In today's digital age, security and trust are of paramount importance for both individuals and businesses alike. One crucial aspect of maintaining security and establishing trust online is through the implementation of SSL certificates.
Generate CSR file using CSR config template
Tags: create a self signed certificate; create ssl certificate; create a certificate signing request; create CSR; SSL Certificate; TLS Certificate; SSL; TLS
This post is a step-by-step guide to creating a TLS/SSL certificate with OpenSSL: a private root CA, a CSR built from a config file, and a server certificate signed by that CA.
In this post I will cover the points below
- CA Certificates
- Create Private Key
- Create CA Certificate
- CSR ( Certificate Signing Request )
- Creating a CSR - Using Input during the execution
- Creating a CSR - Using Template
- Signing Certificate Templates
- Creating Signing Certificate Templates
- Certificate
- Creating Private Key
- Creating Digital Certificates
- Validation
Tools
OpenSSL
Text Editor ( VI or Nano )
1 - CA - Certificate Authority
CA stands for Certificate Authority: a trusted entity that issues digital certificates, vouching that the public key in a certificate belongs to the subject named in it. In this guide we act as our own (private) CA, so the certificates it issues are trusted only by clients that have rootCA.crt in their trust store.
Step 1 -
To generate the private key for the CA. The -des3 option encrypts the key file under a passphrase; -aes256 does the same with a modern cipher and is the better choice today. Whoever holds this key can issue certificates that your clients trust, so keep it offline and restrict access to the file.
openssl genrsa -out rootCA.key -des3 4096
Enter PEM pass phrase: *******
Verifying - Enter PEM pass phrase: *******
To generate the CA certificate
openssl req -x509 -new -nodes -key <key name> -sha256 -days <no of days> -out <CA cert name>
Command explanation
openssl - the command
req - the certificate request subcommand; -x509 makes it output a self-signed certificate instead of a CSR
-new - build a new request, prompting for the Distinguished Name
-key <key name> - sign with the existing private key (rootCA.key) instead of generating a new one; -nodes only matters when req generates a key itself and is harmless here
-sha256 - the message digest used in the signature (it is not an encryption algorithm)
-days <no of days> - the validity period of the CA certificate; in this example 5 years ( 365x5=1825 )
-out <certificate name> - the CA certificate file name
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.crt
Enter pass phrase for rootCA.key: <provide the rootCA.key password>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Madhya Pradesh
Locality Name (eg, city) []:Indore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:linuxtopic
Organizational Unit Name (eg, section) []:Server Security
Common Name (e.g. server FQDN or YOUR name) []:LinuxTopic RootCA WebSecurity
Email Address []:email@linuxtopic.com
Note: the details above are only an example; change them to match your organisation, site or application.
CSR - Certificate Signing Request -
A CSR is a PEM-encoded (Base64 DER) file that carries the subject of the requested certificate (domain/common name, country, state, locality, organization, email and so on), the subject's public key and any requested extensions such as subjectAltName, the whole thing signed with the matching private key as proof of possession. The private key itself stays with the requester; only the CSR is sent to the CA.
B - Using CSR Template / CSR Config File
Here we create a config file that carries the certificate information, based on the options below. openssl req only reads the section named req (or the one given with -section in OpenSSL 3.0+), so these options must sit under that header.
