Generating the ASP certificate: Self-signed certificate

You can generate a self-signed ASP certificate automatically via the OneSpan Community Portal or manually using a certificate management tool such as OpenSSL.

Generating the ASP certificate automatically via the OneSpan Community Portal

You can generate a key pair and self-signed certificate from your sandbox on the OneSpan Community Portal (start page:

The OneSpan Community Portal will generate a password-protected PKCS #12 file containing the ASP’s key pair, as well as a PEM file containing the certificate. The key pair and certificate meet the requirements for ASP key pairs and certificates (see Requirements for ASP key pairs and certificates).

The OneSpan Community Portal also generates the key pair and certificate locally inside the ASP’s browser, and does not send them to OneSpan or any other party. Therefore the ASP’s private key remains entirely under the sole control of the ASP.

Generating a key pair and certificate (manually)

The following procedure explains how to generate a self-signed certificate that can be used for SSL/TLS client authentication.

To generate a key pair and certificate (manually)

  1. Update the OpenSSL configuration file for client-side TLS authentication by adding the following attribute to the [v3_ca] section of the OpenSSL configuration file:

    extendedKeyUsage = clientAuth

    This will ensure that the certificate can be used for TLS web client authentication.

  2. Generate a key pair and self-signed certificate using OpenSSL:

    1. Execute the following command:

      openssl req -x509 -newkey rsa:2048 -keyout asp_root_key.pem -out asp_root_crt.pem -sha256 -days 1825 -config openssl.cnf


      • asp_root_key.pem is a PEM file containing the ASP key pair.
      • asp_root_crt.pem is a PEM file containing the ASP certificate.
    2. Provide a password to protect the private key, and confirm this password.

      Generating a 2048 bit RSA private key
      writing new private key to 'asp_root_key.pem'
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:

      Select a sufficiently strong password and ensure that the password is safeguarded appropriately.

    3. You will also be requested to provide some information to identify yourself. This information will be included in the ASP certificate:

      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      Country Name (2 letter code) [AU]:
      State or Province Name (full name) [Some-State]:
      Locality Name (eg, city) []:
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:
      Organizational Unit Name (eg, section) []:
      Common Name (e.g. server FQDN or YOUR name) []:
      Email Address []:

      The ASP certificate will expire after five years.
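
To confirm that a generated certificate carries what the procedure above sets (the clientAuth extended key usage, a 2048-bit RSA key, a SHA-256 signature, and a validity period that has not ended), the following added example inspects it with openssl x509. It is not part of the OneSpan documentation. The function names, the temporary configuration file and the demo pass phrase are assumptions made for illustration; the pass phrase is given on the command line only because the demo key is discarded.

```shell
# Added example, not OneSpan code. Function names, the temp config and the
# demo pass phrase are constructed for illustration.

# Return 0 only if CERT has the properties the req command above sets.
check_asp_cert() {
    cert=$1; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    has() { case $text in *"$1"*) return 0 ;; esac; return 1; }
    # extendedKeyUsage = clientAuth prints as "TLS Web Client Authentication"
    has 'TLS Web Client Authentication' ||
        { echo "FAIL: extendedKeyUsage lacks clientAuth"; rc=1; }
    # -sha256 with an RSA key
    has 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "FAIL: signature is not SHA-256 with RSA"; rc=1; }
    # -newkey rsa:2048
    has 'Public-Key: (2048 bit)' ||
        { echo "FAIL: public key is not 2048-bit RSA"; rc=1; }
    # -checkend 0 fails once notAfter has passed
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert"
    return "$rc"
}

# Write a throwaway key and certificate into DIR with the page's req command,
# using EKU as the extendedKeyUsage value. Constructed test data only.
make_demo_cert() {
    dir=$1; eku=$2
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed-demo-asp
[v3_ca]
basicConstraints = CA:TRUE
extendedKeyUsage = $eku
EOF
    openssl req -x509 -newkey rsa:2048 -keyout "$dir/key.pem" \
        -out "$dir/crt.pem" -sha256 -days 1825 -config "$dir/openssl.cnf" \
        -passout pass:constructed-demo-only 2>/dev/null
}

# Demo: clientAuth passes the check, serverAuth is reported.
tmp=$(mktemp -d) && mkdir "$tmp/good" "$tmp/bad"
make_demo_cert "$tmp/good" clientAuth && check_asp_cert "$tmp/good/crt.pem"
make_demo_cert "$tmp/bad" serverAuth && check_asp_cert "$tmp/bad/crt.pem" || true
rm -rf "$tmp"
```

To check the certificate produced in step 2, call check_asp_cert asp_root_crt.pem.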