SSL certificates are cool. They will be used more and more. This tutorial should be used only on development and/or test environments!

For a production environment please use the already trusted Certificate Authorities (CAs).

This key & certificate will be used to sign other self signed certificates. That will be covered in another tutorial.

here's a video:


Generate the CA key

You'll be prompted to enter a password.

openssl genrsa -des3 -out myCA.key 2048


Generate the Certificate

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.pem


3650 means that it will be valid for 10 years. Yes!

You can optionally remove the password from the key. For development purposes it would most likely be OK.


Make a backup of the original key

Linux/Mac: cp myCA.key myCA.key.with_pwd
Windows: copy myCA.key myCA.key.with_pwd

Export the CA key without a password

This is useful so you don't have to keep track of the password and/or use a script to sign self-signed SSL certificates.

openssl rsa -in myCA.key.with_pwd -out myCA.key


Convert the CA certificate from .PEM to .CRT format

openssl x509 -outform der -in myCA.pem -out myCA.crt


You may get the following errors:

How to fix OpenSSL error unable to write random state.

To fix this use this in the command line.



set RANDFILE=.rnd


export RANDFILE=.rnd


Another OpenSSL WARNING: can't open config file: /apache24/conf/openssl.cnf


This is fixable by setting an ENV variable that points to this file. I have copied this from my current Apache installation.

If you don't have it download it from this gist:

Windows: set OPENSSL_CONF=openssl.cnf

Linux: export OPENSSL_CONF=openssl.cnf