If you want to create a self-signed certificate using openSSL on your local machine which is running any Windows desktop version, continue reading. I was struggling to create any certificates that work with IdentityServer. After browsing a few hours and setting up my IdentityServer in a way that finally worked, I will tell you all the details about how to generate a working certificate.

If you want to generate a self-signed certificate on a Windows Server machine, there is a much simpler and much more convenient way described by Filip Ekberg to get the same result as described in this post.

Download and install OpenSSL

I use OpenSSL v1.0.1s for Win64 from SlProWeb.com. Everything mentioned in this post was tested with exactly this version of openSSL, although I am pretty sure that you could use any other openSSL installation. After downloading you need to install it on your local machine. If you don’t change the installation path it will install to C:\OpenSSL-Win64.

Add openSSL to the path variable (optional)

If you want to be able to run openSSL commands in your console from within every directory, you will need to add the path to the openSSL directory to your system path.

Creating a self-signed certificate

The program we need to create a self-signed certificate using openSSL is called openssl.exe and is located in C:\OpenSSL-Win64\bin.

1. Make sure to run your console as an administrator in order to be able to create any certificates.
2. If you configured your openSSL directory in your system path, that’s fine. Otherwise, you need to change your directory (cd) to C:\OpenSSL-Win64\bin.
3. Use the following lines to create your self-signed certificate:

openssl genrsa 2048 > private.key
openssl req -new -x509 -nodes -sha1 -days 1000 -key private.key > public.cer
openssl pkcs12 -export -in public.cer -inkey private.key -out cert_key.p12

The first line generates a new RSA 2048bit private key. 2048bit is required if you want to use IdentityServer. Depending on your scenario you might be required to change this setting to 1024bit if you need a 1024bit key.

The second line creates a new x509 certificate using the sha1 hashing algorithm which will remain valid for 1000 days. The private key generated by the first line acts as the input and the certificate which results from this process will be written to the public.cer file. This is your certificate.

During the process, you will be asked a few information that will be put into your certificate. Since you generate a self-signed certificate for testing purpose only it does not matter what information you enter. Just remember that this information will be visible to anyone having access to your generated certificate.

The third line combines your certificate and your private key to a pkcs12 archive file. It is standard to either use .p12 or .pfx as file extension for pkcs12 archives.

Conclusion

If everything worked as expected you should have the following artifacts on your local machine:

• A private.key file containing your private 2048bit RSA key
• A public.cer file containing your x509 certificate (which contains the public key and some extra information)
• A cert_key.p12 file containing your private key and your certificate

The cert_key.p12 is interesting if you want to use your self-signed certificate for IdentityServer. Otherwise, you might only need the first two files.

Please let me know about any questions or problems in the comments below.

Claudio Bernasconi

I'm an enthusiastic Software Engineer with a passion for teaching .NET development on YouTube, writing articles about my journey on my blog, and making people smile.