Options of CSR config files
# RSA key size (bits) used when req generates the key
default_bits = 2048
# MD stands for message digest: the hash used in the CSR signature ( sha256; md5 and sha1 are no longer accepted by CAs )
default_md = sha256
# Allow UTF-8 & Emit UTF-8 strings in the DN
utf8 = yes
string_mask = utf8only
# Prompt for the DN interactively (yes) or take it from the distinguished_name section (no)
prompt = yes
# Section holding the certificate owner (subject) details
distinguished_name = dn_details
# Section holding the requested extensions, here a subjectAltName (SAN) listing the host names the certificate is for
req_extensions = reqext
Final Content of CSR conf file
[ req ]
encrypt_key = yes
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = dn_details
req_extensions = reqext
[ dn_details ]
C = IN
ST = Madhya Pradesh
L = Indore
O = LinuxTopic
OU = SRE TEAM
emailAddress = email@linuxtopic.com
CN = linuxtopic.com
[ reqext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = linuxtopic.com
DNS.1 = test.linuxtopic.com
Step 4 -
Generate a CSR using the template - save the above content as csr.conf
vi csr.conf
To generate the CSR (together with a fresh 2048-bit private key) from the conf file
openssl req -new -newkey rsa:2048 -keyout linuxtopic.key -sha256 -nodes -out linuxtopic.csr -config csr.conf
Do not add -subj here: -subj replaces the whole Distinguished Name from dn_details, so a request made with -subj "/CN=LinuxTopic RootCA WebSecurity" ends up with only that CN (the root CA's name, not the server's), which is what the CSR dump further down shows. -nodes leaves linuxtopic.key unencrypted, overriding encrypt_key = yes; a web server needs that to start unattended, so protect the file with permissions ( chmod 600 ) instead.
How to verify the CSR file - this checks the self-signature and prints the contents; confirm that the Subject and the Requested Extensions (the SAN) are what you intend before sending the CSR to a CA
openssl req -text -noout -verify -in linuxtopic.csr
Certificate request self-signature verify OK
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = LinuxTopic RootCA WebSecurity
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:93:84:39:c8:f9:f5:53:86:af:97:89:d0:cc:95:
3e:32:c6:74:48:43:af:91:21:18:a2:75:16:25:85:
e3:d5:13:3e:5e:27:10:08:32:2a:86:ab:c9:78:63:
02:85:23:e9:81:3f:bb:83:62:e2:f4:bf:c5:77:91:
c9:f3:b1:dc:50:ca:d1:e9:d7:25:63:77:f5:4a:d4:
03:5d:3a:d9:97:ca:d4:c0:a4:0d:dd:63:60:99:f8:
d8:f1:73:f7:e0:a8:bf:31:a5:5a:89:33:15:d6:a8:
6d:92:2a:dd:9c:27:a7:92:27:94:1d:02:d7:b6:72:
21:7c:4e:1d:9e:03:02:a1:6c:b4:18:a5:1f:40:a4:
2b:4b:9f:40:e0:26:81:b8:b7:9d:9d:e9:ef:3c:2c:
a7:32:26:9f:a0:d1:05:0a:63:cd:22:b5:0b:20:be:
d8:42:42:a0:a7:5c:18:68:ff:8c:c8:95:1b:ca:75:
b2:81:c0:9e:23:f1:81:51:a6:6f:d5:bd:90:96:b9:
6c:1b:ad:0e:5d:77:69:b4:be:2b:25:fe:c7:cb:23:
c1:8b:fd:be:b2:0a:0b:fd:2e:53:06:cf:24:9e:7d:
d4:45:b1:1e:0d:fe:bb:41:8f:33:e8:07:0a:74:7e:
b4:c6:84:40:07:71:44:32:27:db:3f:4d:b1:f3:00:
39:c9
Exponent: 65537 (0x10001)
Attributes:
(none)
Requested Extensions:
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
78:fb:eb:34:52:13:b9:a0:47:a9:50:bd:d3:dc:d1:a7:3a:02:
11:b8:36:38:81:60:ad:f9:08:b9:59:08:ae:f2:52:27:3f:39:
17:51:a8:28:de:ff:0b:a6:16:b3:b8:34:02:37:8b:c3:9f:1e:
fa:86:87:d1:71:b6:fe:b7:42:e1:c9:d1:08:13:1e:28:51:23:
a2:bd:62:7e:dc:75:6d:a3:31:c0:ab:8c:1e:19:b8:b8:c6:ca:
5c:4f:03:32:50:ec:e5:ff:39:56:df:aa:cf:a9:86:63:30:24:
c8:cb:c9:1d:da:ea:3e:ec:73:6e:1a:27:27:93:67:96:9f:1d:
55:ee:28:3d:e3:5c:e2:35:e2:03:05:aa:e3:75:2c:10:1c:71:
ca:38:53:3d:63:cc:69:00:68:73:43:94:38:cd:28:ac:cf:3b:
13:71:ba:2b:33:ed:4a:2f:bb:11:85:6a:5e:ae:d0:48:4a:6c:
67:97:8d:bc:12:74:ff:39:d1:c9:74:27:9a:b4:60:be:99:9b:
12:3b:5b:e1:28:1f:3f:ef:91:7f:a9:3b:bf:e2:25:5d:71:6f:
aa:a0:3c:e0:be:9c:04:14:ad:7e:69:a4:1e:03:2d:02:b0:0a:
cb:3e:1c:15:11:70:b5:13:e4:9e:19:eb:2e:df:48:63:ab:25:
08:66:28:60
Step 5 -
Create the signing template: the extensions the CA will put into the issued certificate. Save the content below as ca_sign_template.conf and pass it with -extfile when signing.
