# Create and sign an X509 certificate

You can create an X509 certificate for your application with `OpenSSL`. OpenSSL is a standard, open source library that supports a wide range of cryptographic functions, including the creation and signing of x509 certificates. For more information about OpenSSL, visit [www.openssl.org](https://www.openssl.org/).

**Note**
You only need to create a certificate locally if you want to [use HTTPS in a single instance environment](https-singleinstance.md) or [re-encrypt on the backend](configuring-https-endtoend.md) with a self-signed certificate. If you own a domain name, you can create a certificate in AWS and use it with a load-balanced environment for free by using AWS Certificate Manager (ACM). See [Request a Certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request.html) in the *AWS Certificate Manager User Guide* for instructions.

## Prerequisites

Run `openssl version` at the command line to see if you already have OpenSSL installed. If you don't, you can build and install the source code using the instructions at the [public GitHub repository](https://github.com/openssl/openssl), or use your favorite package manager.

OpenSSL is also installed on Elastic Beanstalk's Linux images, so a quick alternative is to connect to an EC2 instance in a running environment by using the [EB CLI](eb-cli3.md)'s **eb ssh** command:

```
~/eb$ eb ssh
[ec2-user@ip-255-55-55-255 ~]$ openssl version
OpenSSL 1.0.1k-fips 8 Jan 2015
```

You need to create an RSA private key to create your certificate signing request (CSR).

## Create a private key

To create your private key, use the **openssl genrsa** command:

```
[ec2-user@ip-255-55-55-255 ~]$ openssl genrsa 2048 > {{privatekey.pem}}
Generating RSA private key, 2048 bit long modulus
.................................................................................................................................+++
...............+++
e is 65537 (0x10001)
```

{{privatekey.pem}}
The name of the file where you want to save the private key.

Normally, the **openssl genrsa** command prints the private key contents to the screen, but this command redirects the output to a file. Choose any file name, and store the file in a secure place so that you can retrieve it later. If you lose your private key, you won't be able to use your certificate.

## Create a certificate signing request

A CSR is a file you send to a certificate authority (CA) to apply for a digital server certificate. To create a CSR, use the **openssl req** command:

```
$ openssl req -new -key {{privatekey.pem}} -out {{csr.pem}}
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
```

Enter the information requested and press **Enter**. The following table describes and shows examples for each field.

| Name | Description | Example |
| --- | --- | --- |
| Country Name | The two-letter ISO abbreviation for your country. | US = United States |
| State or Province | The name of the state or province where your organization is located. You cannot abbreviate this name. | Washington |
| Locality Name | The name of the city where your organization is located. | Seattle |
| Organization Name | The full legal name of your organization. Do not abbreviate your organization name. | Example Corporation |
| Organizational Unit | Optional, for additional organization information. | Marketing |
| Common Name | The fully qualified domain name for your web site. This must match the domain name that users see when they visit your site; otherwise, browsers show certificate errors. | www.example.com |
| Email address | The site administrator's email address. | someone@example.com |

## Sign the certificate

You can submit the signing request to a third party for signing, or sign it yourself for development and testing. Self-signed certificates can also be used for backend HTTPS between a load balancer and EC2 instances.

To sign the certificate, use the **openssl x509** command. The following example uses the private key from the previous step ({{privatekey.pem}}) and the signing request ({{csr.pem}}) to create a public certificate named {{public.crt}} that is valid for {{365}} days.

```
$ openssl x509 -req -days {{365}} -in {{csr.pem}} -signkey {{privatekey.pem}} -out {{public.crt}}
Signature ok
subject=/C=us/ST=washington/L=seattle/O=example corporation/OU=marketing/CN=www.example.com/emailAddress=someone@example.com
Getting Private key
```

Keep the private key and public certificate for later use. You can discard the signing request. Always [store the private key in a secure location](https-storingprivatekeys.md) and avoid adding it to your source code.

## Convert the certificate to PFX format

To use the certificate with the Windows Server platform, you must convert it to a PFX format. Use the following command to create a PFX certificate from the private key and public certificate files:

```
$ openssl pkcs12 -export -out {{example.com}}.pfx -inkey {{privatekey.pem}} -in {{public.crt}}
Enter Export Password: {{password}}
Verifying - Enter Export Password: {{password}}
```

Now that you have a certificate, you can [upload it to IAM](configuring-https-ssl-upload.md) for use with a load balancer, or [configure the instances in your environment to terminate HTTPS](https-singleinstance.md).
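The whole procedure above (key, CSR, self-signed certificate, PFX) can be run non-interactively and then checked before the files are uploaded. The following script is an added example, not part of the original page or of OpenSSL's own documentation; it assumes `openssl` is on `PATH`, and the working directory, file names, subject values and password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): runs the page's procedure without
# interactive prompts, then checks the result. Assumes `openssl` is on PATH;
# the directory, file names, subject values and password are constructed here.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/privatekey.pem"; CSR="$WORKDIR/csr.pem"; CRT="$WORKDIR/public.crt"

# Steps from the page: private key -> CSR -> self-signed certificate.
# -subj supplies the Distinguished Name fields from the page's table, so
# `openssl req` does not prompt for them.
make_selfsigned_cert() {
    cn="$1"; days="$2"
    openssl genrsa 2048 > "$KEY" 2>/dev/null
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=US/ST=Washington/L=Seattle/O=Example Corporation/OU=Marketing/CN=$cn"
    openssl x509 -req -days "$days" -in "$CSR" -signkey "$KEY" -out "$CRT" 2>/dev/null
}

# CN from the certificate subject: this is the value clients compare
# against the host name, so check it before uploading.
cert_cn() {
    openssl x509 -in "$CRT" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Confirm the certificate carries the public half of this private key.
# A mismatched pair is the usual cause of a rejected upload.
key_matches_cert() {
    [ "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$CRT" -noout -pubkey)" ]
}

# Windows platform step: bundle key + certificate into a password-protected
# PFX, then confirm the bundle opens with that password.
make_pfx() {
    openssl pkcs12 -export -out "$WORKDIR/example.com.pfx" -inkey "$KEY" -in "$CRT" \
        -passout "pass:$1"
    openssl pkcs12 -in "$WORKDIR/example.com.pfx" -passin "pass:$1" -noout
}

make_selfsigned_cert www.example.com 365
echo "certificate CN: $(cert_cn)  (files in $WORKDIR)"
key_matches_cert && echo "private key matches certificate"
```

The private key, CSR and certificate are left in `$WORKDIR` so you can inspect them; delete the directory when you are done with the demo.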