Step-by-Step Guide to Creating a Self-Signed SSL Certificate - Simple OpenSSL Command to Generate Self Signed Certificate | SSL Certificates | TLS Certificates #linuxtopic

Linuxtopic
In today's digital age, security and trust are of paramount importance for both individuals and businesses alike. One crucial aspect of maintaining security and establishing trust online is through the implementation of SSL certificates.

Generate Self-Signed SSL Certificate 

Here I will provide a comprehensive guide with all the essential information for creating an SSL certificate.

In this post I will cover the points below:

  1. CA Certificates  
    1. Create Private Key 
    2. Create CA Certificate
  2. CSR (Certificate Signing Request) 
    1. Creating a CSR - Using Input during the execution
    2. Creating a CSR - Using Template
  3. Signing Certificate Templates 
    1. Creating Signing Certificate Templates 
  4. Certificate 
    1. Creating Private Key
    2. Creating Digital Certificates 
  5. Validation 
Tools 
        OpenSSL
        Text Editor ( VI or Nano ) 

1 - CA - Certificate Authority 
CA stands for Certificate Authority. It is a trusted organization that issues digital certificates and verifies that the public key belongs to the subject of the certificate.

Step 1 - 

To generate the private key for CA

openssl genrsa -out rootCA.key -des3 4096

Enter PEM pass phrase: *******
Verifying - Enter PEM pass phrase: *******

OpenSSL requires a pass phrase to protect the key, so enter one and then enter it again to verify it.



Step 2 - 

To Generate CA certificate

openssl req -x509 -new -nodes -key <key name> -sha256 -days <no of day> -out <CA cert name>

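Command explanation 
openssl         - the command 
req -x509     - X.509 is the certificate standard; this option outputs a self-signed certificate instead of a certificate request 
-new -nodes -key <key name> - create a new certificate using the existing private key <key name>; -nodes (do not encrypt the key) has no effect here because no new key is generated 
-sha256  - hash (digest) algorithm used to sign the certificate 
-days <no of days> - validity of the CA certificate; in this example I will generate it for 5 years (365x5=1825) 
-out <certificate name> - the CA certificate file name 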

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.crt

Enter pass phrase for rootCA.key: <provide the rootCA.key password>

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Madhya Pradesh
Locality Name (eg, city) []:Indore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:linuxtopic
Organizational Unit Name (eg, section) []:Server Security
Common Name (e.g. server FQDN or YOUR name) []:LinuxTopic RootCA WebSecurity
Email Address []:email@linuxtopic.com

Note: the details above are only an example; change them to suit your organization, website or application.



Step 3 - 


CSR - Certificate Signing Request 

A CSR is an encoded file containing the information that goes into the certificate subject (domain, country, state, organization details, email), the public key, and so forth.

       A - To create a CSR using a template - Click Here
       B - To generate a CSR using input

openssl req -new -newkey rsa:2048 -keyout <private key name> -sha256 -nodes -out <csr file name>

This command generates a new private key along with the CSR for the server/client SSL/TLS certificate. Because of -nodes, the private key is written without a pass phrase.

openssl req -new -newkey rsa:2048 -keyout linuxtopic.key -sha256 -nodes -out linuxtopic.csr

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Madhya Pradesh
Locality Name (eg, city) []:Indore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LinuxTopic
Organizational Unit Name (eg, section) []:SRE
Common Name (e.g. server FQDN or YOUR name) []:linuxtopic.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note: the details above are only an example; change them to suit your organization, website or application.


Step 4 -
Signing Certificate Templates 

We will create a file of signing extensions and pass it to OpenSSL when the certificate is created.
vi ca_sign_template.conf
#
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
# Subject Alternative Names (SAN): to put multiple domains in the certificate, uncomment the lines below and set DNS.1, DNS.2, ... DNS.100
# SAN support for up to 100 domains
#subjectAltName = @alt_names
#[alt_names]
#DNS.1 = the-company.com
Note: Here, I'm not adding SAN because we are generating a single-domain certificate.

Step 5 - 

To Generate Certificate and Private key 

openssl x509 -req -CAkey <existing rootCA.key> -CA <existing rootCA.crt> -in <CSR file linuxtopic.csr> -out <certificate name linuxtopic.crt> -days <validity of certificate> -CAcreateserial -extfile <signing file ca_sign_template.conf>

Here, 

        -CAkey rootCA.key  =   rootCA private key
        -CA rootCA.crt  =   rootCA certificate file
        -in linuxtopic.csr  = our CSR file 
        -out linuxtopic.crt  = certificate file name
        -days 374 = validity of the certificate; we are generating it for 13 months 
        -CAcreateserial = create the CA serial number file (rootCA.srl) if it does not exist and use it for the certificate's serial number 
        -extfile ca_sign_template.conf = CA signing template 

openssl x509 -req -CAkey rootCA.key -CA rootCA.crt -in linuxtopic.csr -out linuxtopic.crt -days 374 -CAcreateserial -extfile ca_sign_template.conf
Certificate request self-signature ok
subject=C = IN, ST = Madhya Pradesh, L = Indore, O = LinuxTopic P\08, OU = SRE, CN = linuxtopic.com
Enter pass phrase for rootCA.key: ****** #Provide the rootCA private key password 

Step 6 - 

Validation 

We can validate the content of the certificate using the openssl command. Here is the command and its output:

root@linuxtopic:~# openssl x509 -in linuxtopic.crt -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            58:17:76:44:55:16:7f:cd:e2:8a:57:be:66:dd:b3:da:60:02:db:51
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Madhya Pradesh, L = Indore, O = linuxtopic, OU = Server Security, CN = LinuxTopic RootCA WebSecurity, emailAddress = email@linuxtopic.com
        Validity
            Not Before: Sep 15 11:54:23 2023 GMT
            Not After : Sep 23 11:54:23 2024 GMT
        Subject: C = IN, ST = Madhya Pradesh, L = Indore, O = LinuxTopic P\08, OU = SRE, CN = linuxtopic.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                20:88:A3:8D:45:66:F7:C7:A6:3F:D3:27:D7:B7:A0:75:D3:FA:B9:0C
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                F6:A3:CA:D6:9D:AB:A2:29:7B:1D:70:D9:04:D8:49:3C:11:19:74:CC
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
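
Step 6 only prints the certificate. As an added example (not from the original post), the script below repeats Steps 1 to 5 non-interactively and then checks what a client will check: the chain to rootCA.crt, the host name, CA:FALSE, and that the certificate matches its private key. The names demo.example and Demo Org, the file names, the pass phrase and the functions make_demo_pki and check_leaf are assumptions; unlike the post it uses -aes256 for the CA key and adds a SAN entry, since current browsers match host names against SAN rather than CN.

```shell
#!/bin/sh
# Added example, not from the original post. Subject names, file names and the
# pass phrase are constructed demo values; a real CA pass phrase should not be
# passed on the command line.

make_demo_pki() (   # $1 = scratch directory; body runs in a subshell
    cd "$1" || exit 1
    # Steps 1-2: encrypted CA key (AES-256 here instead of -des3) and CA cert.
    openssl genrsa -aes256 -passout pass:demo-only -out rootCA.key 4096 2>/dev/null || exit 1
    openssl req -x509 -new -key rootCA.key -passin pass:demo-only -sha256 \
        -days 1825 -subj "/O=Demo Org/CN=Demo Root CA" -out rootCA.crt || exit 1
    # Step 3: server key and CSR; -subj replaces the interactive prompts.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout server.key \
        -subj "/O=Demo Org/CN=demo.example" -out server.csr 2>/dev/null || exit 1
    chmod 600 server.key   # -nodes leaves this key unencrypted on disk
    # Step 4: signing template with a SAN entry for the host name.
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
        'subjectAltName=@alt_names' '[alt_names]' 'DNS.1=demo.example' > sign.conf
    # Step 5: sign the CSR with the CA key.
    openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -passin pass:demo-only \
        -CAcreateserial -in server.csr -out server.crt -days 374 -sha256 \
        -extfile sign.conf 2>/dev/null
)

check_leaf() (      # $1 = directory, $2 = host name the client connects to
    cd "$1" || exit 1
    # Chain and host name: must verify against rootCA.crt for this name.
    openssl verify -CAfile rootCA.crt -verify_hostname "$2" server.crt 2>/dev/null \
        | grep -q ': OK$' || { echo "fail:chain-or-hostname"; exit 1; }
    # Extensions: the leaf must not be a CA and must carry the name as a SAN.
    text=$(openssl x509 -in server.crt -noout -text)
    echo "$text" | grep -q 'CA:FALSE' || { echo "fail:basic-constraints"; exit 1; }
    echo "$text" | grep -q "DNS:$2" || { echo "fail:no-san"; exit 1; }
    # Key pair: the certificate's public key must match server.key.
    [ "$(openssl x509 -in server.crt -noout -pubkey)" = \
      "$(openssl pkey -in server.key -pubout)" ] || { echo "fail:key-mismatch"; exit 1; }
    echo ok
)

# Run the whole flow in a throwaway directory and report the result.
demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" &&
    echo "demo.example: $(check_leaf "$demo_dir" demo.example)"
rm -rf "$demo_dir"
```
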


Thank you!! 
I hope this topic gave you all the information you needed. If you have any further questions or would like more detailed directions feel free to contact us using any of the following sources. We look forward to talking to you.
