These steps can be used to create a self-signed certificate authority (CA).
The steps below generate the CA.
First generate the private key for the CA.
To generate an elliptic curve key:
openssl ecparam -name prime256v1 -genkey -noout -out key.pem
Or for RSA:
openssl genrsa -out key.pem 2048
Generate the CA certificate using the key created in the previous step:
openssl req -x509 -sha256 -new -nodes -key key.pem -days 3650 -out CA.pem
You will then be left with two files:
CA.pem: The actual CA certificate
key.pem: The private key for the CA
If the CA certificate needs to be exported in PKCS#12 format:
openssl pkcs12 -export -out CA.pfx -in CA.pem -inkey key.pem
These steps are used to create the certificate that will be used by the clients and/or servers.
As with the CA, create a private key for the client/server:
openssl ecparam -name prime256v1 -genkey -noout -out client-key.pem
Or for RSA:
openssl genrsa -out client-key.pem 2048
Create a certificate request for the client using the key that was generated:
openssl req -new \
-key client-key.pem \
-out client-req.pem
Generate the certificate:
openssl x509 -req -days 3650 -set_serial 01 \
-in client-req.pem \
-out client-cert.pem \
-CA CA.pem \
-CAkey key.pem
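
The whole procedure above as one non-interactive script, followed by two checks worth running on the result: that the issued certificate verifies against the CA, and that it carries the public key of client-key.pem. This is an added example, not part of the original page; the -subj values, the function names and the temporary directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the page's commands run non-interactively, then checked.
# Subjects and the temp directory are constructed sample values.

issue_test_chain() {  # $1 = empty working directory
    (
        umask 077                      # keep the private keys owner-only
        cd "$1" || exit 1
        # CA key and self-signed CA certificate (EC variant from the page)
        openssl ecparam -name prime256v1 -genkey -noout -out key.pem &&
        openssl req -x509 -sha256 -new -nodes -key key.pem -days 3650 \
            -subj "/CN=Example Test CA" -out CA.pem &&
        # Client/server key, request and certificate. The subject must
        # differ from the CA's, or the result looks self-signed and
        # fails verification.
        openssl ecparam -name prime256v1 -genkey -noout -out client-key.pem &&
        openssl req -new -key client-key.pem \
            -subj "/CN=client.example.test" -out client-req.pem &&
        openssl x509 -req -days 3650 -set_serial 01 \
            -in client-req.pem -out client-cert.pem \
            -CA CA.pem -CAkey key.pem
    ) >/dev/null 2>&1
}

verifies_against() {  # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {  # $1 = private key, $2 = certificate
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Stand-alone run: build one chain in a fresh directory and check it.
work=$(mktemp -d) &&
issue_test_chain "$work" &&
verifies_against "$work/CA.pem" "$work/client-cert.pem" &&
key_matches_cert "$work/client-key.pem" "$work/client-cert.pem" &&
echo "client-cert.pem chains to CA.pem and matches client-key.pem ($work)"
```

The same two functions can be pointed at files produced by the interactive commands; a certificate signed by a different CA, or paired with the wrong key, makes them return non-zero.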