User Tools

Site Tools

Please note, that this is an old archived version of this site. Check out the new version at!

Generate a Test Key

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout testkey.key -out testkey.crt

Informations about the used arguments from the OpenSSL man page:

  • req: PKCS#10 certificate request and certificate generating utility.
  • -x509: this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option 0 will be used for the serial number.
  • -nodes: if this option is specified then if a private key is created it will not be encrypted.
  • -days 365: when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.
  • -newkey rsa:2048: this option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size. If nbits is omitted, i.e. -newkey rsa specified, the default key size, specified in the configuration file is used.
  • -keyout testkey.key: this gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used.
  • -out testkey.crt: this specifies the output filename to write to or standard output by default.

Now you can pack the key into a PKCS#12 container:

openssl pkcs12 -export -out testkey.p12 -inkey testkey.key -in testkey.crt

Informations about the used arguments from the OpenSSL man page:

  • pkcs12: PKCS#12 file utility.
  • -export: this option specifies that a PKCS#12 file will be created rather than parsed.
  • -out testkey.p12: the filename to write certificates and private keys to, standard output by default. They are all written in PEM format.
  • -inkey testkey.key: file to read private key from. If not present then a private key must be present in the input file.
  • -in testkey.crt: this specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.
info/cryptography/openssl/generate_key.txt · Last modified: 2014-11-20 08:13 by andunix