how-to: create self-signed certificate on windows using openssl inside docker

I regularly need self-signed certificates for development or testing purposes. On macOS or Linux machines creating one is dead-simple thanks to OpenSSL:

openssl req -newkey rsa:2048 -keyout privkey.pem -x509 -days 365 -out fullchain.pem

The problem arises when you are working on Windows, where the above command won't work. As a workaround you can install Cygwin or OpenSSL for Windows, but if you already have Docker installed there is a much neater way: use a lightweight Linux container with OpenSSL to create your certificate. That way you don't have to install anything and can use the same commands on all platforms.

1. create the OpenSSL image

First we need an image for a container that has OpenSSL installed. To achieve that we can create the following Dockerfile:

# we use the tiny alpine linux as base
FROM alpine:3.8

# install openssl (--no-cache fetches the package index without storing it,
# so no separate update or cache cleanup is needed)
RUN apk add --no-cache openssl

# create and set mount volume
WORKDIR /openssl-certs
VOLUME  /openssl-certs

ENTRYPOINT ["openssl"]

Open a terminal, navigate to the folder containing the above Dockerfile and build the image:

docker build -t my-openssl:latest .

Nice! Next up we will use the image to create a container that will generate certificates with OpenSSL for us.

2. using the image

Ok, now we can start our "certificate generator" container (make sure to replace "C:/some/path" with the path where you want your certificate):

docker run -it --rm -v "C:/some/path:/openssl-certs" my-openssl

Thanks to --rm the container will be removed automatically after we have generated our certificate.

We should see OpenSSL running, greeting us with OpenSSL> and patiently awaiting our instructions. Now we can basically type the same OpenSSL command as above (we only omit openssl at the beginning, because OpenSSL is already started):

req -newkey rsa:2048 -keyout privkey.pem -x509 -days 365 -out fullchain.pem

Follow the on-screen instructions to generate your certificate. After you reach OpenSSL> again, type exit and tada: your certificate should now be located under "C:\some\path" ready to be used!
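
A non-interactive variant of the two steps above, as an added example that is not from the original post: because the image's ENTRYPOINT is openssl, the req arguments can be passed straight to docker run, and the result can be checked before use. The file name san.cnf, the localhost subject and subjectAltName, the use of -nodes (unencrypted key) and the icacls step are assumptions of this example.

```powershell
# Added example, not from the original post. Assumes the my-openssl image
# built in step 1; san.cnf and the localhost names are constructed values.
$CertDir = $PWD.Path -replace '\\', '/'   # host folder that receives the files

function Invoke-OpenSsl {
    # ENTRYPOINT is "openssl", so everything after the image name is passed to it
    docker run --rm -v "${CertDir}:/openssl-certs" my-openssl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args[0]) failed" }
}

# prompt = no makes req read the subject from the file instead of asking;
# a config file carries the SAN so this also works on older OpenSSL builds
$cnf = @'
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = localhost
[v3]
subjectAltName = DNS:localhost,IP:127.0.0.1
'@
Set-Content -Path (Join-Path $PWD.Path 'san.cnf') -Value $cnf -Encoding ascii

# -nodes writes the private key unencrypted (no passphrase prompt)
Invoke-OpenSsl req -newkey rsa:2048 -nodes -keyout privkey.pem `
    -x509 -days 365 -out fullchain.pem -config san.cnf

# The certificate and the key must carry the same RSA modulus
$certMod = Invoke-OpenSsl x509 -noout -modulus -in fullchain.pem
$keyMod  = Invoke-OpenSsl rsa  -noout -modulus -in privkey.pem
if ($certMod -ne $keyMod) { throw 'privkey.pem does not match fullchain.pem' }

# Confirm the SAN made it into the certificate
$text = Invoke-OpenSsl x509 -noout -text -in fullchain.pem
if (-not ($text -match 'DNS:localhost')) { throw 'subjectAltName missing' }

# The key is unencrypted, so limit it to the current user on the host
icacls privkey.pem /inheritance:r /grant:r "${env:USERNAME}:(R)" | Out-Null
```

Run it from the folder where the certificate should be created; that folder is what gets mounted at /openssl-certs.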

Admittedly, this seems like a lot of work at first. But you will only have to build your image once. After that you can use it to create as many certificates as you want almost exactly like you would on macOS or Linux. If you have Docker installed and are familiar with it, I think this is a fast and neat way to create self-signed certificates on a Windows machine.
