I have a couple of how-tos on my blog. This one here is one of them. It's a how-to that shows you how to create your own certificate with OpenSSL. Now, I've had several questions regarding this procedure since I've published it, and some of them also asked me to make a video, so that's what I'm doing here. Now, the procedure that I followed here on my how-to, it's done on Linux with OpenSSL on Linux. But I've also had a couple of questions regarding Windows, so this time I'm making the video on a Windows machine.

So normally, when you're on your Linux machine, you can just type openssl, and then the command will execute. If not, then you install the package through your package manager like yum or apt-get. Here on Windows, I downloaded the binaries that were referenced on the OpenSSL page. So I downloaded and installed them using the default installs. And before I can use OpenSSL here on Windows, I also have to define two environment variables, which I'm going to do here now. So first of all, you have to point to the place where you can find the OpenSSL configuration. So this is in the OpenSSL-Win32 folder, bin, openssl.cfg. So that's the first variable. And the second variable is the location of the RAND file. And I'm going to put it here in the demo folder, .rnd, like this. And now I can start OpenSSL. So OpenSSL, bin, openssl, like this. And you can see here OpenSSL is running.

So what we are going to do is create some certificates. But we are not just going to create a code signing certificate. We are going to make one with the hierarchy and the chain and all the commands that are necessary for that. So we are going to have a root CA, a root certificate authority, and then also an intermediate authority.

So the first thing we are going to do is to generate a key. So with genrsa, I will call this ca.key and I'm going to create a 4096-bit key. Now, here this is just a demo.
But if you are going to use that for production, for example, you want to protect your keys because they are very important. And then you are going to put a password on them. For example, with option -des3, this will encrypt the password with the DES3 algorithm. Now, in this example, I'm not going to do this. So I just issue this command. And now the private key is being generated and saved on disk with file name ca.key. So that's the first step, to create a private key of our root CA.

Next, I'm going to make a self-signed certificate. So I request a new X509 certificate. It will be valid for five years. So that's 1,826 days. The key that we just generated is ca.key. And the certificate can be stored in file ca.crt. And then we have to provide some information that will be included in the certificate. So country code is Belgium. The state or province name is Brussels and the locality name is also Brussels. As an organization name, I'm going to use the name of my company, dds-stavens-labs. I'm not going to provide a unit name. And I'm going to provide a common name. So I will just call this dds-stavens-labs.com. Like this. And as email address, I have dds-stavens-labs.com. Okay. And now we have created our self-signed certificate. If we look into the folder here, you can see the ca.crt and the ca.key file that have been generated.

So now, on to the intermediate. So for that, we also need a key in a file, the intermediate authority key file, and also 4096 bits. The key has been generated. Okay, that's done. And now we are going to create a certificate. But this time we are not going to create a self-signed certificate. We are going to create a certificate that is signed by the root authority, the one that we created first. So for that, we have to make a certificate signing request, which we do with this command. Request new. The key is the intermediate key. And out is the certificate signing request. So Belgium, Brussels, again dds-stavens-labs.
The OU here, I'm going to say code signing. And the common name now is code signing dds-stavens-labs.com. Now be careful when you do that, that you don't use the same common name for your root CA and your intermediate CA. Because if you do that, you will get an error at the end. Email address dds-stavens-labs.com. And I'm not going to protect this with a password. But again, in a production environment, you would do this with a password. No optional company name. Okay, so this is the request that has been created.

And now I'm going to process that request and produce a certificate, an intermediate certificate that is signed by the root certificate authority. So it's an x509 command. I'm going to have a certificate that is valid for two years. So as input, we have the certificate request here, the CSR. We have to tell what the CA is and where the CA key is located. I'm choosing to set a serial number of 01. And finally, the name of my certificate, ia.crt, like that. And now the certificate has been created. So if you have a look here, you also have the request, the key and the certificate for the intermediate authority.

Now as a last step, we are going to package all this in a PKCS12 format. So command is pkcs12. We are going to export this in file ia.p12. The input is the intermediate key. And we are going to make sure that we have a chain. So the intermediate certificate chains up to the root certificate like this. Now, since we are creating a file here that also contains a private key, again, you can protect this with a password. But I'm not going to do this here. But again, in production, it is recommended like this. So that's all there is to it to create your certificates.

Now let's have a look here. These are all the files that have been created. And all those files, the CRT, key, CRT, CSR, all those files are actually ASCII files. So you can have a look, ia.crt here. This is the certificate that is encoded here in base64.
And you can do that for all those files except for the PKCS12 file because that is a binary file.

In Windows, you can also double-click those files. So this root certificate, you can double-click it like this. And then you can see the certificate here with information, you see five years. You can decide to install your certificate. Here you have the details and the certification path. Same thing for the intermediate. Two years, install the certificate, details, certification path. And then here, the PKCS12 file. When you double-click that, you are presented with a certificate import wizard that allows you to import the certificates and the private key into your stores so that you can use it to do code signing.
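
Added example, not part of the video or the original how-to: the steps above as a non-interactive POSIX shell script that also checks the result (chain verification, distinct subject names, two certificates in the PKCS12 file). The subject values, the function names and the use of `-subj` and an empty export password are assumptions made for this example.

```shell
#!/bin/sh
# Added example: the video's steps, run non-interactively via -subj.
# Subject values are constructed placeholders; keys are left unencrypted and
# the PKCS#12 export password is empty, as in the demo.
set -eu

SUBJ_BASE="/C=BE/ST=Brussels/L=Brussels/O=Example Labs"   # constructed

build_chain() {  # $1 = output directory
  (
    cd "$1"
    # Root CA: 4096-bit key and a self-signed certificate valid for 1826 days
    openssl genrsa -out ca.key 4096 2>/dev/null
    openssl req -new -x509 -days 1826 -key ca.key -out ca.crt \
      -subj "$SUBJ_BASE/CN=Example Root CA"
    # Intermediate: key, then a CSR whose common name differs from the root's
    openssl genrsa -out ia.key 4096 2>/dev/null
    openssl req -new -key ia.key -out ia.csr \
      -subj "$SUBJ_BASE/OU=Code Signing/CN=Example Code Signing"
    # Root signs the CSR: two years, serial number 01
    openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key \
      -set_serial 01 -out ia.crt 2>/dev/null
    # Bundle intermediate key + certificate + chain up to the root
    openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt \
      -chain -CAfile ca.crt -passout pass:
  )
}

# Succeeds when ia.crt verifies against ca.crt
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/ia.crt" >/dev/null 2>&1; }

# Succeeds when root and intermediate subjects differ (the common-name pitfall)
names_differ() {
  [ "$(openssl x509 -noout -subject -in "$1/ca.crt")" != \
    "$(openssl x509 -noout -subject -in "$1/ia.crt")" ]
}

# Number of certificates inside the PKCS#12 file (expected: 2)
p12_cert_count() {
  openssl pkcs12 -in "$1/ia.p12" -passin pass: -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

DEMO_DIR=$(mktemp -d)
build_chain "$DEMO_DIR"
chain_ok "$DEMO_DIR" && names_differ "$DEMO_DIR" &&
  echo "chain OK, $(p12_cert_count "$DEMO_DIR") certificates in ia.p12"
```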