Create and sign certs with OpenSSL

In this video, I talk about how to create and sign certs with OpenSSL (and convert them to PFX for Windows). This came out of my complete inability to ever remember how to do any of this, so I created a cheat sheet and then recorded this video off of it.

Cheat sheet below:

Self-signed

Generate a new private key:
openssl genrsa -out blah.key 4096

Create a self-signed cert from the private key:
openssl req -x509 -key blah.key -out blah.pub -days 365

Verify the certificate:
openssl x509 -noout -text -in blah.pub

Do all of the above in a single command:
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365 -nodes

Convert to pfx:
openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.pfx

Using a key to sign another:

Generate a new private key

Create a CSR from the private key:
openssl req -new -key blah.key -out signable.csr

Do both in the same step:
openssl req -newkey rsa:4096 -out signable.csr -keyout signable.key -nodes

Sign the CSR with the CA cert:
openssl x509 -req -in signable.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out signable.crt -days 365

Export as PFX:
openssl pkcs12 -export -in signable.crt -inkey signable.key -out signable.pfx


For more on me: https://brianparks.me