Self Signed Certificate with Custom Root Authority

The commands below are typed into Git Bash for Windows. winpty is the console wrapper that ships with it; openssl needs it there so that it can prompt for input (for example the PFX export password in step 7). The doubled leading slash and backslash separators in the -subj values ("//C=US\ST=NY\...") stop Git Bash's MSYS path conversion from rewriting the subject as a Windows path. Outside Git Bash, drop winpty and write the subject in the plain /C=US/ST=NY/... form.

1. Create the Private Key for the Root Certificate

mkdir my-certs
cd my-certs
winpty openssl genrsa -out myCA.key 2048

2. Create the Root Certificate (CA)

winpty openssl req -new -x509 \
    -key myCA.key -sha256 -days 18000 \
    -out myCA.cert.pem \
    -subj "//C=US\ST=NY\L=NY\O=None\CN=Localhost Root Certificate"

3. Verify the Root Certificate

winpty openssl x509 -noout -text -in myCA.cert.pem

4. Create the Private Key for the SSL Certificate

winpty openssl genrsa -out local-web.key 2048

5. Create the Certificate Signing Request (CSR)

winpty openssl req -new -sha256 \
    -key local-web.key \
    -out local-web.csr \
    -subj "//C=US\ST=NY\L=NY\O=None\CN=localhost"

6. Create the Certificate Signed by the CA

Save the following to a file named v3.txt. The [alt_names] section is what subjectAltName = @alt_names refers to (without it openssl fails with a variable lookup error); add one DNS.n line per host name the certificate must cover and remove the unused lines rather than leaving them blank...

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
# DNS.2 = <second host name, if any>
# DNS.3 = <third host name, if any>

...and then run this:

winpty openssl x509 -req \
    -in local-web.csr \
    -CA myCA.cert.pem \
    -CAkey myCA.key \
    -CAcreateserial \
    -days 18000 -sha256 \
    -extfile v3.txt \
    -out local-web.crt

7. Create the PFX file

winpty openssl pkcs12 -export \
    -in local-web.crt \
    -inkey local-web.key \
    -out local-web.pfx
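Steps 1 to 6 above, scripted end to end so they can be re-run and checked, as an added example rather than part of the original gist. It uses plain openssl (winpty is only needed interactively under Git Bash; there, set MSYS_NO_PATHCONV=1 before running it so the /C=US/... subject is not rewritten as a path). It also writes the v3.txt extensions file itself, with the [alt_names] section included, and adds the checks a practitioner wants before importing anything: the leaf certificate chains to the root, the SAN carries every requested host name, and the certificate's public key matches local-web.key. The second host name my-app.local is a constructed sample value.

```shell
#!/usr/bin/env bash
# Added example (not the gist's own commands): scripts steps 1-6 and verifies the output.
# On Git Bash: MSYS_NO_PATHCONV=1 ./this-script.sh  (keeps /C=US/... from becoming a path)
set -eu

DAYS=18000   # validity used by the gist, in days

# Steps 1-2: root key and self-signed root certificate, written into $1.
make_ca() {
  dir="$1"
  openssl genrsa -out "$dir/myCA.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/myCA.key" -sha256 -days "$DAYS" \
    -out "$dir/myCA.cert.pem" \
    -subj "/C=US/ST=NY/L=NY/O=None/CN=Localhost Root Certificate"
}

# Steps 4-6: leaf key, CSR, v3.txt (with the [alt_names] section that
# subjectAltName = @alt_names refers to) and the CA-signed certificate.
# Usage: make_leaf DIR PRIMARY_NAME [EXTRA_NAME ...]
make_leaf() {
  dir="$1"; shift
  primary="$1"; shift            # becomes the CN and DNS.1
  openssl genrsa -out "$dir/local-web.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/local-web.key" -out "$dir/local-web.csr" \
    -subj "/C=US/ST=NY/L=NY/O=None/CN=$primary"
  {
    echo "basicConstraints = CA:FALSE"   # a leaf must never be usable as a CA
    echo "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
    echo "extendedKeyUsage = serverAuth"
    echo "subjectAltName = @alt_names"
    echo "[alt_names]"
    i=1
    for name in "$primary" "$@"; do
      echo "DNS.$i = $name"
      i=$((i + 1))
    done
  } > "$dir/v3.txt"
  openssl x509 -req -in "$dir/local-web.csr" \
    -CA "$dir/myCA.cert.pem" -CAkey "$dir/myCA.key" -CAcreateserial \
    -days "$DAYS" -sha256 -extfile "$dir/v3.txt" \
    -out "$dir/local-web.crt" 2>/dev/null
}

# Check 1: the leaf validates against the root alone, as a browser would see it.
verify_chain() {
  openssl verify -CAfile "$1/myCA.cert.pem" "$1/local-web.crt" >/dev/null
}

# Check 2: the SAN extension names the given host (output captured, no pipe).
san_contains() {
  text=$(openssl x509 -noout -text -in "$1/local-web.crt")
  case "$text" in
    *"DNS:$2"*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Check 3: the public key inside the certificate is the one derived from the
# private key, so the pair will actually work when packed into the PFX (step 7).
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1/local-web.crt")
  key_pub=$(openssl pkey -pubout -in "$1/local-web.key")
  [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: builds everything in ./my-certs and reports the checks.
if [ "${0##*/}" = "make-local-certs.sh" ]; then
  mkdir -p my-certs
  make_ca my-certs
  make_leaf my-certs localhost my-app.local
  verify_chain my-certs && san_contains my-certs localhost && key_matches_cert my-certs \
    && echo "ok: my-certs/local-web.crt chains to my-certs/myCA.cert.pem"
fi
```

The stand-alone block only runs when the file is saved as make-local-certs.sh; the functions can equally be sourced into an interactive shell. Whatever machine imports myCA.cert.pem into its trusted root store will trust every certificate signed with myCA.key, so that key belongs on the machine that issues the certificates and nowhere else; the leaf certificate and local-web.pfx are what get deployed.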

8. Import the myCA.cert.pem file (root certificate) into the "Trusted Root Certification Authorities" certificate store.

9. Import the local-web.pfx file into IIS. Remember to bind the certificate to the website. I bound it to the Default Web Site. Try browsing to the website https://localhost.

10. Optional. Add the following mappings to the hosts file at C:\Windows\System32\drivers\etc\hosts:

localhost

The following urls will now work over HTTPS:

  • https://localhost