Option 1: Self-signed certificate

The following options are available for generating a self-signed ASP certificate:

Automatic generation of the ASP certificate via the OneSpan Community Portal

You can generate a key pair and a self-signed certificate from your sandbox on the OneSpan Community Portal.

The OneSpan Community Portal will generate a password-protected PKCS #12 file that contains the ASP’s key pair, as well as a PEM file that contains the certificate. The key pair and the certificate meet the requirements for ASP key pairs and certificates (see Requirements for ASP key pairs and certificates).

The OneSpan Community Portal generates the key pair and the certificate locally inside the ASP’s browser, and does not send them to OneSpan or any other party. Therefore, the ASP’s private key remains entirely under the control of the ASP.

Manual generation of the key pair and the certificate

You can manually generate a self-signed certificate for SSL/TLS client authentication.

To generate the key pair and the certificate (manually)

  1. Update the OpenSSL configuration file for client-side TLS authentication. To do so, add the following attribute to the [v3_ca] section of the OpenSSL configuration file:

    extendedKeyUsage = clientAuth

    This ensures that the certificate can be used for TLS web client authentication.

  2. Generate the key pair and the self-signed certificate with OpenSSL.

    1. Run the following command:

      openssl req ‑x509 ‑newkey rsa:2048 ‑keyout asp_root_key.pem ‑out asp_root_crt.pem ‑sha256 ‑days 1825 ‑config openssl.cnf


      • asp_root_key.pem is a PEM file that contains the ASP key pair.
      • asp_root_crt.pem is a PEM file that contains the ASP certificate.
    2. Provide a password to protect the private key, and confirm this password.

      Generating a 2048 bit RSA private key
      writing new private key to 'asp_root_key.pem'
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:

      Select a sufficiently strong password and ensure that the password is safeguarded appropriately.

    3. You will also be requested to provide some information to identify yourself. This information will be included in the ASP certificate:

      You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      Country Name (2 letter code) [AU]:
      State or Province Name (full name) [Some-State]:
      Locality Name (eg, city) []:
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:
      Organizational Unit Name (eg, section) []:
      Common Name (e.g. server FQDN or YOUR name) []:
      Email Address []:

      The ASP certificate will expire after five years.