vi ca_sign_template.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
basicConstraints=CA:FALSE prevents the issued certificate from being used to sign further certificates, and authorityKeyIdentifier links it to the root. Note that openssl x509 -req does not copy extensions from the CSR, so with only these two lines the certificate has no subjectAltName. Modern browsers ignore the CN and require a SAN, so for a server certificate add subjectAltName ( plus keyUsage and extendedKeyUsage = serverAuth ) to this file, or pass -copy_extensions copy ( OpenSSL 3.0+ ) to carry them over from the CSR.
Step 6 -
To generate the certificate from the CSR, signed by the root CA ( the server's private key was already created together with the CSR )
openssl x509 -req -CAkey <existing rootCA.key> -CA <existing rootCA.crt> -in <CSR File linuxtopic.csr> -out <certificate name linuxtopic.crt> -days <validity of certificate> -CAcreateserial -extfile <signing file ca_sign_template.conf>
Here,
-CAkey rootCA.key = rootCA private key
-CA rootCA.crt = rootCA certificate file
-in linuxtopic.csr = our CSR file
-out linuxtopic.crt = certificate file name
-days 374 = validity of the certificate, a little over 12 months here ( publicly trusted certificates are capped at 398 days; a private CA may choose, but shorter is safer )
-CAcreateserial = create the serial number file ( rootCA.srl, next to the CA certificate ) if it does not exist and use it for the certificate's serial number
-extfile ca_sign_template.conf = CA signing template
openssl x509 -req -CAkey rootCA.key -CA rootCA.crt -in linuxtopic.csr -out linuxtopic.crt -days 374 -CAcreateserial -extfile ca_sign_template.conf
Certificate request self-signature ok
subject=C = IN, ST = Madhya Pradesh, L = Indore, O = LinuxTopic, OU = SRE, CN = linuxtopic.com
Enter pass phrase for rootCA.key: ****** # provide the rootCA private key passphrase
We can check the content of the issued certificate with openssl; here is the command and its output. Confirm that the Issuer is the root CA, the Validity is what you asked for, Basic Constraints says CA:FALSE and, for a server certificate, that a Subject Alternative Name is present.
