How to create a public / private key pair using OpenSSL on Windows

Home > Search > How-to

A trusted certificate will be one that we will buy from a trusted CA (certificate authority) such as However, for non-production applications we can make our own self-signed certificate. The reason we want an SSL Certificate is so that the packets that are transmitted between the server and clients over the Internet are encrypted.  This way, if a hacker captures the traffic, the packets will be encrypted, and the hacker should not be able to decrypt the packets. If OpenSSL is not installed, install OpenSSL.

When creating a public/private key pair, we want to create three files:

  • Public certificate file ( C:\Program Files\GnuWin32\share\certs\
  • Certificate Signing Request (CSR) file ( C:\Program Files\GnuWin32\share\misc\
  • Private key file ( C:\Program Files\GnuWin32\share\private\


Private key (aka Client certificate)

Using Command Line, change to the directory that contains the openssl.exe program:

cd "C:\program files\gnuwin32\bin\"


Start OpenSSL:



Display the current version of OpenSSL:

OpenSSL> version
OpenSSL 0.9.8h 28 May 2008


Use this command to create a private key. This will create a file named

OpenSSL> genrsa -out C:\Program Files\GnuWin32\share\private\ 2048



Certificate Signing Request (CSR) file

Let's create the certificate signing request file. This will create a file named The file is used to sign the (public key) file. Move the the /etc/pki/tls directory, and then create the CSR file. When using this command, issue the command as one long string. I just placed every option on a new line to make it easier to read and understand.

OpenSSL> req -new -key C:\Program Files\GnuWin32\share\misc\ -out

There will be a series of prompts.

Area Example Description
Country Name US United States
State/Province FL Florida
Locality Name Miami City
Organization Name Acme Widgets Company name
Organization Unit Name Acem Widgets Company name
Common Name Domain name
Email Address Admin email

It is important to ensure that mail or ftp or www and .com are used in the common name.  When requesting an HTTPS page from a remote network, the certificate, private key, and ssl.conf must have www and .com.


Public certificate (aka Server certificate)

Use this command a self signed public key. The public key is signed using the CSR file.

OpenSSL> x509 -req -days 365 -in C:\Program Files\GnuWin32\share\misc\ -signkey C:\Program Files\GnuWin32\share\misc\ -out C:\Program Files\GnuWin32\share\certs\



Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter in the box below so that we can be sure you are a human.