DEV Community

Divesh Panwar
Divesh Panwar

Posted on

Generate SSL Certs Using OpenSSL

Hi Techies, this is a quick guide to generate openSSL certificates for your websites or applications on windows and Linux.


  • openssl on Linux
  • git and git bash or after installing git add <git_installtion_directory>/usr/bin to Path environment variable on the windows machine to use git bash from cmd or powershell
  • java jdk & keytool -- if you want to generate local keystore
In case you are modifying the environment variable on windows machine close all the open cmd, powershell windows and open the fresh cmd or powershell.


  • <country_code> : like IN or PK or NZ or US
  • <STATE>: like Karnataka, Himachal
  • <CITY>: like Shimla, Banglore
  • <ORGANISATION>: like Infy
  • <ORG_UNIT>: Unit of Organization like Marketing
  • <CANONICAL_NAME>: Hostname like
  • <IP_ONE>: IP of the server you after hosting the applicatiion like
  • <IP_TWO>: In case there are more than one IPS add them seperated by comma (,)
  • <password> : password of the cert file like abc@123
  • <keystore_pass> : the password of the keystore like abc@123
  • <public_crt_file>: name of the public certificate file, you can also give the location if not in the current directory like /home/public.crt
  • <alias> : alias for keystore unique per keystore like abc
  • <nameOfKeystore>: name of the keystore file, you can also specify the location like /home/kcacerts

Commands to Generate Certificates

  • openssl req -newkey rsa:4096 -x509 -days 3650 -out server_cert.pem -keyout server_key.pem -subj "/C=<country_code>/ST=<STATE>/L=<CITY>/O=<ORGANISATION>/OU=<ORG_UNIT>/CN=<CANONICAL_NAME>" -addext "subjectAltName = IP:<IP_ONE>,IP:<IP_TWO>" -passin pass:<password> -passout pass:<password>

  • openssl rsa -in server_key.pem -out unencrypted_server_key.pem -passin pass:<password> -passout pass:<password>

  • openssl x509 -outform der -in server_cert.pem -out server_cert.crt -passin pass:<password>

  • openssl pkcs12 -export -out server.p12 -inkey server_key.pem -in server_cert.pem -passin pass:<password> -passout pass:<password>

  • openssl rsa -in server_key.pem -out private.key

  • openssl req -new -key private.key -days 3650 -out public.crt -x509 -subj "/C=<country_code>/ST=<STATE>/L=<STATE>/O=<ORGANISATION>/OU=<UNIT>/CN=<CANONICAL_NAME>" -addext "subjectAltName = IP:<IP_ONE>,IP:<IP_TWO>"

For reference

  • private.key is your private key
  • public.crt is your public certificate
  • You can rename them to anything as per the application demand
  • For example in keycloak application you need tls.crt and tls.key so you can rename public.key --> tls.key && public.crt --> tls.crt

Commands to Generate Local Keystore

  • keytool -genkeypair -dname "CN=<CANONICAL_NAME>, OU=<ORG_UNIT>, O=<ORGANISATION>, C=<COUNTRY_CODE>, L=<CITY>, ST=<STATE>" -alias localhost -keypass <keystore_pass> -storepass <keystore_pass> -keyalg RSA -keysize 2048 -keystore <nameOfKeystore>
  • keytool -import -noprompt -file <public_crt_file> -keystore kcacerts -alias <alias> -storepass <keystore_pass>

Thanks for your time. Happy Coding

Discussion (0)