Not able to generate certificate for localhost

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: localhost

I ran this command:

openssl req -x509 -out localhost.crt -keyout localhost.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=localhost' -extensions EXT -config <( \
   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

It produced this output:

C:\WINDOWS\system32>openssl req -x509 -out localhost.crt -keyout localhost.key
‘openssl’ is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32> -newkey rsa:2048 -nodes -sha256
‘-newkey’ is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32> -subj ‘/CN=localhost’ -extensions EXT -config <(
The system cannot find the file specified.

C:\WINDOWS\system32> printf “[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth”)

My web server is (include version):
Tomcat 9.0.29

The operating system my web server runs on is (include version):
Windows 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
I use Windows 10 administrator command prompt

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Hi @tangara,

Did you do anything first to install OpenSSL on your system? I’m not 100% sure of this because I don’t use Windows, but I don’t think OpenSSL comes preinstalled on Windows systems, but rather has to be downloaded and installed separately. The error you got has two parts:

(1) It looks like your system couldn’t find OpenSSL installed at all, so it needs to be installed.

(2) Also, it looks like you pasted a single-line command as multiple lines, so the lines after the first were incorrectly interpreted as separate commands. While the backslashes (\) at the end of each line were meant to prevent that outcome, it seems they don’t have the intended effect. I see three or four indications that the command that you followed was designed for a Unix rather than a Windows environment; is it possible that you’re following a Unix-specific tutorial rather than one that includes relevant information for a Windows system? (For example, OpenSSL usually is preinstalled on most Unix systems and so there wouldn’t need to be a separate installation step for most Unix users.)

2 Likes

Hi schoen, I have followed this tutorial, which is Windows-based: https://tecadmin.net/install-openssl-on-windows/

I can’t get Linux installed in this Windows OS computer so I have to content with still using it…

Could you let me know the command to generate the certificate then?

1 Like

Hi @tangara

there is one missing step in that tutorial.

If you create a new environment variable, you have to log out and log in again, or reboot Windows, so that the variable works.

Use

set path

in a CommandBox to see if the new path is active.

Or use

cd yourPath

to go to that directory.

1 Like

I have done all that already. Because the steps are quite clear. But, I am still not able to generate the certificate.

You’re trying to get a Let’s Encrypt certificate for localhost? That won’t ever work–Let’s Encrypt only issues certs for public domain names.

1 Like

Could you let me know why this appeared on the Let’s Encrypt site: https://letsencrypt.org/docs/certificates-for-localhost/

1 Like

That’s a self-signed certificate, not a publicly trusted certificate.

But there you find the Linux command, which may not work under Windows.

Remove the

\

and write the command in one line.

1 Like

I did that but now there is a new error:

C:\Program Files\OpenSSL-Win64\bin>openssl req -x509 -out localhost.crt -keyout localhost.key
Generating a RSA private key
…+++++
…+++++
writing new private key to ‘localhost.key’
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
4156:error:2807106B:UI routines:UI_process:processing error:crypto\ui\ui_lib.c:545:while reading strings
4156:error:0906406D:PEM routines:PEM_def_callback:problems getting password:crypto\pem\pem_lib.c:59:
4156:error:0907E06F:PEM routines:do_pk8pkey:read key:crypto\pem\pem_pk8.c:83:

How to resolve the error?

1 Like

@tangara, that error is caused when the password you entered the second time didn’t match the password you entered the first time.

1 Like
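
As an added example (not written by anyone in this thread and not Let’s Encrypt’s own code): a PowerShell version of the command from the first post. It writes the config to a file because `<( ... )` is a Unix shell feature, keeps `-nodes` so no pass phrase is asked for, and checks the result. It assumes openssl.exe is on PATH; the output folder and config file name are made up for the example.

```powershell
# Added example. Assumptions: openssl.exe is on PATH; the folder and the
# config file name below are hypothetical and can be changed freely.
if (-not (Get-Command openssl -ErrorAction SilentlyContinue)) {
    throw 'openssl.exe not found on PATH; open a new prompt after editing PATH.'
}

# Work in a per-user folder rather than system32 or the OpenSSL bin directory,
# so the private key does not end up in a shared program location.
$out = Join-Path $env:USERPROFILE 'localhost-cert'
New-Item -ItemType Directory -Path $out -Force | Out-Null
Set-Location $out

# The same config the printf in the original command produces, as a real file.
$cfg = Join-Path $out 'localhost-openssl.cnf'
$lines = @(
    '[dn]'
    'CN=localhost'
    '[req]'
    'distinguished_name = dn'
    '[EXT]'
    'subjectAltName=DNS:localhost'
    'keyUsage=digitalSignature'
    'extendedKeyUsage=serverAuth'
)
# ASCII keeps a byte-order mark out of the file, which openssl would not parse.
Set-Content -Path $cfg -Value $lines -Encoding Ascii -ErrorAction Stop

# One command. The backtick is PowerShell's line continuation; the trailing
# backslash from the Unix version means nothing here or in cmd.exe.
# -nodes writes the key unencrypted, so there is no pass phrase prompt;
# the key file must therefore stay readable only by you and the web server.
& openssl req -x509 -out localhost.crt -keyout localhost.key `
    -newkey rsa:2048 -nodes -sha256 `
    -subj '/CN=localhost' -extensions EXT -config $cfg
if ($LASTEXITCODE -ne 0) { throw "openssl req failed with exit code $LASTEXITCODE" }

# Check what was written: the certificate must carry the DNS:localhost SAN.
$text = & openssl x509 -in localhost.crt -noout -text
if (-not ($text | Select-String -SimpleMatch 'DNS:localhost')) {
    throw 'Certificate was written but has no DNS:localhost subjectAltName.'
}
$text | Select-String 'Subject:|Not After|DNS:'
```

The result is self-signed, so browsers will only accept it after it is imported into the local trust store.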