A private-public key-pair is easy to generate. Likewise, an “uncertified” certificate may be generated with little effort, but obtaining a trustworthy certificate from a CA necessarily requires some work, time, and (usually) cost. It involves interacting with the CA to prove identity, and waiting for the CA to digitally sign the certificate.
Earlier versions of Microsoft Visual Studio have a command-line utility called makecert which may be used to generate private keys and certificates of the PVK and CER formats, respectively.
Alternatively OpenSSL may be used (makecert is now deprecated).
To generate a self-signed certificate with a 2048 bit RSA key using OpenSSL, the command below can be used:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
If a certificate issued by a CA is required, a private key and certificate signing request must be generated:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
The request (CSR.csr) must be sent to the CA, who will issue a certificate. The private key must be kept as it will match the public key of the certificate.
OpenSSL binaries for Windows may be obtained from here, or by installing Cygwin.
Next: Server and Client Validation