One main source of problems working with encryption is the creation of your private key and your certificate. You must create the key pair correctly, have it imported at the right place and if you just miss one important option, you can go on an endless hunt for the problem – one exception at the time.
Attention: use self-signed certificates only for testing proposes. For production, make a certificate request and get a properly signed certificate from a CA.
The certificate snap-in in mmc can create public/private key pairs. However, creating it this way means an endless list of dialog windows where you most likely miss an important setting. I tried it a few times, but whenever I needed a new certificate, I had a slightly different dialogue to work with. In my opinion, OpenSSL is a much better approach for reliable creation of certificates. The many options you have are well described in the the OpenSSL Cookbook.
Download and installation
The official site for OpenSSL lists various binary versions for Windows. The first project listed there is slproweb.com where you find the Win64 OpenSSL v1.1.1a package in the download section. The page looks old and outdated, but the binaries are frequently updated.
When the download is complete, execute the *.exe file and go through the wizard with Next.
Create your own certificate…
To create a self-signed certificate using an RSA 4096 key and the SHA256 hashing algorithm, you can run the following two commands. Be aware, you need the password you set later to import your certificate.
|
1 |
openssl req -x509 -newkey rsa:4096 -sha256 -keyout my.key -out my.crt -subj "/CN=test.com" -days 600 |
|
1 |
openssl pkcs12 -export -name “test.com” -out my.pfx -inkey my.key -in my.crt |
… and save it in the Windows key store
Open the mmc console and add the certificate snap-in for the computer. Expand the Certificate node (Certificates (Local Computer) / Personal / Certificates), right-click on certificates and select the import task:
Follow along the dialogue, select your *.pfx file and enter the password you set in the command line. In most cases it is a good idea to mark the private key as exportable:
At the end, you should see your newly created certificate among all other certificates:
Access your key
To verify that the key works as expected, you can now create a console application with this code in the main method to access the built-in Windows key store:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
public static void Main(string[] args) { var name = "test.com"; var store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.OpenExistingOnly); var collection = store.Certificates.Find(X509FindType.FindBySubjectName, name, false); store.Close(); if (collection.Count == 1) { var myCert = new X509Certificate2(collection[0]); Console.WriteLine($"Certificate '{myCert.FriendlyName}' is found"); Console.WriteLine($"Has private key? {myCert.HasPrivateKey}"); Console.WriteLine($"Private key: {myCert.PrivateKey.ToXmlString(true)}"); } else { Console.WriteLine("Certificate {0} is not found!!", name); } Console.ReadKey(); } |
If all works, you should get an output like this one:
If you get a CryptographicException with the message “Keyset does not exist” instead, check the permissions of the private key first. It may just need a simple fix as described here.
Conclusion
If you know those two OpenSSL commands, you can create as many certificates as you like. The export to pfx step is a tricky one, but as soon as you know that command as well, it is much simpler than the mmc alternative.
1 thought on “Create Self-Signed Certificates Using OpenSSL on Windows”