
Gen Cert

The document provides a tutorial on how to generate secure self-signed server and client certificates with OpenSSL. It details the steps to generate a certificate authority private key and certificate. It then explains how to generate private keys and certificate signing requests for servers and clients, and how to sign the requests to generate the final certificates. The tutorial breaks the process down into clear individual steps and provides example commands for each step.

Uploaded by

Bhaskar K

TUTORIAL: How to Generate Secure Self-Signed Server and Client Certificates with OpenSSL

For testing purposes, it is necessary to generate secure self-signed server and client certificates. However, I
have found that many tutorials available on the web are complicated, and they do not cover certificates that use
safe algorithms. And so, since “necessity is the mother of invention”, I decided to create a simple tutorial and
share it with all of you!

Why OpenSSL?

I choose to use OpenSSL because it is available on all platforms (Linux, macOS, Windows), which means this
tutorial can be followed on any platform.

About the Steps

While there are many steps in this process, please do not worry. My goal is to make this as simple as possible
for you, and so I have broken every action down into a single step. This way, everything should be clear,
and my hope is that you won’t waste time or get frustrated along the way. There is one requirement before
starting all of this: you’ll need to have OpenSSL. Ok, ready? Let’s get started!

Step 1 - Certificate Authority

Step 1.1 - Generate the Certificate Authority (CA) Private Key

Every certificate must have a corresponding private key. Generate this using the following command line:

This will create a 256-bit private key over an elliptic curve, which is the industry standard. We know that
Curve25519 is considered safer than this NIST P-256 curve but it is only standardized in TLS 1.3 which is not
yet widely supported.

Step 1.2 - Generate the Certificate Authority Certificate

The CA generates and issues certificates. Here is a link to additional resources if you wish to learn more
about this.

Generate the Root CA certificate using the following command line:

You will be prompted to provide some information about the CA. Here is what the request looks like:

Below is an example using information that is specific to Devolutions (replace with your own specific
information):

Your CA will be created once you enter your information.

Step 2: Server Certificate

This step may be repeated for each server you need.

Step 2.1 - Generate the Server Certificate Private Key

To generate the server private key, use the following command line:

This will create a file named server.key.

Step 2.2 - Generate the Server Certificate Signing Request

To generate the server certificate signing request, use the following command line:

For maximum security, we strongly recommend that the signing request should only be
generated on the server where the certificate will be installed. The server private key should
never leave the server!

You will be prompted to provide some information about the server certificate. You can enter the same
information you used for the CA certificate. For example:

In addition, you will be prompted to create a password. Make sure to use a long, strong, and unique
password. Here is an example (do not use this one!):

Step 2.3 - Generate the Server Certificate


You are now ready to generate the server certificate, which can be done through the following command
line:

This step should only be performed on the Certificate Authority server as the CA private key
should never leave the host where it has been generated. You must transfer the signing request
to the CA server.

Step 3: Client Certificate

This step may be repeated for each client you need.

Step 3.1 - Generate the Client Certificate Private Key

Use the following command line to create the client certificate private key:

This will create a file named “client1.key”.

Step 3.2 - Create the Client Certificate Signing Request

You need to create a signing request to generate a certificate with the CA. Use the following command line:

For maximum security, we strongly recommend that the certificate signing request should only
be generated on the client where the certificate will be installed. The client private key should
never leave the client!

Next, you will be prompted to submit information about the client certificate. You can enter the same
information as the CA certificate, except for the last two entries: Common Name and Email Address. These
should be the name and email of an individual and not your company. For example:

You will also be asked to set a password on the certificate signing request. Once again, make sure that you
choose a strong and safe password. Here is an example (do not use this one!):

Step 3.3 - Generate the Client Certificate

You are now ready to generate the client certificate, which can be done through the following command line:

This step should only be performed on the Certificate Authority server as the CA private key
should never leave the host where it has been generated. You must transfer the signing request
to the CA server.

We recommend generating a single certificate for each client, as this lets you quickly identify
the affected client in the event of an issue or problem. For maximum security, the client private
key should remain on the client and never be copied to another host.
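
Steps 1 to 3 run end to end, as an added example that is not the tutorial's own commands: the file names, subject fields and the host name server.example.test are assumptions, and `-subj` replaces the interactive prompts. Everything runs in one directory for the demonstration; in practice only the .csr files travel to the CA host.

```shell
#!/bin/sh
# Added example: CA -> server -> client issuance with P-256 keys.
# File names, subjects and the host name are assumptions, not the tutorial's.
set -eu

new_key() {   # $1 = key file: 256-bit EC key on NIST P-256 (prime256v1)
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

new_csr() {   # $1 = key, $2 = subject, $3 = CSR; -subj replaces the prompts
    openssl req -new -sha256 -key "$1" -subj "$2" -out "$3"
}

sign_csr() {  # $1 = CSR, $2 = extension file, $3 = certificate (run on the CA host)
    openssl x509 -req -sha256 -days 365 -in "$1" -extfile "$2" \
        -CA ca.crt -CAkey ca.key -CAcreateserial -out "$3"
}

build_pki() ( # $1 = output directory; succeeds only if both leaves verify
    umask 077                      # keys are created readable by the owner only
    mkdir -p "$1"
    cd "$1"
    # Step 1: CA private key and self-signed CA certificate
    new_key ca.key
    openssl req -new -x509 -sha256 -days 3650 -key ca.key \
        -subj "/O=Example Org/CN=Example Test Root CA" -out ca.crt
    # Step 2: server key and CSR (made on the server), then signed by the CA
    new_key server.key
    new_csr server.key "/O=Example Org/CN=server.example.test" server.csr
    printf '%s\n' 'subjectAltName=DNS:server.example.test' \
        'extendedKeyUsage=serverAuth' > server.ext
    sign_csr server.csr server.ext server.crt
    # Step 3: client key and CSR (made on the client), then signed by the CA
    new_key client1.key
    new_csr client1.key "/O=Example Org/CN=Client One" client1.csr
    printf '%s\n' 'extendedKeyUsage=clientAuth' > client1.ext
    sign_csr client1.csr client1.ext client1.crt
    # Both leaf certificates must chain to the CA
    openssl verify -CAfile ca.crt server.crt client1.crt
)

build_pki "${1:-./test-pki}"
```

The separate extension files restrict each certificate to one role (serverAuth or clientAuth) and give the server certificate the subjectAltName that TLS clients match the host name against.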

I hope that you’ve found this tutorial simple and helpful. If you have any questions or comments, please post
your feedback below!
