Create self-signed TLS certificates – PKCS8 key and x509 cert (works for Graylog 2 Gelf)

Published by Okezie on


This is an overview of a simple way to create a self signed TLS key pair.  Particularly how to create the TLS files and convert the key file to the PKCS8 format.

What is TLS (Transport Layer Security)?

According to the definition on wikipedia, Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as “SSL”, are cryptographic protocols that provide communications security over a computer network. The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted.

It’s amazing how annoying it is to try to find a tutorial that shows how to create self signed certificate in the specific formats required for Graylog2.  In my case I needed an x509 cert with a PKCS8 formatted key to enable secure connection between graylog logging servers.

I like one liners and once I got a set of commands that worked, I made it as condensed as possible… could even be a one liner.

Here it is:

#Generate new key and create a self signed certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout selfsigned.key.pem -out selfsigned-x509.crt -subj "/C=US/ST=WA/L=Seattle/"


  • selfsigned.key.pem  –  PEM Key
  • selfsigned-x509.crt –  x509 Certificate
#Convert PEM key to PKCS8 format:
openssl pkcs8 -topk8 -inform PEM -outform PEM -in selfsigned.key.pem -out selfsigned-pkcs8.pem


  • selfsigned-pkcs8.pem – PKCS formatted key

Thats it.  Just change the parameters in the subject.  both of these commands can be chained into a one liner, but it’s easy enough to just run them separately.

Stay secure out there.