Child pages
  • Create a self-signed CA & client certificate with OpenSSL
Skip to end of metadata
Go to start of metadata


This article was written for version 1.0.1f of openssl, it could work on both lower and higher version if nothing else is stated.

Articles in the Community-Space are not supported by op5 Support.

This is a short instruction on how you can create your own CA certificate & then generate a client certificate based on this CA.


Generate CA key & certificate - fill out the information when asked for such as country & organization name.

openssl genrsa -out MyRootCA.key 2048
openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem

Generate client key & certificate signing request - fill out info
IMPORTANT: CN / Common Name should be the clients IP or FQDN

openssl genrsa -out MyClient1.key 2048
openssl req -new -key MyClient1.key -out MyClient1.csr

Generate client certificate based on our own CA certificate

openssl x509 -req -in MyClient1.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out MyClient1.pem -days 1024 -sha256

  • No labels