These instructions are geared towards Windows users, but are easily adaptable for OSX or Linux users.

In the following instructions, replace 10.20.30.40 with the IP address of your PAC controller.
  1. Create a directory in which you’ll generate your certificates.
  2. Customize the OpenSSL configuration file.
    1. Copy the default OpenSSL configuration file to your working directory.
      • On Windows, the default location is c:\OpenSSL-Win32\bin\openssl.cfg
      • On Linux, it’s often at /etc/ssl/openssl.cnf
    2. Rename the file to include the IP address of the controller, such as openssl.10.20.30.40.cfg.
    3. Open your copy of the configuration file in WordPad or any text editor other than Notepad. Even on Windows, the line endings in the configuration file are Unix-style and not usable in Notepad.
    4. Search for [ v3_ca ], which is the section that needs an extra setting.
    5. Just below the [ v3_ca ] section, add the following line, except use the controller’s IP address instead of 10.20.30.40:
      subjectAltName=IP:10.20.30.40
      
    6. Save the file
  3. Generate a self-signed certificate.

    Open a command prompt in the directory you created in step 1, and then enter the following command, being careful to replace the dummy IP addresses with the IP address of your controller.

    "c:\OpenSSL-Win32\bin\openssl.exe" req -nodes -newkey rsa:2048 -keyout privkey.10.20.30.40.key -out cert.10.20.30.40.crt -x509 -days 3650 -config openssl.10.20.30.40.cfg
    
    Generating a 2048 bit RSA private key
    ...............+++
    ............+++
    writing new private key to 'privkey.192.168.1.121.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:Temecula
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Corp
    Organizational Unit Name (eg, section) []:Engineering
    Common Name (e.g. server FQDN or YOUR name) []:10.20.30.40
    Email Address []:youremail@whatever.com
    
  4. Convert the private key to the proper format.

    PAC controllers require the private key in a different format than the default format. It is easily converted with the following instruction:

    "c:\OpenSSL-Win32\bin\openssl.exe" rsa -in privkey.10.20.30.40.key -out privkey.10.20.30.40.key
    

Next Step

Continue to Installing the Certificate.