Getting Started

Bobby Bonestell edited this page May 13, 2026 · 2 revisions

This guide walks you through installing SelfCertForge and completing the core setup: creating a root CA, trusting it on your machine, and issuing your first signed certificate.

Install

Download the installer for your platform from the latest release:

  • macOS: SelfCertForge-osx-Setup.pkg
  • Windows: SelfCertForge-win-x64-Setup.exe

Run the installer and launch SelfCertForge.

Step 1: Create a Root CA

Your root CA is the foundation — you create it once and use it to sign all your certificates.

  1. Go to the Authorities page in the sidebar
  2. Click Forge New Root Certificate
  3. Fill in the fields:
    • Name — a label for this CA within the app (e.g. Home Lab CA)
    • Common Name (CN) — the canonical name for the CA (e.g. homelab-root)
    • Validity — how long the root CA is valid; 3650 days (~10 years) is a good default
    • Key Size — 2048-bit is the default and broadly compatible; use 4096 for higher security
    • Subject fields (Organization, City, Country, etc.) are optional but useful for identification
  4. Click Forge — SelfCertForge generates the root certificate and private key

Note

The 398-day browser limit does not apply to root CAs. Roots are trusted explicitly by the OS, so a 10-year or longer validity is normal and expected.

Step 2: Trust the Root CA

Installing your root CA in the system trust store is what makes all its signed certificates automatically trusted.

  1. Go to the Trust Store page in the sidebar
  2. Find your new root CA and click Install
  3. Approve the system prompt — this requires administrator access

Note

You do this once per machine. Any device that needs to trust certificates issued by this root CA must have it installed in its trust store.

Step 3: Issue a Signed Certificate

Signed certificates are created from a root CA's detail panel on the Authorities page.

  1. Go to the Authorities page and select your root CA
  2. Click Create Signed Certificate at the bottom of the detail panel
  3. Fill in the fields:
    • Common Name (CN) — the primary name for the certificate (e.g. dev.local)
    • Subject Alternative Names (SANs) — add each hostname or IP using the DNS/IP type selector (e.g. dev.local, 192.168.1.10)
    • Validity — keep this at or below 397 days; the app defaults to 397
  4. Click Create signed certificate — SelfCertForge issues it, signed by your root CA

The new certificate is immediately trusted by Chrome, Safari, and system services on any machine where your root CA is installed.

Step 4: Export and Use the Certificate

  1. Go to the Certificates page and select your new certificate
  2. Open the Actions menu and choose your format:
    • PFX — for most web servers and .NET applications
    • PEM — for nginx, Apache, or anything that accepts separate cert and key files
    • DER — for Java, Android, or binary-format consumers
    • P7B — for Windows IIS or certificate chain bundles
  3. Place the exported files where your service expects them
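
After a PEM export, you can check the certificate against the properties set in Step 3 before deploying it: that it chains to your root CA, that its lifetime is at most 397 days, and that the name clients will connect to is in the SANs. The script below is an added example, not part of SelfCertForge; the function names and file paths are hypothetical, and `make_sample` builds constructed stand-in certificates with openssl so the check can be tried without an app export.

```bash
#!/usr/bin/env bash
# Added example, not SelfCertForge code. Assumes openssl 1.1.1+ and GNU date
# (on macOS, gdate from Homebrew coreutils). Names and paths are hypothetical.

# check_leaf ROOT_PEM LEAF_PEM NAME
# Returns 0 if all checks pass, 1 bad chain, 2 lifetime > 397 days, 3 NAME not in SANs.
check_leaf() {
  local root=$1 leaf=$2 name=$3 nb na days
  # 1. The leaf must chain to the root that is installed in the trust store.
  openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 || return 1
  # 2. Lifetime is notAfter minus notBefore, not the time remaining from today.
  nb=$(openssl x509 -in "$leaf" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$leaf" -noout -enddate | cut -d= -f2)
  days=$(( ($(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s)) / 86400 ))
  [ "$days" -le 397 ] || return 2
  # 3. Exact match against SAN entries only (no CN fallback, no wildcards, IPv4 only).
  openssl x509 -in "$leaf" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    grep -qixF -e "DNS:$name" -e "IP Address:$name" || return 3
}

# make_sample DIR DAYS
# Constructed stand-in for an app export: throwaway root plus a leaf valid DAYS days.
make_sample() {
  local d=$1 days=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=homelab-root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dev.local" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:dev.local,IP:192.168.1.10\n' > "$d/san.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days "$days" -extfile "$d/san.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Usage: ./check_leaf.sh root.pem leaf.pem dev.local
if [ "$#" -eq 3 ]; then
  check_leaf "$@" && echo "OK: chain, lifetime and SAN checks passed"
fi
```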

What's next

When a certificate nears expiry (the dashboard and certificate list show expiry warnings), forge a replacement on the Certificates page. Because your root CA is already trusted, the replacement is automatically accepted — no changes to your trust store needed.
