Creating a self-signed certificate

In certain contexts, obtaining a certificate from a third-party certificate authority (CA) is unnecessary. In these cases, you can create a self-signed certificate.

About this task

A self-signed certificate consists of a public/private key pair and a certificate for the public key that is signed by the private key. It is also known as a root certificate because it can be used to create a Certificate Authority.

Self-signed certificates can also be used in simple scenarios when both the client and the server are known to each other and can exchange certificates securely out-of-band.

The following steps describe how to create a self-signed certificate with the OpenSSL toolkit and openssl commands. However, you can use a different key management tool of your choice.

To generate a self-signed certificate:


  1. Open the openssl command line to create and initialize a new PKCS12 key store.
  2. Create a new self-signed certificate:
    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj /
  3. Create a PKCS12 file :
    openssl pkcs12 -export -in cert.pem -inkey key.pem -out myfile.p12 -name "Alias of cert"