Creating a digital certificate with OpenSSL

You can use the OpenSSL program to create digital certificates for use with tests.

Before you begin

OpenSSL is available from the OpenSSL Project at


  1. Create a certificate authority (CA). For the purposes of testing, this CA takes the place of a recognized CA on the Internet, such as VeriSign. You use this CA to digitally sign each certificate that you plan to use for testing.
    1. Create a certificate request (CSR) file. The "subject" (-subj) describes the user of the certificate. Enter dummy values as shown. The following command line sets the password for the certificate to abcdefg.

      openssl req -passout pass:abcdefg -subj "/C=US/ST=IL/L=Chicago/O=HCL Technologies/OU=HCL Software Group/CN=HCL OneTest™ Performance CA/" -new >

    2. Create a key file,, to store the private key. This removes the password protection from the certificate request file so that you do not have to type the password every time you sign a certificate. Because the password protection has been removed, use the certificate request file for testing purposes only.

      openssl rsa -passin pass:abcdefg -in privkey.pem -out

    3. Create an X.509 digital certificate from the certificate request. The following command line creates a certificate signed with the CA private key. The certificate is valid for 365 days.

      openssl x509 -in -out -req -signkey -days 365

    4. Create a PKCS#12-encoded file containing the certificate and private key. The following command line sets the password on the P12 file to default. HCL OneTest Performance uses password of default for all PKCS#12 files by default.

      openssl pkcs12 -passout pass:default -export -nokeys -cacerts -in -out -inkey

    You now have a CA certificate (, which can be installed into the web server under test and a private key file ( that you can use to sign user certificates.
  2. Create a digital certificate for a user.
    1. Create a CSR file for the user. Set the initial password to abc. Optionally, provide an appropriate subject.

      openssl req -passout pass:abc -subj "/C=US/ST=IL/L=Chicago/O=HCL Technologies/OU=HCL Software Group/CN=John Smith/" -new > johnsmith.cert.csr

    2. Create a private key file without a password.

      openssl rsa -passin pass:abc -in privkey.pem -out johnsmith.key

    3. Create a new X.509 certificate for the new user, digitally sign it using the user's private key, and certify it using the CA private key. The following command line creates a certificate which is valid for 365 days.

      openssl x509 -req -in johnsmith.cert.csr -out johnsmith.cert -signkey johnsmith.key -CA -CAkey -CAcreateserial -days 365

    4. Optional: Create a DER-encoded version of the public key. This file contains only the public key, not the private key. Because it does not contain the private key, it can be shared, and does not need to be password protected.

      openssl x509 -in johnsmith.cert -out johnsmith.cert.der -outform DER

    5. Create a PKCS#12-encoded file. The following command line sets the password on the P12 file to default.

      openssl pkcs12 -passout pass:default -export -in johnsmith.cert -out johnsmith.cert.p12 -inkey johnsmith.key

    Repeat this step to create as many digital certificates as needed for testing. Keep the key files secure, and delete them when they are no longer needed. Do not delete the CA private key file. You need the CA private key file to sign certificates.


Now you can install the CA certificate ( into WebSphere®. Optionally, create a user certificate specifically for your web server, and install it into WebSphere.

You can use user certificates individually to record tests. To use the user certificates (johnsmith.cert.p12) during test editing and playback, compress them in ZIP format to a file with the .rcs extension. This creates a digital certificate store. To learn more digital certificate stores, see Creating a digital certificate store. You can also import user certificates into your web browser to interactively test them in your environment.