Generating an SSL Certificate on Windows

OpenSSL executable

Find the openssl.exe file in “\Git\mingw64\bin” and add that folder to the system PATH environment variable if it is not already there.

  1. Open System Properties.
  2. Click on Environment Variables.
  3. Under System variables, edit Path and add “C:\Program Files\Git\mingw64\bin” (adjust the path to match your computer), then click OK.

The Three Steps To Become Your Own Certificate Authority in Windows 10

Step 1 – Create a Private Key

In these steps, you will create a root SSL certificate that you can use to sign as many local development sites as you need.

You only need to do this first part once.

Once your root SSL is added to Windows 10, you can skip to issuing certificates for all your new local domains.

Create a folder called SSL in your user folder (user->username->SSL).

Open your command prompt, navigate to that SSL folder and follow the instructions below.

Type in the following command and enter a password for the private key.

openssl genrsa -des3 -out rootSSL.key 2048


Step 2 – Create the Certificate File

In this step, we are going to create a certificate file called rootSSL.pem from the private key we created in the previous step.

Note: you can choose to create a certificate file that lasts for X number of days. We’re going to choose 3000 days in this example, but you can select any amount – the longer, the better.

Type in the following command:

openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem

Enter the password for the root SSL key we created in step 1.

Then, enter the information to insert in the SSL certificate:

  • Two letter Country code: I use “Ca” for Canada.
  • Your state or province: I use “Ontario”.
  • Your city: I use “Ottawa”.
  • An organisation name: I use “impressto”.
  • An organisational unit name: I use “Development”.
  • A common name such as the server name or the fully qualified domain name: I use “impressto.localhost”.
  • An admin email address: I use myimpresstoemailaddress.

You don’t have to put your legit information in here as we’re only running SSL certificates on the local development environment, but I like to do it properly.

Step 3 – Get Windows to Trust the Certificate Authority (CA)

We are going to use the Microsoft Management Console (MMC) to trust the root SSL certificate.

  • Step 1 – Press the Windows key + R
  • Step 2 – Type “MMC” and click “OK”
  • Step 3 – Go to “File > Add/Remove Snap-in”
  • Step 4 – Click “Certificates” and “Add”
  • Step 5 – Select “Computer Account” and click “Next”
  • Step 6 – Select “Local Computer” then click “Finish”
  • Step 7 – Click “OK” to go back to the MMC window
  • Step 8 – Double-click “Certificates (local computer)” to expand the view
  • Step 9 – Select “Trusted Root Certification Authorities”, right-click “Certificates” and select “All Tasks” then “Import”
  • Step 10 – Click “Next” then Browse and locate the “rootSSL.pem” file we created in step 2
  • Step 11 – Select “Place all certificates in the following store” and select the “Trusted Root Certification Authorities store”. Click “Next” then click “Finish” to complete the wizard.

Browse the certificates to see yours in the list.

Now you can start issuing SSL certificates for all your local domains.

Create a Private Key for the New Domain

We’re going to create a file called “impressto.localhost.key” which contains the private key information for that domain.

In the same administrator command window type the following:

openssl req -new -sha256 -nodes -out impressto.localhost.csr -newkey rsa:2048 -keyout impressto.localhost.key ^
 -subj "/C=AU/ST=NSW/L=Sydney/O=Client One/OU=Dev/CN=client-1/emailAddress=user@impressto.com"

When you are issuing certificates for your own local domains, replace “client-1.local” with your local server domain name.

You can also change the “-subj” parameter to reflect your country, state, location etc.

Issue the New Certificate Using the Root SSL Certificate

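The certificate extensions, including the subjectAltName, have to be supplied in a file: the -extensions option of openssl x509 only names a section inside a file passed with -extfile, so extension text given directly on the command line is not applied. Save the following four lines as impressto.localhost.ext in the SSL folder:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=DNS:client-1.local

Then, in the same administrator command window, type the following:

openssl x509 -req -in impressto.localhost.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out impressto.localhost.crt ^
 -days 1000 -sha256 -extfile impressto.localhost.ext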
When you are issuing certificates for your own local domains, replace “client-1.local” with your local server domain name.

Enter the password for the root SSL certificate when prompted.


You can see all the files we have created; “impressto.localhost.crt” and “impressto.localhost.key” are the files you will need to add to your web server configuration for the local development site.
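
A quick check of the result, as an added example that is not part of the original post: this PowerShell function (Test-LocalDevCert is a hypothetical name) loads rootSSL.pem and the issued .crt from the SSL folder and reports whether the root is in the machine's Trusted Root store, whether the site certificate chains to it, and whether its subjectAltName covers the host name. It assumes an English-language Windows, because it matches the "DNS Name=" label Windows prints for SAN entries.

```powershell
# Added example (not from the original post). Test-LocalDevCert is a hypothetical name.
# Assumes rootSSL.pem and <host>.crt sit in $Folder, as produced by the steps above.
function Test-LocalDevCert {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string] $Folder = (Get-Location).Path
    )
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    # .NET resolves relative paths against the process directory, so pass full paths.
    $root = $x509::new((Resolve-Path (Join-Path $Folder 'rootSSL.pem')).Path)
    $leaf = $x509::new((Resolve-Path (Join-Path $Folder "$HostName.crt")).Path)

    # 1. Is our root in the machine-wide Trusted Root store (the MMC import)?
    $rootTrusted = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"

    # 2. Does Windows build a chain from the site certificate up to that root?
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a local CA publishes no CRL
    $built  = $chain.Build($leaf)
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # 3. Does the subjectAltName (OID 2.5.29.17) list the host name?
    #    Modern browsers match the host against the SAN, not the common name.
    $san     = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $sanOk   = $sanText -match "DNS Name=$([regex]::Escape($HostName))(,|$)"

    # 4. The site certificate must not itself be a CA (basicConstraints, OID 2.5.29.19).
    $bc       = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $leafIsCa = [bool]($bc -and $bc.CertificateAuthority)

    [pscustomobject]@{
        RootInTrustedStore = $rootTrusted
        ChainsToOurRoot    = $built -and ($anchor.Thumbprint -eq $root.Thumbprint)
        SanCoversHost      = $sanOk
        SanEntries         = $sanText
        LeafIsCA           = $leafIsCa
        NotAfter           = $leaf.NotAfter
        ChainProblems      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Run from the SSL folder.
Test-LocalDevCert -HostName 'impressto.localhost'
```

If SanCoversHost is False, the browser will still reject the site even though the chain is trusted; reissue the certificate with the correct host name in subjectAltName.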

Using the New Local Domain Certificates in Your Web Server

The final part of this process is to add the certificate files to your web server’s website configuration for impressto.localhost.

Here is an example of using the certificate and key files in an SSL server block.

Locate your httpd-vhosts.conf file and within the server block where you define the local development site, add the lines:

SSLEngine on
SSLCertificateFile C:\Users\kizpa\SSL\impressto.localhost.crt
SSLCertificateKeyFile C:\Users\kizpa\SSL\impressto.localhost.key

Restart Apache and you are all set.

Good luck!
