For most S/MIME compatible email clients, you must obtain a PKCS12 format certificate before you can upload your private key and/or others’ public key for secure email communication.

The first way you can do this is, of course, to apply such a certificate from a trusted Certificate Authority (CA), such as VeriSign. But can you do this without a CA?

Yes, it is possible for you to generate such a certificate manually using open source software. However, note that the certificate is self-signed, meaning it is signed by you as the trusted root source.

To do this, you have first to download a piece of software than can generate PCKS12 format certificates. The most common one is OpenSSL software.  You can visit this website to know more:

The original OpenSSL software is made primarily to be run on the Linux platform. As a general Windows user, you might need to use the program on a Windows platform, and may not know how to compile the source code of OpenSSL to make it run on a Windows platform. If you have this headache, you can try the Windows compatible OpenSSL work available for free here:

Upon successful installation of the software, go to the bin directory of your installation to locate the software openssl.exe that you need to use to generate PKCS12 certificate.

I followed the instructions here to create my own certificate:

I have added my own explanations and remarks and simplified a bit the process. Here are the steps:

Assume you have installed your software on the path c:\Openssl

1.    Generate a RSA Private Key in PEM format

>C:\Openssl\bin\openssl.exe genrsa -out my_key.key 2048

  • my_key.key  is the desired filename for the private key file
  • 2048  is the desired key length of either 1024, 2048, or 4096

2.    Generate a Certificate Signing Request:
>C:\Openssl\bin\openssl.exe req –new –key my_key.key –out my_request.csr

  • my_key.key is the input filename of the previously generated private key
  • my_request.csr  is the output filename of the certificate signing request

3.    Follow the on-screen prompts for the required certificate request information.
4.    Generate a self-signed public certificate based on the request.
>C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in my_request.csr -signkey my_key.key -out my_cert.crt

my_request.csr  is the input filename of the certificate signing request
my_key.key is the input filename of the previously generated private key
my_cert.crt  is the output filename of the public certificate
3650 are the duration of validity of the certificate. In this case, it is 10 years (10 x 365 days)
x509 is the X.509 Certificate Standard that we normally use in S/MIME communication

This essentially signs your own public certificate with your own private key. In this process, you are now acting as the CA yourself!
5.    Generate a PKCS#12 file:
>C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_cert.crt -inkey my_key.key -out my_pkcs12.pfx -name “my-name”

  • my_cert.crt  is the input filename of the public certificate, in PEM format
  • my_key.key  is the input filename of the private key
  • my_pkcs12.pfx  is the output filename of the pkcs#12 format file
  • my-name  is the desired name that will sometimes be displayed in user interfaces.

6.    (Optional) You can delete the certificate signing request (.csr) file and the private key (.key) file.
7.    Now you can import your PKCS#12 file to your favorite email client, such as Microsoft Outlook or Thunderbird. You can now sign an email you send out using your own generated private key. For the public certificate (.crt) file, you can send this to others when requesting them to send an encrypted message to you.

Tags: self-signed Public Key, OpenSSL command