
NuGet Package Signing

To generate a certificate for NuGet package signing using OpenSSL, you need to create a code-signing certificate. This certificate will be used to sign your NuGet packages, ensuring their authenticity and integrity.

Below is a step-by-step guide to generate a self-signed certificate using OpenSSL. If you need a certificate from a trusted Certificate Authority (CA), you can use the same process to generate a Certificate Signing Request (CSR) and submit it to a CA.

Step 1: Install OpenSSL

Ensure OpenSSL is installed on your system. You can download the binaries from OpenSSL's official website or install it via a package manager.

On Windows, with Chocolatey:

```bash
choco install openssl
```

On Debian/Ubuntu Linux, with apt-get:

```bash
sudo apt-get install openssl
```

On macOS, with Homebrew:

```bash
brew install openssl
```

Step 2: Generate a Private Key

Use OpenSSL to generate a private key. This key will be used to sign your certificate. The -aes256 option encrypts the key file with a passphrase, which OpenSSL prompts for.

```bash
openssl genpkey -algorithm RSA -out private.key -aes256
```

Step 3: Generate a Certificate Signing Request (CSR)

Create a configuration file that contains all the required information for the CSR (Certificate Signing Request), then reference this file when running the openssl req command.

Create a file named openssl.cnf with the following content:

```ini
[req]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name

[req_distinguished_name]
C  = DE
ST = Bavaria
L  = Nuremberg
O  = GridLab
OU = Grid Simulation
CN = Deniz Raif Durmaz
emailAddress = denizraifdurmaz@gmail.com
```

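Run the openssl req command and reference the configuration file using the -config option. Because -key supplies the existing key from Step 2, no new key is generated and default_bits is not used: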

```bash
openssl req -new -key private.key -out certificate.csr -config openssl.cnf
```

Explanation:

  • -key private.key: Specifies the private key file.
  • -out certificate.csr: Specifies the output CSR file.
  • -config openssl.cnf: Specifies the configuration file to use.

Step 4: Verify the CSR

You can verify the contents of the generated CSR using the following command:

```bash
openssl req -in certificate.csr -noout -text
```

Step 5: Generate a Self-Signed Certificate

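If you don't want to use a trusted CA, you can generate a self-signed certificate directly. The command below signs the CSR with your own private key (-signkey), sets a validity of 365 days, and writes the certificate in DER format.

DER format is commonly used in environments where binary certificates are required (e.g., some Windows systems or specific applications).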

```bash
openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out certificate.cer -outform DER
```
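
A non-interactive run of Steps 2 to 5 followed by consistency checks on the results, as an added example that is not part of the original guide. The function names run_steps and check_signing_cert, the passphrase file and the subject CN are constructed for this demo; the 2048-bit minimum is taken from default_bits in the configuration above.

```bash
#!/usr/bin/env bash
# Added example: run Steps 2-5 without prompts, then check the artifacts.
# Passphrase file, subject CN and function names are constructed for this demo.

# run_steps DIR: create private.key, certificate.csr and certificate.cer (DER) in DIR.
run_steps() {
  local dir=$1
  printf '%s\n' 'constructed-demo-passphrase' > "$dir/pass.txt"
  printf '%s\n' '[req]' 'prompt = no' 'default_md = sha256' \
    'distinguished_name = dn' '[dn]' 'CN = Example Package Signer' > "$dir/openssl.cnf"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 \
    -pass "file:$dir/pass.txt" -out "$dir/private.key" 2>/dev/null &&
  openssl req -new -key "$dir/private.key" -passin "file:$dir/pass.txt" \
    -out "$dir/certificate.csr" -config "$dir/openssl.cnf" &&
  openssl x509 -req -days 365 -in "$dir/certificate.csr" \
    -signkey "$dir/private.key" -passin "file:$dir/pass.txt" \
    -out "$dir/certificate.cer" -outform DER 2>/dev/null
}

# check_signing_cert KEY CSR CERT PASSFILE: return 0 only if the CSR self-signature
# verifies, CSR and certificate carry KEY's public key, the key is at least
# 2048 bits and the certificate has not expired.
check_signing_cert() {
  local key=$1 csr=$2 cert=$3 pass=$4 key_pub csr_pub cert_pub bits
  key_pub=$(openssl pkey -in "$key" -passin "file:$pass" -pubout 2>/dev/null) ||
    { echo "cannot decrypt private key" >&2; return 1; }
  # Match on the message text rather than relying on the exit status alone.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "CSR self-signature does not verify" >&2; return 1; }
  csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  cert_pub=$(openssl x509 -in "$cert" -inform DER -noout -pubkey 2>/dev/null) ||
    { echo "cannot parse certificate" >&2; return 1; }
  [ "$key_pub" = "$csr_pub" ] && [ "$key_pub" = "$cert_pub" ] ||
    { echo "public key mismatch between key, CSR and certificate" >&2; return 1; }
  bits=$(openssl x509 -in "$cert" -inform DER -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "key too short: ${bits:-?} bits" >&2; return 1; }
  openssl x509 -in "$cert" -inform DER -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired" >&2; return 1; }
}

# Demo in a scratch directory with a throwaway key.
work=$(mktemp -d)
run_steps "$work" && check_signing_cert "$work/private.key" \
  "$work/certificate.csr" "$work/certificate.cer" "$work/pass.txt" &&
  echo "artifacts consistent"
```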