This article will show you how to take an existing trust anchor key-pair and use it to generate domain certificates that can be used by the DIRECT Project. This assumes you have the openssl command-line utility (available on Linux/Mac).

Prerequisites: You must have the certificate and key associated with your trust anchor (trustanchor.pem, trustanchor.key) before performing these steps. If your trust anchor key has a passphrase, you will need to know that as well.

Let's say our domain is and we need to generate a certificate for this domain.

The first step is to generate a certificate signing request (CSR) for the domain.

$ openssl req \
    -newkey rsa:2048 \
    -nodes \
    -days 3650 \
    -out \
    -keyout \
    -subj '/C=US/ST=New York/L=New York City/O=Acme Corp/'

This will create two files. The first is the CSR, and the second is the private key for this domain.

Next, we need to sign the CSR using our trust anchor.

$ openssl x509 -req \
    -in \
    -CA trustanchor.pem \
    -CAkey trustanchor.key \
    -CAcreateserial \
    -out \
    -days 3650

This will use the trust anchor’s certificate and key to issue a domain certificate. The new certificate will be available in

Note: If your CA has a passphrase, you will be prompted to enter it here.

The DIRECT project requires all certificates be in DER format. To convert from PEM to DER format, do the following:

$ openssl x509 -outform der -in -out

Finally, you need to create a PKCS12 key-pair. This will need to be uploaded to the DIRECT application so it can be served over DNS.

$ openssl pkcs12 -export \
    -in \
    -inkey \
    -out \
    -name 'direct_keypair'

Note: Many DIRECT applications require that the .p12 file have an empty passphrase. When you are prompted to enter a passphrase, be sure to just push Enter.

You have now successfully generated a domain certificate for!

Just to be sure, you should inspect your new certificate to make sure it looks correct. To view the certificate, do the following:

$ openssl x509 -in -text

You should see a response with something similar to:

    Version: 1 (0x0)
    Serial Number:
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=Acme Corp Trust Authority
        Not Before: Mar  1 21:05:07 2013 GMT
        Not After : Feb 27 21:05:07 2023 GMT
    Subject: C=US, ST=New York, L=New York City, O=Acme Corp/,
    Subject Public Key Info:
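
Reading the text dump does not prove that the certificate chains to the trust anchor, that the private key belongs to it, or that the .p12 opens with an empty passphrase. The script below checks all three. It is an added example, not part of the original article; the throwaway trust anchors, the file names and the domain direct.example.test are constructed for the demonstration.

```shell
# Added example, not from the original article. The trust anchors are throwaway
# keys; file names, subjects and direct.example.test are constructed.

# Does the domain certificate verify against the trust anchor?
chains_to_anchor() {    # $1 = trust anchor PEM, $2 = domain certificate PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Do the certificate and the private key carry the same public key?
key_matches_cert() {    # $1 = certificate PEM, $2 = private key PEM
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the PKCS12 bundle open with an empty passphrase?
p12_opens_empty() {     # $1 = .p12 file
    openssl pkcs12 -in "$1" -passin pass: -nokeys >/dev/null 2>&1
}

# Which algorithm signed the certificate?
sig_alg() {             # $1 = certificate PEM
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Run the article's steps in directory $1 (in a subshell) with constructed names.
build_demo() (
    cd "$1" || exit 1
    exec >/dev/null 2>&1
    for ca in trustanchor other; do     # "other" is an unrelated anchor
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo $ca" \
            -keyout "$ca.key" -out "$ca.pem" || exit 1
    done
    openssl req -newkey rsa:2048 -nodes -subj '/O=Acme Corp/CN=direct.example.test' \
        -keyout domain.key -out domain.csr &&
    openssl x509 -req -in domain.csr -CA trustanchor.pem -CAkey trustanchor.key \
        -CAcreateserial -days 30 -out domain.pem &&
    openssl x509 -outform der -in domain.pem -out domain.der &&
    openssl pkcs12 -export -in domain.pem -inkey domain.key -passout pass: \
        -name direct_keypair -out domain.p12
)

work=$(mktemp -d) && build_demo "$work" || { echo "demo setup failed" >&2; exit 1; }
chains_to_anchor "$work/trustanchor.pem" "$work/domain.pem" && echo "chain: ok"
chains_to_anchor "$work/other.pem" "$work/domain.pem" || echo "unrelated anchor: rejected"
key_matches_cert "$work/domain.pem" "$work/domain.key" && echo "key: matches"
p12_opens_empty "$work/domain.p12" && echo "p12: opens with empty passphrase"
echo "signature: $(sig_alg "$work/domain.pem")"
```

To check real files, call the four check functions with your own trust anchor, domain certificate, key and .p12 paths instead of the demo directory.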