Obtaining a certificate

Certificates are files that uniquely identify people and resources on the Internet. They are required to enable secure, confidential communication between two entities.
For production purposes, it is highly recommended that you obtain a proper certificate issued by an official Certificate Authority (CA).

Certificates can be obtained from many different commercial parties. If you use certificates for other applications, you are likely already dealing with a Certificate Authority. Alternatively, you may turn to a service like Let’s Encrypt, which provides an easy way of obtaining an official certificate for free (the drawback is, you will have to renew the certificate more frequently).

Certificates are associated with a specific domain, so this will usually be handled by the person managing that domain, typically someone in your IT department.

Sometimes a server has not been added to a domain - the OL Connect Server, for example -, or a local domain is used for internal servers. In cases like these, the IT department could either manage and create their own certificates, or use self-signed certificates.

Creating self-signed certificates

Self-signed certificates are public key certificates that are not issued by a trusted certificate authority. Because of this, they are more used in testing than for actual deployment.

The easiest way to create a self-signed certificate is to simply go to an online certificate generator such as selfsignedcertificate.com. Just type a server name, domain, or even just localhost, and download the certificate and its private key.

Alternatively, you can create your own certificate locally by using OpenSSL. Getting OpenSSL may be a bit of a pain; you have to either compile it yourself, or get it from a third party that you trust. A nice source can be Git, as that has OpenSSL bundled.

Creating the certificate and private key is a single command. For example:

openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

Or like this, if you don’t want a password for the key file:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

You could also create self-signed certificates directly with Windows PowerShell, but you would still have to use OpenSSL to extract the certificate and the corresponding key from the .pfx file that you would get from the store.

Note: Keep in mind that when using a self-signed certificate, clients (e.g. browsers) might need to be told to trust it.