How to Create a Self-signed Client Certificate with OpenSSL

Mert Ilis
3 min readOct 20, 2020

I have posted before about creating self-signed client certificates with makecert utility. Today I’d like to describe step by step how we can do it with OpenSSL.

Client certificates are essential for mutual SSL authentication. During development and testing, I usually need self-signed ones for simplicity.

First, we need to create a Root CA certificate which will be used for creating the Server and Client certificates.

To make it simple, I’ve added the passwords to the commands (with the value “changeme”)!

openssl genrsa -aes256 -passout pass:changeme -out ca.pass.key 4096

This command creates an encrypted RSA private key for CA Root.

openssl rsa -passin pass:changeme -in ca.pass.key -out ca.key

This command extracts RSA private key.

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

This command creates the root certificate with the key. For this request, I supplied some dummy information for the fields Country Name, State or Province Name, Locality Name (eg, city) [Default City], Organization Name (eg, company) [Default Company Ltd], Organizational Unit Name (eg, section), Email Address.

--

--

Mert Ilis

I’m a software development enthusiast who likes trying different web technologies and adding value to his team.