Generating a PKCS#12 Private Key and Public Certificate

This article discusses how to generate a PKCS#12 private key and public certificate file that is suitable for use with HTTPS, FTPS, and the administrative port for Secure FTP Server-FIPS. (To convert an incompatible PKCS#12 format file, refer to Converting an Incompatible PKCS#12 Format File to a Compatible PKCS#12.)

General Information

Each of the above combinations uses RSA key exchange; therefore, RSA based key/certificates must be used.


These instructions assume you have downloaded and installed the Windows binary distribution of OpenSSL. Refer to Using OpenSSL for the general instructions

  1. Generate an RSA private key:

  2. >C:\Openssl\bin\openssl.exe genrsa -out <Key Filename> <Key Size>


    For example, type:

    >C:\Openssl\bin\openssl.exe genrsa -out my_key.key 2048

  3. Generate a Certificate Signing Request:

  4. In version 0.9.8g:

    >C:\Openssl\bin\openssl.exe req -new -key <Key Filename> -out <Request Filename> -config C:\Openssl\bin\openssl.cnf


    In version 0.9.8h and later:

    >C:\Openssl\bin\openssl.exe req -new -key <Key Filename> -out <Request Filename> -config C:\Openssl\bin\openssl.cfg


    For example, type:

    >C:\Openssl\bin\openssl.exe req -new -key my_key.key -out my_request.csr -config C:\Openssl\bin\openssl.cnf

  5. Follow the on-screen prompts for the required certificate request information.

  6. Generate a self-signed public certificate based on the request

  7. >C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in <Request Filename> -signkey <Key Filename> -out <Certificate Filename>


    For example, type:

    >C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in my_request.csr -signkey my_key.key -out my_cert.crt

  8. Generate a PKCS#12 file:

  9. >C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in <Public Certificate Filename> -inkey <Private Key Filename> -out <PKCS#12 Filename> -name "<Display Name>"


    For example, type:

    >C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_cert.crt -inkey my_key.key -out my_pkcs12.pfx -name "my-name"

  10. (Optional) Delete unneeded files. At this point, you only need the PKCS#12 format file, so you can delete the certificate signing request (.csr) file, the private key (.key) file, and the public certificate (.crt) file.

The resulting PKCS#12 format file may now be used within Secure FTP Server - FIPS.