How do I convert a .crt file to PFX using OpenSSL?
How do I generate a self-signed certificate with SAN for localhost?
How do I convert PFX to PEM for Nginx or Apache?
Videos
You can do that in one command:
# Interactive
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
# Non-interactive and 10 years expiration
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
You can also add -nodes (short for "no DES") if you don't want to protect your private key with a passphrase. Otherwise, it will prompt you for "at least a 4 character" password.
The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.
Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).
Self-signed certificates are not validated with any third party, unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a certificate authority (CA).
As of 2025 with OpenSSL โฅ 3.0, the following command serves all your needs, including Subject Alternate Name (SAN):
openssl req -x509 -newkey ed25519 -days 3650 \
-noenc -keyout example.com.key -out example.com.crt -subj "/CN=example.com" \
-addext "subjectAltName=DNS:example.com,DNS:*.example.com,IP:10.0.0.1"
If you prefer a different crypto algorithm, you can replace -newkey ed25519 with one of:
-newkey rsa:4096 -sha512(if you need to support old browsers, or if you simply prefer RSA over ECC)-newkey ec -pkeyopt ec_paramgen_curve:secp384r1(if you prefer classic ECC)-newkey ed448(perhaps for the future, as ED448 is stronger than ED25519, but not supported by the browsers as of 2025)
On older systems with OpenSSL < 3.0, you need to replace -noenc with:
-nodes
On even older systems with OpenSSL < 1.1.1, such as Debian โค 9 or CentOS โค 7, a longer version of this command needs to be used, and some modern crypto algorithms such as ED25519 and ED448 are not available:
openssl req -x509 -newkey rsa:4096 -sha512 -days 3650 \
-nodes -keyout example.com.key -out example.com.crt -extensions san -config \
<(echo "[req]";
echo distinguished_name=req;
echo "[san]";
echo subjectAltName=DNS:example.com,DNS:*.example.com,IP:10.0.0.1
) \
-subj "/CN=example.com"
Each of the above commands creates a certificate that is
- valid for the domain
example.com(SAN), - also valid for the wildcard domain
*.example.com(SAN), - also valid for the IP address
10.0.0.1(SAN), - very strong (as of 2025) and
- valid for
3650days (~10 years).
The following files are generated:
- Private key:
example.com.key - Certificate:
example.com.crt
All information is provided at the command line. There is no interactive input that annoys you. There are no config files you have to mess around with. All necessary steps are executed by a single OpenSSL invocation: from private key generation up to the self-signed certificate.
Remark #1: Crypto parameters
Since the certificate is self-signed and needs to be accepted by users manually, it doesn't make sense to use a short expiration or weak cryptography.
In the future, there might be even better crypto algorithms, but as of 2025, ED448 is a very good choice. It is very strong and supported by all modern browsers.
Remark #2: Parameter "-noenc"
Theoretically you could leave out the -noenc parameter (formerly -nodes which meant "no DES encryption"), in which case example.key would be encrypted with a password. However, this is almost never useful for a server installation, because you would either have to store the password on the server as well, or you'd have to enter it manually on each reboot.
Remark #3: See also
Provide subjectAltName to openssl directly on command line
How to add multiple email addresses to an SSL certificate via the command line?
More information about MSYS_NO_PATHCONV
Hello everyone,
as the title says I need to find a trustworthy online CSR Generator.Unfortunately I absolutely have to use one and can't just use my Exchange or ISA Proxy to create a CSR.As in a online generator that doesn't require me to actually use a internal server to create the request. One where I manually set everything.
Thanks in advance and I hope this is the right subreddit for asking this. If not my apologies in advance.
I know that it's not particularly safe, just don't have any other options.