How-to guide

Create a self-signed certificate with OpenSSL on Windows

Self-signed certificates are useful for local development, internal services and testing TLS without a CA. This guide covers the fastest one-command method, SAN extensions required by modern browsers, and how to trust the cert in Windows.

Self-signed certificates are not trusted by browsers or clients by default. They are appropriate for development, internal tools and testing — not for public-facing production sites.

One command: key + self-signed cert

This creates a 2048-bit RSA key and a self-signed certificate valid for 365 days in one step:

cmd.exe
C:\certs> openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
Generating a RSA private key
..........+++
Country Name (2 letter code) [AU]: US
Common Name []: localhost
...

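Output: key.pem (private key) and cert.pem (self-signed certificate). The -nodes option writes key.pem without passphrase encryption, so keep that file out of source control and shared folders.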

One-liner without prompts

Pass all subject fields with -subj for use in scripts or CI pipelines:

cmd.exe
C:\certs> openssl req -x509 -newkey rsa:2048 -nodes ^
-keyout key.pem -out cert.pem -days 365 ^
-subj "/C=US/ST=CA/O=Dev/CN=localhost"

In PowerShell replace ^ with a backtick ` for line continuation.

Self-signed cert with Subject Alternative Names

Modern browsers require SAN extensions. Without them you will see certificate errors even after trusting the cert. Create a config file cert.cnf:

cert.cnf
[req]
default_bits = 2048
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
C = US
O = Dev
CN = localhost
[v3_req]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
IP.1 = 127.0.0.1

Then generate the certificate:

cmd.exe
C:\certs> openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -config cert.cnf

Add the certificate to Windows trusted roots

To avoid browser warnings on your local machine, import the cert into the Windows Trusted Root store:

PowerShell — admin
PS> Import-Certificate -FilePath .\cert.pem -CertStoreLocation Cert:\LocalMachine\Root

Or via GUI: double-click cert.pem → Install Certificate → Local Machine → Trusted Root Certification Authorities.

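This only removes the browser warning on your machine. Other machines will still see the warning unless you import the cert there too. A certificate in the Trusted Root store is trusted machine-wide, so keep key.pem private and remove the certificate from the store when you no longer need it.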

Inspect the certificate

cmd.exe
# View certificate details:
C:\certs> openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Validity
            Not Before: May 20 00:00:00 2026 GMT
            Not After : May 20 00:00:00 2027 GMT
        Subject: C=US, O=Dev, CN=localhost
# Check expiry date only:
C:\certs> openssl x509 -in cert.pem -noout -dates
notBefore=May 20 00:00:00 2026 GMT
notAfter=May 20 00:00:00 2027 GMT
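
The same details can be checked from PowerShell before the certificate goes into the Trusted Root store. This is an added example, not part of the original guide. It assumes cert.pem is in the current directory and reads it with the .NET X509Certificate2 class; the wording of the warnings is illustrative.

```powershell
# Added example: inspect cert.pem (file name from this guide) before trusting it.
$path = (Resolve-Path .\cert.pem).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

# Subject Alternative Name extension (OID 2.5.29.17); browsers match host names against it.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

# Basic Constraints extension; the guide's cert.cnf sets CA:FALSE.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}

$problems = @()
if (-not $san) {
    $problems += 'No subjectAltName extension: browsers will warn even after import.'
}
if ($bc -and $bc.CertificateAuthority) {
    $problems += 'basicConstraints is CA:TRUE: once trusted, certs signed by this key are trusted too.'
}
if ($cert.Subject -ne $cert.Issuer) {
    $problems += 'Subject and Issuer differ: this is not a self-signed certificate.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += "Certificate expired on $($cert.NotAfter)."
}
# The file that gets imported or copied to other machines should hold the certificate only.
if (Select-String -Path $path -Pattern 'PRIVATE KEY' -Quiet) {
    $problems += 'File also contains a private key: import a cert-only file instead.'
}

"Subject     : $($cert.Subject)"
"Thumbprint  : $($cert.Thumbprint)"
"Valid until : $($cert.NotAfter)"
if ($san) { "SAN         : $($san.Format($false))" }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    'No problems found.'
}
```

The thumbprint printed here is the value to look for under Cert:\LocalMachine\Root when removing the certificate later.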

Self-signed cert questions

Why does Chrome still show a warning after trusting the cert?
Chrome requires Subject Alternative Names (SAN). A cert with only a Common Name (CN) will show a warning regardless of trust. Regenerate the cert with a SAN config as shown above.
How do I renew a self-signed certificate?
Rerun the generation command with a new expiry: -days 365. If you want to keep the same key, use the two-step method: openssl x509 -req -in request.csr -signkey key.pem -out cert.pem -days 365.
What is the difference between -x509 and a CA-signed cert?
The -x509 flag makes OpenSSL sign the certificate itself with the same key, creating a self-signed cert. A CA-signed cert is signed by a trusted Certificate Authority — browsers trust it automatically without any import step.
Can I use the cert for multiple domains?
Yes — add multiple DNS.N entries to the [alt_names] section in the config file. Each entry covers one domain or subdomain.

Need a CA-signed certificate?

Generate a CSR and submit it to a public CA like Let's Encrypt.
