise documentation like this - you've really hit the mark!
Thanks for your work; it's saved us lots of time. Lou

Serial and DB not updating

the certindex.txt isn't updating with new certs.

querie in 4 step

I don't understand the 4 step of the procedure.What did you do?
you make s cnf file named "openssl" and inside it you have an openoffice text?
It doesn't work to me!Sorry but I'm beginner....

Re: querie in 4 step

In step 4 I said to use an "ASCII text editor". This means something like vi, emacs, kwrite, etc. Everyone has their favorite text editor, so it doesn't matter which one you use to create a file with the text shown. But the file does have to be ASCII (aka "plain") text, not doc or odf or other file format. This file pre-sets a lot of options for you, so creating certificates is easier.


Just great stuff here.
Thanks a lot for this clear and helpfull walkthrough.



Great post, worked the first time...
After trying many other ways... wish I had found this one first


helpfull article

just another comment on how helpful this article has been. thanks.

Great Work

Great Work Done................


this is verry well done. i hope i'll find more of your articles.

Great job...

The documentation and step by step process in these pages is awesome. Thanks for the attention to detail. This is extremely useful.

Great article .... Good work

Great article .... Good work


Thanx!!!!!!!!!!!!!!!!! to whom it may concern

from the core of heart ,i appreciate the person who wrote this topic......
it is really a great job he did.......
provided step by step guidance as the work is done


Thanks a lot,
This article is really very well written
It worked well.


Very Helpful

Very helpful article, got it working fine.
Thanks for sharing!


This was a well written article.

Great work!

Really nice tutorial on

Really nice tutorial on openssl certificate. One note to those who uses such a self-signed certificate for their https site, it's better to remove the pass phrase from cakey.pem so you don't have to re-enter that every time you start your https server:

openssl rsa -in cakey.pem -out cakey.pem

enter the pass phase that you used in step 5) and you are golden.



I would like to know how to use this certificate with multiple email addresses.
like my private email and my gmail one.

please reply ASAP.


hey Its very simple.....

hey Its very simple..... Keep Signature same for all the emails...and use one browser...... It helps you for the above issue..