Asp.Net Core Security Certificates Created: 24 Jan 2026 Updated: 24 Jan 2026

A Complete Guide to Generating Self-Signed Certificates on Windows

In modern web development, understanding the "Chain of Trust" is essential. Whether you are securing a local microservice architecture or configuring an ASP.NET Core Kestrel server, mastering certificate management is a core skill for any senior developer.

This guide provides a comprehensive, step-by-step workflow for setting up OpenSSL, generating certificates, and bundling them for .NET applications.

Part 1: Environment Setup

To generate certificates, you need the OpenSSL toolkit. On Windows, the most efficient way to manage this is via the Windows Package Manager (winget).

1. Installation

Open PowerShell as an Administrator and run:

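winget install ShiningLight.OpenSSL.Light
  1. winget install: The command to download and install packages.
  2. ShiningLight.OpenSSL.Light: The package ID of the lightweight version of OpenSSL, containing only the binaries needed for certificate management. A bare "openssl" search term matches several packages, so the full ID is used.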

2. Verifying the Installation

Restart your terminal to refresh environment variables, then run:

openssl version
  1. openssl: Calls the OpenSSL tool.
  2. version: Displays the currently installed version (e.g., OpenSSL 3.x.x) to confirm the system path is configured correctly.

Part 2: The Step-by-Step Generation Workflow

Step 1: Generate the Private Key

The private key is the foundation of your security. It is used to sign requests and decrypt traffic.

openssl genrsa -out localhost.key 2048
  1. genrsa: Tells OpenSSL to generate an RSA private key.
  2. -out localhost.key: Specifies the filename where the key will be saved.
  3. 2048: Sets the key length to 2048 bits, which is the current industry standard for security.

Step 2: Create the Certificate Signing Request (CSR)

The CSR defines the identity of the certificate. It acts as an "application" for a certificate.

openssl req -new -key localhost.key -out localhost.csr
  1. req: Invokes the PKCS#10 X.509 Certificate Signing Request (CSR) management tool.
  2. -new: Generates a new request.
  3. -key localhost.key: Tells the tool to use the private key you created in Step 1 to sign this request.
  4. -out localhost.csr: Specifies the name of the output request file.

Step 3: Generate the Self-Signed Certificate (.crt)

This command takes your CSR and "signs" it using your own Private Key, effectively making you your own Certificate Authority.

openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt
  1. x509: Refers to the X.509 standard for public key certificates. This command is used for signing and displaying certificates.
  2. -req: Indicates that the input is a certificate request (CSR) rather than an existing certificate.
  3. -days 365: Sets the expiration date. The certificate will be valid for one year.
  4. -in localhost.csr: The input file to be signed.
  5. -signkey localhost.key: Instructs OpenSSL to use your private key to sign the certificate (making it "self-signed").
  6. -out localhost.crt: The name of the resulting public certificate file.

Step 4: Create the PFX Bundle for .NET

ASP.NET Core (Kestrel) requires a .pfx file because it bundles the private key and public certificate into a single, password-protected file.

openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
  1. pkcs12: Refers to the PKCS #12 standard, used for storing cryptographic objects (keys and certificates).
  2. -export: Tells the tool to create (export) a new archive file.
  3. -out localhost.pfx: The name of the final bundle file.
  4. -inkey localhost.key: The private key to be included in the bundle.
  5. -in localhost.crt: The public certificate to be included in the bundle.
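
Steps 1 to 4 as one non-interactive PowerShell script, added here as an example (it is not part of the original guide). It adds a subjectAltName, because current browsers match the host name against the SAN rather than the Common Name, and then checks the result. Assumptions: OpenSSL 3.x on the PATH; the helper name Invoke-OpenSsl, the subject and SAN values, and the PFX_PASS environment variable are illustrative choices.

```powershell
# Added example: Steps 1-4 without prompts, plus two checks on the result.
function Invoke-OpenSsl {
    # Native tools do not throw in PowerShell, so test the exit code explicitly.
    & openssl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args[0]) exited with $LASTEXITCODE" }
}

# Step 1: RSA private key.
Invoke-OpenSsl genrsa -out localhost.key 2048

# Step 2: CSR with the subject and subjectAltName given up front.
# Subject and SAN values are assumptions for a localhost development site.
Invoke-OpenSsl req -new -key localhost.key -out localhost.csr `
    -subj '/CN=localhost' -addext 'subjectAltName=DNS:localhost,IP:127.0.0.1'

# Step 3: self-sign. "x509 -req" drops CSR extensions unless asked to copy
# them (-copy_extensions needs OpenSSL 3.0 or later).
Invoke-OpenSsl x509 -req -days 365 -in localhost.csr -signkey localhost.key `
    -copy_extensions copy -out localhost.crt

# Step 4: PFX bundle. The password goes through an environment variable so it
# is not visible in the process command line or in shell history.
$secure = Read-Host 'PFX export password' -AsSecureString
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    Invoke-OpenSsl pkcs12 -export -out localhost.pfx -inkey localhost.key `
        -in localhost.crt -passout env:PFX_PASS
} finally {
    Remove-Item Env:PFX_PASS
}

# Check 1: the SAN reached the certificate.
$san = (& openssl x509 -in localhost.crt -noout -ext subjectAltName) -join "`n"
if ($san -notmatch 'DNS:localhost') { throw 'localhost.crt has no SAN for localhost' }

# Check 2: certificate and key are a pair (their public keys are identical).
$pubFromCert = (& openssl x509 -in localhost.crt -noout -pubkey) -join "`n"
$pubFromKey  = (& openssl pkey -in localhost.key -pubout) -join "`n"
if ($pubFromCert -ne $pubFromKey) { throw 'localhost.crt does not match localhost.key' }

'localhost.pfx is ready'
```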

Part 3: Making Windows Trust Your Certificate

Windows will initially mark your self-signed certificate as "Not Secure." To fix this, you must move it to the Trusted Root store:

  1. Press Win + R, type certlm.msc, and hit Enter.
  2. Navigate to Trusted Root Certification Authorities > Certificates.
  3. Right-click the Certificates folder -> All Tasks -> Import.
  4. Browse for your localhost.crt file and complete the wizard.
  5. Restart your browser.
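
The same import done from an elevated PowerShell prompt, added here as an example (not part of the original guide). It reviews the certificate before it becomes a machine-wide trust anchor, confirms by thumbprint that the store holds that exact certificate, and shows the cleanup command. It assumes localhost.crt from Step 3 is in the current folder.

```powershell
# Added example: scripted import into Trusted Root, with checks and cleanup.
# Run from an elevated PowerShell; localhost.crt comes from Step 3.
$path = Resolve-Path .\localhost.crt
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path.Path)

# Review what is about to become a trust anchor for every user on this machine.
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

# Refuse a certificate marked as a CA: once trusted, its key could issue
# certificates for any host name, not just localhost.
$isCa = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    Where-Object { $_.CertificateAuthority }
if ($isCa) { throw 'Certificate has basicConstraints CA:TRUE; not importing it as a root.' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has already expired.' }

# Equivalent of the certlm.msc import wizard.
Import-Certificate -FilePath $path.Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the store now holds exactly the certificate that was reviewed.
$stored = Get-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
"Trusted: $($stored.Subject) until $($stored.NotAfter)"

# Cleanup when the development certificate is no longer needed:
# Remove-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
```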

Quick Reference Summary

Command   Key Flag   Meaning
genrsa    2048       Generates a secure RSA private key.
req       -new       Prepares a request for a new certificate.
x509      -signkey   Creates a certificate by signing it with your own key.
pkcs12    -export    Bundles everything into a .pfx file for .NET usage.


Asp.Net Core (docker-compose.yml)

services:
  securityapp.api:
    image: ${DOCKER_REGISTRY-}securityappapi
    build:
      context: .
      dockerfile: SecurityApp.API/Dockerfile

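Asp.Net Core (docker-compose.override.yml)

services:
  securityapp.api:
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_HTTP_PORTS=8080
      - ASPNETCORE_HTTPS_PORTS=8081
      # Must match the export password chosen in Step 4 (development value only)
      - ASPNETCORE_Kestrel__Certificates__Default__Password=Password12**
      # Container path of the bundle, provided by the volume below
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/localhost.pfx
    ports:
      - "5000:8080"
      - "5001:8081"
    volumes:
      # Host folder holding localhost.pfx, mounted at /https; everything in
      # this folder becomes readable inside the container
      - C:/Users/f-cak:/https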