In the last tutorial we went over the basics of SSL certificates: https://www.theswdeveloper.com/post/understaning-ssl-certificates
In this tutorial we'll see how to generate a new certificate, both self-signed and CA-signed.
We'll use OpenSSL, which is currently the most powerful SSL library out there.
Creation process
How to generate a self-signed certificate
Generate private key.
Generate Certificate Signing Request (CSR).
Sign the CSR using our private key.
How to generate a CA signed certificate
Generate a self-signed certificate and a private key - this will be the CA that will sign our end-user certificate.
Generate private key.
Generate Certificate Signing Request (CSR).
Sign the CSR using the CA's private key.
Note: a CA can be either a local CA managed by us or our organization, or a global CA managed by an outside company and trusted by all browsers and operating systems.
For a global CA to sign our CSR we will need to prove ownership of our domain.
There are a few ways to do so; the most popular ones are email, a DNS TXT record, an HTTP challenge and a CNAME record.
Generate a self-signed certificate
1. Generate a private key
openssl genrsa -out private-key.pem 2048
2. Generate CSR
openssl req -new -key private-key.pem -out csr.pem
We will need to provide the following parameters:
a. Country Name: a two-letter country code, e.g. US
b. State or Province Name
c. Locality Name: city
d. Organization Name
e. Organizational Unit Name
f. Common Name: a fully qualified domain name (FQDN), or in other words the domain, e.g. theswdeveloper.com
g. Email Address
3. Sign that CSR
openssl x509 -req -days 365 -in csr.pem -signkey private-key.pem -sha256 -out cert.pem
At this point we should have a cert.pem and a private-key.pem, and we need to keep both. The certificate is a public entity which we can share with anyone; the private key should remain private and be kept in a secured place.
By the way, we can generate the private key and the self-signed certificate using a single command (-nodes leaves the private key unencrypted on disk):
openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 -out cert.pem -keyout private-key.pem
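The three steps above, as an added example that is not part of the original post: the same commands run without the interactive prompts (-subj supplies the distinguished-name fields), followed by the two checks worth doing before the files are deployed, namely that the certificate's public key really belongs to the private key next to it and that the certificate validates as its own trust anchor. The directory, the CN value and the DN fields are assumptions of this example; it needs the openssl CLI (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl 1.1.1+ on PATH.
set -eu

# make_self_signed DIR CN: writes private-key.pem, csr.pem and cert.pem into DIR
# using the same three commands as the tutorial, with -subj replacing the prompts.
make_self_signed() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # 1. private key (2048-bit RSA, as in the tutorial)
    openssl genrsa -out "$dir/private-key.pem" 2048 2>/dev/null
    # 2. CSR; the DN fields here are placeholder values for the example
    openssl req -new -key "$dir/private-key.pem" -out "$dir/csr.pem" \
        -subj "/C=US/ST=California/L=Some City/O=Some Org/OU=Dev/CN=$cn" 2>/dev/null
    # 3. sign the CSR with our own private key
    openssl x509 -req -days 365 -in "$dir/csr.pem" -signkey "$dir/private-key.pem" \
        -sha256 -out "$dir/cert.pem" 2>/dev/null
}

# cert_matches_key CERT KEY: exit 0 only when the public key embedded in CERT is
# the one derived from KEY (compared via the SHA-256 of their PEM encodings).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_subject_cn CERT: prints the CN from the certificate's subject field.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# self_signed_is_valid CERT: exit 0 when CERT verifies with itself as the only
# trust anchor, i.e. the signature is correct and the validity window is open.
self_signed_is_valid() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: make_self_signed ./certs example.com \
#        && cert_matches_key ./certs/cert.pem ./certs/private-key.pem \
#        && self_signed_is_valid ./certs/cert.pem && echo "certificate and key are consistent"
```

The key/certificate comparison is the check to run whenever a certificate and key are copied around separately: a certificate installed next to the wrong private key fails only at TLS handshake time, which is much harder to diagnose than a mismatch reported here.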
Generate a CA-signed certificate
This process shows how to generate a CA-signed certificate with Subject Alternative Names (SANs).
1. Generate a self-signed certificate - this will be the CA certificate
openssl req -x509 -sha256 -days 720 -nodes -newkey rsa:2048 -out caCert.pem -keyout caKey.pem
2. Generate a private key for the end user certificate
openssl genrsa -out user-private-key.pem 2048
3. Generate CSR for the end user certificate
openssl req -new -key user-private-key.pem -out user-csr.pem
4. Sign the CSR with the CA certificate and CA private key
First we need to create a .cnf configuration file listing the domains we want our certificate to cover.
Paste the following content into a file named req.cnf.
* Make sure to put your own domains in the DNS.1 and DNS.2 values.
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = us
ST = california
L = some city
O = some org
OU = example org unit
CN = example.website.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.website.com
DNS.2 = example.website.com
Then run the following command
openssl x509 -req -in user-csr.pem -days 365 -CA caCert.pem -CAkey caKey.pem -out user-cert.pem -set_serial 11111 -extensions v3_req -extfile req.cnf
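The four steps above, as an added example that is not part of the original post, run end-to-end without prompts and followed by the checks a practitioner wants afterwards: that the leaf certificate chains to the CA, that it carries the intended SAN entries, and that a given hostname is actually covered (which is what a TLS client checks). Assumptions of this example, not of the post: both the CA and the leaf take their distinguished names from config files written at run time (so no default openssl.cnf is needed), the CA certificate is explicitly marked basicConstraints CA:TRUE with keyCertSign, the leaf is marked CA:FALSE, and -CAcreateserial replaces the fixed -set_serial 11111 so that two certificates issued by the same CA can never share a serial number. It needs the openssl CLI, 1.1.1 or later, on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl 1.1.1+ on PATH.
set -eu

# write_ca_cnf FILE: config for the self-signed CA certificate (step 1).
# DN values are placeholders for the example.
write_ca_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
C = US
O = Example Local CA
CN = Example Local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# write_leaf_cnf FILE DOMAIN: the tutorial's req.cnf shape, with the domain
# supplied as a parameter and CA:FALSE added to the leaf extensions.
write_leaf_cnf() {
    cat > "$1" <<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = US
O = Some Org
CN = example.$2
[v3_req]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.$2
DNS.2 = example.$2
EOF
}

# issue_chain DIR DOMAIN: steps 1-4 of the tutorial; leaves caCert.pem, caKey.pem,
# user-private-key.pem, user-csr.pem and user-cert.pem in DIR.
issue_chain() {
    dir="$1"; domain="$2"
    mkdir -p "$dir"
    write_ca_cnf "$dir/ca.cnf"
    write_leaf_cnf "$dir/req.cnf" "$domain"
    # 1. CA certificate and private key (self-signed)
    openssl req -x509 -sha256 -days 720 -nodes -newkey rsa:2048 -config "$dir/ca.cnf" \
        -out "$dir/caCert.pem" -keyout "$dir/caKey.pem" 2>/dev/null
    # 2. private key for the end-user certificate
    openssl genrsa -out "$dir/user-private-key.pem" 2048 2>/dev/null
    # 3. CSR for the end-user certificate, DN taken from req.cnf
    openssl req -new -key "$dir/user-private-key.pem" -config "$dir/req.cnf" \
        -out "$dir/user-csr.pem" 2>/dev/null
    # 4. sign with the CA; the SAN extension comes from [v3_req] in req.cnf
    openssl x509 -req -in "$dir/user-csr.pem" -days 365 -sha256 \
        -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" -CAcreateserial \
        -extensions v3_req -extfile "$dir/req.cnf" -out "$dir/user-cert.pem" 2>/dev/null
}

# verify_for_host DIR HOST: exit 0 only when the leaf chains to the CA and HOST
# matches one of its SAN entries (wildcards included), as a TLS client would check.
verify_for_host() {
    openssl verify -CAfile "$1/caCert.pem" -verify_hostname "$2" \
        "$1/user-cert.pem" >/dev/null 2>&1
}

# cert_sans CERT: prints the SAN entries of CERT on one line without spaces,
# e.g. DNS:*.website.com,DNS:example.website.com
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | tr -d ' '
}

# Usage: issue_chain ./pki website.com \
#        && verify_for_host ./pki www.website.com && echo "www.website.com is covered"
```

Two points from the run are worth keeping in mind. A wildcard entry such as *.website.com covers www.website.com but not the bare website.com, which is why the tutorial's req.cnf lists the apex-style name separately in DNS.2. And since the signing step does not read the CSR's own extensions, whatever is in [v3_req] of the extfile is what ends up in the certificate; the CSR only contributes the public key and subject.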
Issue certificate through a global CA
When we need a certificate for the public web (e.g. for our website), we must issue it through one of the globally trusted CAs (e.g. Let's Encrypt, DigiCert).
Usually we will not need to run any OpenSSL commands at all; sometimes we will be asked to create only the private key and the CSR.
Once we have the CSR we need to send it to the CA, together with the server and domain information.
Once the CA receives the request, we will need to prove our ownership of the domain.
In the next tutorial we will see how we can parse the content of the certificate and the CSR.