Generating an Encrypted Private Key and Self-Signed Public Certificate

This article discusses how to generate an encrypted private key and public certificate pair that is suitable for use with HTTPS, FTPS, and the administrative port for EFT Server. (To generate an unencrypted key/certificate pair, refer to Generating an Unencrypted Private Key and Self-Signed Public Certificate.)

General Information

Each of the above combinations uses RSA key exchange; therefore, RSA based key/certificates must be used.

Procedure

These instructions assume you have downloaded and installed the Windows binary distribution of OpenSSL. Refer to Using OpenSSL for the general instructions

  1. Generate an unencrypted RSA private key:

  2. >C:\Openssl\bin\openssl.exe genrsa -out <Key Filename> <Key Size>

    Where:

    For example, type:

    >C:\Openssl\bin\openssl.exe genrsa -out my_key.key 2048

  3. Encrypted the unencrypted private key:

  4. >C:\Openssl\bin\openssl.exe pkcs8 -v1 PBE-SHA1-3DES -topk8 -in <Unencrypted Key Filename> -out <Encrypted Key Filename>

    Where:

    For example, type:

    >C:\Openssl\bin\openssl.exe pkcs8 -v1 PBE-SHA1-3DES -topk8 -in my_key.key -out my_encrypted_key.key

  5. Delete the unencrypted private key.

  6. Generate a Certificate Signing Request:

  7. In version 0.9.8g:

    >C:\Openssl\bin\openssl.exe req -new -key <Encrypted Key Filename> -out <Request Filename> -config C:\Openssl\bin\openssl.cnf

    -OR-

    In version 0.9.8h and later:

    >C:\Openssl\bin\openssl.exe req -new -key <Encrypted Key Filename> -out <Request Filename> -config C:\Openssl\bin\openssl.cfg

    Where:

    For example, type:

    >C:\Openssl\bin\openssl.exe req -new -key my_encrypted_key.key -out my_request.csr -config C:\Openssl\bin\openssl.cnf

  8. Follow the on-screen prompts for the required certificate request information.

  9. Generate a self-signed public certificate based on the request:

  10. >C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in <Request Filename> -signkey <Encrypted Key Filename> -out <Certificate Filename>

    Where:

    For example, type:

    >C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in my_request.csr -signkey my_encrypted_key.key -out my_cert.crt

  11. (Optional) You may now delete the request file, as it is no longer needed.

The resulting encrypted private key file and public certificate file can now be used with EFT Server.