OpenSSL & certificates

Self-signed and CA-signed certificates; notes on Let’s Encrypt and PEM/PKCS#12.

Self-signed (dev, internal)

Generate a key pair and certificate in one step (365 days, RSA 4096, no password on the key):

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
  -subj "/CN=myserver.example/O=Test/C=CH"

Inspect:

openssl x509 -in cert.pem -noout -text -dates

Private CA + server certificate (lab)

# CA key and CA certificate (self-signed CA)
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 730 -key ca-key.pem -out ca-cert.pem \
  -subj "/CN=Demo CA/O=Test/C=CH"

# Server key and CSR
openssl genrsa -out server-key.pem 4096
openssl req -new -key server-key.pem -out server.csr \
  -subj "/CN=www.example.com/O=Test/C=CH"

# Sign the CSR with the CA. Note: "openssl x509 -req" does not carry extensions
# over from the CSR, so this certificate has no subjectAltName; modern TLS clients
# ignore the CN and require a SAN. Supply one with -extfile (or an openssl.cnf)
openssl x509 -req -days 365 -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem
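The three steps above as one reusable script, added here as an example and not part of this page's tooling: it wraps the CA and server steps in functions, supplies the subjectAltName via -extfile (which `openssl x509 -req` needs, since it does not copy extensions from the CSR), and then checks the result with `openssl verify` and a SAN lookup. The function names, the lab directory layout and the "Demo CA" subject are assumptions.

```shell
#!/bin/sh
# Added example (not this page's tooling): the private-CA procedure as
# functions, with a subjectAltName supplied through -extfile. Without that
# step the server certificate carries no SAN and modern TLS clients reject it.
# Function names, paths and the "Demo CA" subject are assumptions.
set -eu

# Create a lab CA (key + self-signed certificate) in directory $1.
make_ca() {
  mkdir -p "$1"
  openssl genrsa -out "$1/ca-key.pem" 4096
  openssl req -new -x509 -days 730 -key "$1/ca-key.pem" -out "$1/ca-cert.pem" \
    -subj "/CN=Demo CA/O=Test/C=CH"
}

# Issue a server certificate from the CA in $1 for CN $2 with SAN list $3
# (comma-separated, e.g. "DNS:www.example.com,DNS:example.com").
issue_server_cert() {
  openssl genrsa -out "$1/server-key.pem" 4096
  openssl req -new -key "$1/server-key.pem" -out "$1/server.csr" \
    -subj "/CN=$2/O=Test/C=CH"
  # Extension file read by -extfile: SAN plus key usage for a TLS server.
  printf '%s\n' \
    "subjectAltName=$3" \
    "keyUsage=digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" \
    "basicConstraints=CA:FALSE" > "$1/server-ext.cnf"
  openssl x509 -req -days 365 -in "$1/server.csr" \
    -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
    -extfile "$1/server-ext.cnf" -out "$1/server-cert.pem"
}

# Chain check: exit 0 if server-cert.pem validates against ca-cert.pem.
verify_chain() {
  openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" >/dev/null
}

# SAN check: exit 0 if the issued certificate lists DNS name $2.
cert_has_dns_san() {
  openssl x509 -in "$1/server-cert.pem" -noout -text | grep -q "DNS:$2"
}

# Stand-alone use: sh lab-pki.sh <dir> <hostname>
if [ "$#" -eq 2 ]; then
  make_ca "$1"
  issue_server_cert "$1" "$2" "DNS:$2"
  verify_chain "$1" && cert_has_dns_san "$1" "$2" \
    && echo "issued and verified: $1/server-cert.pem"
fi
```

Run it as `sh lab-pki.sh lab www.example.com`; the resulting `lab/server-cert.pem` validates against `lab/ca-cert.pem` and carries the DNS SAN, which is the check the plain `openssl x509 -req` invocation above does not give you.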

Public CA (Let’s Encrypt & co.)

For publicly trusted certificates use an ACME client (e.g. certbot, lego, Caddy with automatic TLS) or your hoster’s workflow. Output is usually PEM; Windows/IIS often needs PKCS#12 (.pfx) — use the “Convert formats” form here.

PEM from clipboard or file

PEM is text: copy cert.pem and paste into Analyze PEM, or load the file via “Choose file”. Same for chains with multiple BEGIN CERTIFICATE blocks.
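Since PEM is plain text, a chain can be handled with ordinary text tools before it goes anywhere near a paste form. The helpers below are an added example, not this page's own code: they count the CERTIFICATE blocks in a bundle, pull out one block for `openssl x509`, print subject/issuer/expiry per block (in a correctly ordered chain the issuer of block i is the subject of block i+1), and flag a PRIVATE KEY block that should never be pasted into a web form. Function names are assumptions.

```shell
#!/bin/sh
# Added example (not this page's tooling): text-level helpers for a PEM
# bundle such as the one pasted into "Analyze PEM". Function names are
# assumptions; $1 is any PEM file.
set -eu

# Number of "BEGIN CERTIFICATE" blocks in PEM file $1 (prints 0 if none).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Exit 0 if file $1 contains any PRIVATE KEY block (PKCS#1, PKCS#8, EC,
# encrypted or not). Such material should not be pasted into a web form.
pem_has_private_key() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Print the N-th (1-based) CERTIFICATE block of file $1, including the
# BEGIN/END lines, so it can be piped into "openssl x509".
pem_nth_cert() {
  awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; inblk = (n == want) }
    inblk { print }
    /-----END CERTIFICATE-----/   { inblk = 0 }
  ' "$1"
}

# One line per certificate: position, subject, issuer, expiry.
pem_chain_summary() {
  total=$(pem_cert_count "$1")
  i=1
  while [ "$i" -le "$total" ]; do
    printf '[%d] ' "$i"
    pem_nth_cert "$1" "$i" \
      | openssl x509 -noout -subject -issuer -enddate | tr '\n' ' '
    printf '\n'
    i=$((i + 1))
  done
}

# Stand-alone use: sh pem-chain.sh chain.pem
if [ "$#" -eq 1 ]; then
  if pem_has_private_key "$1"; then
    echo "warning: $1 contains a PRIVATE KEY block; do not paste it into a web form" >&2
  fi
  pem_chain_summary "$1"
fi
```

Running `sh pem-chain.sh fullchain.pem` lists leaf, intermediate(s) and, if bundled, the root, which makes a wrong chain order or a missing intermediate visible before the bundle is uploaded or converted.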

Notes

  • Do not share private keys or PKCS#12 passwords over insecure channels.
  • Conversion on this server happens in memory only; these tools do not persist secrets.
  • openssl is available in the container; validate complex SAN profiles with a suitable openssl.cnf locally.