====== Generate a Test Key ======

  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout testkey.key -out testkey.crt

Information about the arguments used, from the OpenSSL man page:

  * ''[[http://www.openssl.org/docs/apps/req.html|req]]'': PKCS#10 certificate request and certificate generating utility.
  * ''[[http://www.openssl.org/docs/apps/req.html#item__x509|-x509]]'': this option outputs a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, 0 will be used for the serial number.
  * ''[[http://www.openssl.org/docs/apps/req.html#item__nodes|-nodes]]'': if this option is specified, then if a private key is created it will not be encrypted.
  * ''[[http://www.openssl.org/docs/apps/req.html#item__days|-days 365]]'': when the -x509 option is being used, this specifies the number of days to certify the certificate for. The default is 30 days.
  * ''[[http://www.openssl.org/docs/apps/req.html#item__newkey|-newkey rsa:2048]]'': this option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size. If nbits is omitted, i.e. -newkey rsa is specified, the default key size specified in the configuration file is used.
  * ''[[http://www.openssl.org/docs/apps/req.html#item__keyout|-keyout testkey.key]]'': this gives the filename to write the newly created private key to. If this option is not specified, then the filename present in the configuration file is used.
  * ''[[http://www.openssl.org/docs/apps/req.html#item__out|-out testkey.crt]]'': this specifies the output filename to write to, or standard output by default.

Now you can pack the key into a PKCS#12 container:

  openssl pkcs12 -export -out testkey.p12 -inkey testkey.key -in testkey.crt

Information about the arguments used, from the OpenSSL man page:

  * ''[[http://www.openssl.org/docs/apps/pkcs12.html|pkcs12]]'': PKCS#12 file utility.
  * ''[[http://www.openssl.org/docs/apps/pkcs12.html#item__export|-export]]'': this option specifies that a PKCS#12 file will be created rather than parsed.
  * ''[[http://www.openssl.org/docs/apps/pkcs12.html#item__out|-out testkey.p12]]'': the filename to write certificates and private keys to, standard output by default. They are all written in PEM format. (That wording is the man page's description for parsing mode; with ''-export'', the file written is the PKCS#12 container.)
  * ''[[http://www.openssl.org/docs/apps/pkcs12.html#item__inkey|-inkey testkey.key]]'': file to read private key from. If not present then a private key must be present in the input file.
  * ''[[http://www.openssl.org/docs/apps/pkcs12.html#item__in|-in testkey.crt]]'': this specifies filename of the PKCS#12 file to be parsed. Standard input is used by default. (With ''-export'', ''-in'' is instead the PEM file the certificate is read from.)

{{tag>cryptography howto openssl security}}
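
The two commands above can be run without prompts and the result checked. The script below is an added example, not part of the original page: it creates the key, certificate and PKCS#12 container, then confirms that all of them carry the same public key. The function names, the ''-subj'' value and the ''P12_PASS'' variable are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, the -subj value
# and the P12_PASS variable are assumptions made for this illustration.

# make_test_bundle DIR PASSPHRASE: run the page's two commands without prompts.
# The passphrase is handed over via env: so it stays out of the argument list.
make_test_bundle() {
    dir=$1 pass=$2
    (
        umask 077   # key and bundle are created readable by the owner only
        mkdir -p "$dir" && cd "$dir" || exit 1
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=test.example" \
            -keyout testkey.key -out testkey.crt &&
        P12_PASS=$pass openssl pkcs12 -export -out testkey.p12 \
            -inkey testkey.key -in testkey.crt -passout env:P12_PASS
    )
}

# spki_digest: SHA-256 of the PEM public key on stdin; prints nothing if empty.
spki_digest() {
    pem=$(cat)
    if [ -n "$pem" ]; then
        printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
    fi
}

# verify_bundle DIR PASSPHRASE: succeed only if the key file, the certificate
# and both objects inside the PKCS#12 container carry the same public key.
verify_bundle() {
    dir=$1 pass=$2
    k=$(openssl pkey -in "$dir/testkey.key" -pubout 2>/dev/null | spki_digest)
    c=$(openssl x509 -in "$dir/testkey.crt" -noout -pubkey 2>/dev/null | spki_digest)
    pc=$(P12_PASS=$pass openssl pkcs12 -in "$dir/testkey.p12" -nokeys \
            -passin env:P12_PASS 2>/dev/null |
         openssl x509 -noout -pubkey 2>/dev/null | spki_digest)
    pk=$(P12_PASS=$pass openssl pkcs12 -in "$dir/testkey.p12" -nocerts -nodes \
            -passin env:P12_PASS 2>/dev/null |
         openssl pkey -pubout 2>/dev/null | spki_digest)
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$pc" ] && [ "$k" = "$pk" ]
}

# Usage: make_test_bundle ./out 'passphrase' && verify_bundle ./out 'passphrase'
```

''verify_bundle'' also fails when the passphrase is wrong or a file is missing, because an empty extraction never yields a digest.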