Self-Generated Certificate

This example shows how vendors can generate custom certificates for HTTPS Boot:

(1.) Install OpenSSL. Windows: Download and install an OpenSSL binary distribution. This document uses Win32 OpenSSL as an example. Linux (Ubuntu as example): sudo apt-get install openssl

(2.) Create a self-signed CA Certificate: Note: (Use type command instead of cat in Windows) in the following examples

openssl req -new -sha256 -keyout rootkey.pem -out rootreq.pem -days 3650
openssl x509 -req -in rootreq.pem -sha256 -signkey rootkey.pem -out rootcert.pem -days 3650
cat rootcert.pem rootkey.pem > root.pem

(3.) Create a server certificate signed by the CA certificate:

openssl req -new -sha256 -keyout serverkey.pem -out serverreq.pem -days 3650
openssl x509 -req -in serverreq.pem -sha256 -CA root.pem -CAkey root.pem -CAcreateserial -out servercert.pem -days 3650
cat servercert.pem serverkey.pem root.pem > server.pem
openssl pkcs12 -export -in server.pem -out server.pfx

Note: The .pem file is encoded as BASE64, but only PKCS12 format key can be used when booting to a Microsoft Windows server. This requires the last step in process above, converting server.pem to server.pfx. (4.) Create a client certificate signed by the CA certificate:

openssl req -new -sha256 -keyout clientkey.pem -out clientreq.pem -days 3650
openssl x509 -req -in clientreq.pem -sha256 -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem -days 3650
cat clientcert.pem clientkey.pem root.pem > client.pem

Using the steps above, the required key pairs are generated as shown in Table 2:


rootkey.pem, rootcert.pem, root.pem


serverkey.pem, servercert.pem, server.pem, server.pfx


clientkey.pem, clientcert.pem, client.pem

Table 2 Key Pair

The next section demonstrates how to use ‘rootcert.pem’ and ‘server.pfx’ to enable server authentication with an unauthenticated client (one-way authentication).