Skip to content

Obtain SSL/TLS Certificates

You can obtain the SSL/TLS certificate in the following two ways:

  1. Self-signed certificate: It means using a certificate that is issued by yourself. However, self-signed certificates have many security risks and are only recommended for testing and verification environments.
  2. Apply or purchase a certificate: You can apply for a free certificate from Let's Encrypt or cloud vendors such as Huawei Cloud and Tencent Cloud, or purchase a paid certificate from organizations such as DigiCert. For enterprise users, it is generally recommended to apply for paid OV or above certificates to obtain a higher level of security protection.

This page introduces how to create self-signed Certificate Authority (CA) certificates to issue server and client certificates.

Create Self-Signed CA Certificates


OpenSSL is installed.

  1. Run the following command to generate a key pair. The command will prompt you to enter a password to protect the key, which will be required for generating, issuing, and verifying the certificate. Keep the key and password secure.

    openssl genrsa -des3 -out rootCA.key 2048
  2. Run the following command to generate a CA certificate using the private key from the key pair. The command will prompt you to set the certificate's Distinguished Name (DN).

    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt

Issue Server Certificates

Use the CA certificate you just generated to issue a server certificate, which is used to verify the identity of the server owner. The server certificate is usually issued to the hostname, server name, or domain name (such as We need to use the CA key (rootCA.key), CA certificate (rootCA.crt), and server Certificate Signing Request (CSR) (server.csr) to generate the server certificate.

  1. Run the following command to generate a key pair for the server certificate:

    openssl genrsa -out server.key 2048
  2. Run the following command to create a CSR using the server key pair. After the CSR is signed by the CA root certificate private key, a certificate public key file can be generated and issued to the user. This command will also prompt you to set the Distinguished Name (DN) for the certificate.

    openssl req -new -key server.key -out server.csr

    The system will prompt the following information, with corresponding meanings explained as below:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]: # country/region
    State or Province Name (full name) [Some-State]: # state/province
    Locality Name (eg, city) []: # The city or locality
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: # The full name of the organization (or company name), e.g. EMQ
    Organizational Unit Name (eg, section) []: # The name of the department or division within the organization,e.g. EMQX
    Common Name (e.g. server FQDN or YOUR name) []: # The fully-qualified domain name (FQDN) of the server that will use the certificate, e.g.
  3. Use the server CSR to generate the server certificate and specify the validity period of the certificate, which is set to 365 days in this case:

    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365

    You now have a set of certificates.

    ├── rootCA.crt
    ├── rootCA.key
    ├── server.crt
    ├── server.csr
    └── server.key

Issue Client Certificates

The steps for issuing client certificates are similar to those for issuing server certificates. The only difference is that when creating the CSR, the Common Name should be set to a unique identifier for the client, such as a username, client ID, etc.

The client certificate is signed using the same CA certificate as the server certificate. Therefore, the client certificate can also be signed with the aforementioned CA certificate.

Next Step

Once you obtain the SSL/TLS certificates, you can enable the client's SSL/TLS connections. You can also update the certificates when they are expired.