All Collections
Troubleshooting and How-To
How-To Articles
How to generate your own / self-signed SSL certificates for use with an On-Premise deployments
How to generate your own / self-signed SSL certificates for use with an On-Premise deployments
Written by Arick Disilva
Updated over a week ago

We recommend consulting with your security team to determine if a self-signed certificate or a third-party trusted CA is right for your deployment. For an example on how to use a third-party certificate with Teramind, check out this link.


In this article we will show you how to generate your own authority certificates via OpenSSL for use with your Teramind On-Premise deployment.

If you are using a network with domains then use Windows Certificate Center instead. In domain network root certificate gets auto-deployed to all joined stations.

Step 1: Install and run OpenSSL

1. Download latest OpenSSL binaries from here:

2. Run the OpenSSL in admin mode.

OpenSSL is a third-party product developed by OpenSSL organization. Teramind isn’t associated with the OpenSSL organization or it’s affiliated and cannot be held responsible for its use. Please use the software at your own risk.

Step 2: Generate the root private key

Run the following command in the OpenSSL command line:

openssl genrsa -out rootCA.key 4096

Step 3: Create a self-signed certificate

Run the following command in the OpenSSL command line:

openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 3650 -out rootCA.pem

You’ll be asked various questions (Country, State/Province, etc.). Answer them how you see fit. The important question to answer though is common-name:

Common Name (eg, YOUR name) []: MyRootCA

Step 4: Install the root certificate on the workstation(s)

You will need to install the root certificate in the trusted certificate repositories of your workstations.

Internet Explorer / Google Chrome

Both IE and Chrome use system certificate store. You can install certificates for these browser from the Windows Certificate Manager:


1. Open Windows Certificate Manager (run certmgr.msc from the command prompt).

2. From the left panel (Certificates - Current User), select Trusted Root Certification Authorities > Certificates.

3. Right-click on Certificates and select All Tasks > Import. Then follow the on-screen instructions to import your certificate.


Firefox has its own certificate repository. If you use Internet Explorer or Chrome as well as Firefox, you’ll have to install the root certificate in both the Windows repository and the Firefox repository.


1. Open Firefox and click the Menu icon.

2. Select Options

3. Select Privacy & Security from the left-panel.

4. Scroll down until you can see the Certificates section. Click the View Certificates button. A pop-up window will open:


5. Select the Authorities tab.

6. Click the import button to import your certificate.

Safari (macOS)

1. Double-click the certificate file on Finder.

2. You will be asked to store the certificate in the Login Keychain or System Keychain. To make the certificate available to all users on the system, select the System Keychain. Otherwise, choose the Login Keychain.

3. In Keychain Access, select the System keychain.

4. Select Cloud Services Root CA certificate.

5. Select File > Get Info and expand the Trust section.

6. Change Secure Sockets Layer (SSL) value to Always Trust.

Step 5: Create a private key

To create a private key (different from the root CA), run the following command:

openssl genrsa -out onsite.key 4096

Step 6: Generate the certificate signing request

Once the key is created, you’ll generate the certificate signing request. To do so, run the following command:

openssl req -new -nodes -key onsite.key -config csrconfig.txt -out onsite.csr

Here's a sample csrconfig.txt file you can use as a reference:

[ req ]
default_md = sha512
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName =
countryName = US
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.0 =
IP.0 =

Once that’s done, you’ll sign the CSR, which requires the CA root key. Run the following command to do so:

openssl x509 -req -in onsite.csr -days 3650 -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -extensions req_ext -out onsite.crt -extfile csrconfig.txt

Step 7: Upload the certificates to your Teramind server

Login to your Teramind dashboard and do the following:

1. Click the Gear icon near the top-right corner of the dashboard.

2. Click Settings.

3. Select the Security tab.

4. Under the Host section, in the HOSTNAME field, enter the common-name you used in the previous step (e.g.,

5. Click the SAVE button.

6. Click Select file next to SELECT PRIVATE KEY and upload your onsite.key file.

7. Click Select file next to SELECT PUBLIC KEY and upload your onsite.crt file.

8. Click Select file next to SELECT ROOT CA KEY and upload your rootCA.pem file.

9. Click the VALIDATE KEYS button. After they keys are validated, you will see a "Validation is successful" message and a the VALIDATE KEYS button will be replaced by a SAVE KEYS button:

10. Click the SAVE KEYS button to save the keys.

Did this answer your question?