Generate a Self-Signed Certificate

Updated
  • Updated on Dec 3, 2025
  • Published on Oct 21, 2025
  • 1 minute(s) read
  • AK
  • AH
  • Kevin Lidstone
 Prev Next

To generate a self-signed certificate, execute the following commands in a terminal on a machine with OpenSSL installed:

# generate CA DER certificate and private key
openssl req -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -outform DER -days 365 -nodes

# generate TLS private key
openssl genpkey -algorithm RSA -outform DER -out tls.key -pkeyopt rsa_keygen_bits:2048

# generate certificate request for TLS certificates
openssl req -new -key tls.key -out ca.csr -outform DER

# sign TLS certificate with CA certificate
openssl x509 -req -inform DER -in ca.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt -days 365 -outform DER

# convert certificates to PEM format needed to add to other systems trusted certificate store
openssl x509 -in ca.crt -inform DER -out ca.pem -outform PEM
openssl x509 -in tls.crt -inform DER -out tls.pem -outform PEM

© 2025 Cisco and/or its affiliates. All rights reserved.

For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms
For legal information about Accedian Skylight products, please visit: Accedian legal terms and trademarks