Creating a self-signed PKCS#12 (.p12) certificate using OpenSSL

This article describes how to create a self-signed PKCS#12 (.p12) certificate using OpenSSL, for use with AOL Instant Messenger and Microsoft Outlook.

Frequently Asked Questions

Why use a certificate to encrypt your communications?
An average email or instant message will pass through many servers and many miles of cables before it arrives at the intended recipient. It can be read, scanned, or modified anywhere along the way. The consistent use of SSL certificates will make it more difficult for data to be compromised, and will increase the integrity of electronic communications.
Why make a self-signed certificate?
The average consumer cannot afford to buy a SSL certificate from a recognized certification authority (CA), such as Verisign or Thawte. These can cost over $400 each year. This is because they are signed by the CA, and they verify personal identity and the integrity of the certificate. For no cost, anyone can create a self signed certificate by following the steps in this tutorial.
Are self signed certificates less effective than purchased certificates?
No, all certificates use the same standardized technology, and are therefore equally effective at encrypting data. Modern certificates use technologies called Secure Socket Layer (SSL) and Transport Layer Security (TLS). These certificates were created to protect and encrypt the connection between the sender and the recipient. They were not created to verify identity, which is what purchased certificates do.
Why not use a publicly downloadable certificate?
A digital certificate is basically a neatly packaged password protected file that contains a public key and a private key. The encryption algorithm allows a computer or software program to encrypt text using the public key portion that can only be decrypted by the matching private key pair. When secured communication is desired, the program shares the public key to the other party. The other party’’s application encrypts the information with the public key and it is decrypted with the private key. This concept is known as “Public Key Cryptography”.

If everyone on the internet uses the same public- private key pair (as with AIM Encrypt), then this is not secure. All the data that is encrypted using the free certificate can be easily decrypted by anyone, even those who are not the intended recipient. It gives users a false sense of security, which is worse than no security at all.

Software Needed

Certain files are needed to create a self signed certificate. The program that is used is called OpenSSL. OpenSSL is a free, open source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols as well as a full-strength general purpose cryptography library. Basically, it is an accumulation of files that can be used together to create SSL certificates. Because this is an open source program, there are many different sources for downloading this program. This tutorial uses the download links below, and these are the links that are tested to work.

1. First, download a Win32 binary from a desired location.
Download (ZIP): Stunnel.org OpenSSL Binary (updated link)

2. Now, download the configuration file. These files are plain text, and are necessary to create a self signed certificate.
Download (ZIP): Dragotown.com OpenSSL addon files 3.18KB

3. Extract the first zip file (from Stunnel.org) into a folder. Extract the second zip file (from Dragotown.com) into the same folder. Then make sure all settings are correct so that openssl.exe and all related files can be run from within that directory.

4. Start the command line by opening the extracted folder and opening the file “openssl.exe” This will open a command prompt where the below prompts can be entered.

Command Line

1. Create a new Certificate Authority (CA).

prompt> req -new -x509 -keyout p_ca_key.pem -out ca_cert.pem -days 1024 -config openssl.cnf
Loading ''screen'' into random state - done
Generating a 1024 bit RSA private key
.......................++++++
......++++++
writing new private key to ''p_ca_key.pem''
Enter PEM pass phrase: set your CA password here
Verifying - Enter PEM pass phrase: verify your CA password here
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ''.'', the field will be left blank.
-----
Country Name (2 letter code) [US]: press Enter to use default [Required]
State or Province Name (full name) [ ]: enter your state [Required]
Locality Name (eg, city) [optional] [ ]:
Organization Name (eg, company) [ ]: enter your organization here [Required]
Organizational Unit Name (eg, section) [optional] [ ]:
Common Name (eg, YOUR name) [required] [ ]: enter your name here [Required]
Email Address [optional] [ ]: 

2. Sign X.509 certificate with self-generated CA.

prompt> x509 -in ca_cert.pem -days 1024 -out ca_cert.crt -signkey p_ca_key.pem
Loading ''screen'' into random state - done
Getting Private key
Enter pass phrase for p_ca_key.pem: enter your CA password here

3. Create a certificate request.

prompt> req -new -keyout newreq.pem -out newreq.pem -days 1024 -config openssl.cnf
Loading ''screen'' into random state - done
Generating a 1024 bit RSA private key
.......................................++++++
........++++++
writing new private key to ''newreq.pem''
Enter PEM pass phrase: set your Certificate password here (doesn't have to be same as CA password)
Verifying - Enter PEM pass phrase: verify your Certificate password here
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ''.'', the field will be left blank.
-----
Country Name (2 letter code) [US]: optional
State or Province Name (full name) [ ]: optional
Locality Name (eg, city) [optional] [ ]: optional
Organization Name (eg, company) [ ]: optional
Organizational Unit Name (eg, section) [optional] [ ]: optional
Common Name (eg, YOUR name) [required] [ ]: in AIM, shows up as "Signed By", basically it''s YOU [Required]
Email Address [optional] [ ]: optional

4. Sign your certificate with the self-created CA (Some problems may occur here; if the error “wrong number of fields on line 1″ occurs, make sure that index.txt is set at 0 bytes).

prompt> ca -config openssl.cnf -policy policy_anything -out newcert.pem -days 1024 -infiles newreq.pem
Using configuration from openssl.cnf
Loading ''screen'' into random state - done
Enter pass phrase for ./p_ca_key.pem: enter your CA password here
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 9 12:37:54 2004 GMT
Not After : Dec 28 12:37:54 2006 GMT
Subject:
commonName = Secure.sylikc.NET
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
13:17:A0:8C:69:9C:EE:01:77:4F:0A:7C:1E:C2:A8:03:8B:45:33:DF
X509v3 Authority Key Identifier:
keyid:FE:E5:FC:AF:C5:D5:42:38:A4:89:87: 6B:19:6E:0F:0F:9F:33:C9:41
DirName:/C=US/ST=California/O=sylikc.NET/CN =Secure.sylikc.NET
serial:00
Certificate is to be certified until Dec 28 12:37:54 2006 GMT (1024 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated 

5. Create a certificate package (PKCS#12) understood by your software program (AIM/Outlook/etc). Customize the Firstname/Lastname string. Also, keep “mycert.p12″ safe; this gives full access to the data the certificate has encrypted.

prompt> pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile ca_cert.crt -name "Firstname Lastname" -out mycert.p12
Loading ''screen'' into random state - done
Enter pass phrase for newreq.pem: enter your Certificate password here
Enter Export Password: set the password that will protect your PKCS#12 package here
Verifying - Enter Export Password: verify the password here

6. A new certificate (mycert.p12) has been saved in the root folder. This can now be imported into AOL Instant Messenger and Microsoft Outlook to encrypt and sign electronic messages.

Notes

The authors have no responsibility for the accuracy of this content. The authors also have no responsibility for any damage that is done to your computer as a result of the use of the files provided on this page or these instructions. You assume all responsibility for your actions as a result of these instructions.

Please note that cryptographic materials, such as OpenSSL, are illegal in some countries and localities. Please check your local laws before following any of these steps.

Read more articles regarding OpenSSL.