Creating Self-signed pfx and cer certificates with OpenSSL


Simon J.K. Pedersen

This is just a quick post about how to use OpenSSL to create certificates that you can use with IIS or Microsoft Azure. Of course you could use makecert.exe, but I generally prefer openssl, since I occasionally do Node.js and IOS development.

The information can be found elsewhere on the internet, but I always have too look around for it when I need it, so I decided to post the commands I recently used to generate certificates for a Azure point-to-site VPN.

To generate a self-signed certificate with OpenSSL use:

openssl req -x509 -days 365 -newkey rsa: -keyout cert.pem -out cert.pem

Replace with the number of bits you want to use, you should use 2048 or more.

This command guides you through the process of generating a x509 certificate with a private key, and saves it in the pem format. The pem cannot be used with Microsoft products, so we need to convert it to PKCS#12/PFX Format which is what Microsoft uses. That can be done with

openssl pkcs12 -export -in server-cert.pem -inkey cert.pem -out cert.pfx

To get the public certificate in cer format (which in actually called DER) we could import the pfx certificate into a certificate store on a window machine and export it from here, but it’s easier just to ask openssl to create the cer file for us.

openssl x509 -pubkey -outform der -in cert.pem -out cert.cer

That is it now you got a certificate pair you can use with Microsoft software.