Step 7
Validation
openssl x509 -in linuxtopic.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
41:96:89:3a:d7:f9:77:23:ed:4e:ea:af:94:51:ff:73:64:e3:4c:f0
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = Madhya Pradesh, L = Indore, O = linuxtopic, OU = Server Security, CN = LinuxTopic RootCA WebSecurity, emailAddress = lokesh@linuxtopic.com
Validity
Not Before: Sep 16 10:40:01 2023 GMT
Not After : Sep 24 10:40:01 2024 GMT
Subject: CN = LinuxTopic RootCA WebSecurity
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:93:84:39:c8:f9:f5:53:86:af:97:89:d0:cc:95:
3e:32:c6:74:48:43:af:91:21:18:a2:75:16:25:85:
e3:d5:13:3e:5e:27:10:08:32:2a:86:ab:c9:78:63:
02:85:23:e9:81:3f:bb:83:62:e2:f4:bf:c5:77:91:
c9:f3:b1:dc:50:ca:d1:e9:d7:25:63:77:f5:4a:d4:
03:5d:3a:d9:97:ca:d4:c0:a4:0d:dd:63:60:99:f8:
d8:f1:73:f7:e0:a8:bf:31:a5:5a:89:33:15:d6:a8:
6d:92:2a:dd:9c:27:a7:92:27:94:1d:02:d7:b6:72:
21:7c:4e:1d:9e:03:02:a1:6c:b4:18:a5:1f:40:a4:
2b:4b:9f:40:e0:26:81:b8:b7:9d:9d:e9:ef:3c:2c:
a7:32:26:9f:a0:d1:05:0a:63:cd:22:b5:0b:20:be:
d8:42:42:a0:a7:5c:18:68:ff:8c:c8:95:1b:ca:75:
b2:81:c0:9e:23:f1:81:51:a6:6f:d5:bd:90:96:b9:
6c:1b:ad:0e:5d:77:69:b4:be:2b:25:fe:c7:cb:23:
c1:8b:fd:be:b2:0a:0b:fd:2e:53:06:cf:24:9e:7d:
d4:45:b1:1e:0d:fe:bb:41:8f:33:e8:07:0a:74:7e:
b4:c6:84:40:07:71:44:32:27:db:3f:4d:b1:f3:00:
39:c9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
20:88:A3:8D:45:66:F7:C7:A6:3F:D3:27:D7:B7:A0:75:D3:FA:B9:0C
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
EF:62:FA:DA:FD:3A:20:49:D9:FE:36:FE:48:B9:75:39:5E:04:7B:DF
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
48:7f:ef:ce:4e:ce:8c:8c:d3:4b:40:65:15:20:53:7e:26:9b:
32:c6:9c:9d:a2:24:6e:95:8e:1e:0c:95:3b:56:76:54:07:62:
f2:14:4f:26:21:93:f8:8f:a2:35:88:98:77:51:bf:7b:53:cc:
a3:9c:1c:9d:d9:c4:1d:ed:2e:c6:4e:f2:cc:49:b5:d1:7c:a1:
4e:3d:f2:f1:78:b2:5c:62:15:20:11:cb:9a:77:60:75:67:81:
b0:6f:49:cb:16:67:b8:3f:49:7f:ec:f7:0a:c7:4a:f9:86:e4:
96:a6:c9:08:9e:f6:91:0b:94:f4:26:2a:53:26:38:71:81:5c:
f2:2f:42:f7:98:a3:59:0c:08:4f:25:59:93:dd:9f:64:6a:51:
d9:ec:ab:92:d2:a4:a6:eb:e0:e5:bc:0c:05:30:fb:4b:b4:5a:
e5:91:c9:27:75:22:70:b5:84:f7:4f:cf:5e:9d:9e:f2:61:d8:
09:8e:8b:e4:81:17:ab:7f:b5:07:d6:31:a4:14:f7:5c:44:a9:
9d:d5:5b:ad:da:2e:65:d6:29:58:95:5d:ef:e6:ab:36:25:9b:
f0:cc:7e:e2:0f:aa:18:f3:ff:17:0c:55:cf:9e:76:b3:37:ce:
68:ce:0b:e9:86:eb:06:08:b2:bb:eb:41:93:be:bd:44:ba:30:
cc:4e:6b:3a:c9:e8:8e:6d:65:13:7b:c0:24:cd:c0:60:d6:6d:
98:e2:7f:e0:6b:2a:31:34:af:d6:ed:ab:38:a8:59:ce:d1:d5:
30:4a:c5:02:c5:e9:a6:98:40:03:13:5f:8f:49:fe:bd:56:a4:
74:c0:08:f3:ac:fa:b1:47:c6:86:b8:ba:cc:bc:be:09:43:72:
f3:b4:8d:a0:74:d8:7a:00:39:50:d9:51:fb:ed:f8:62:7a:23:
36:ac:dc:6a:b2:06:53:87:c2:18:3c:6e:4e:39:e1:b5:a3:a9:
50:a6:55:8c:f6:9e:0d:14:55:33:4f:5e:cf:09:11:b2:0f:b0:
6f:65:59:9c:fe:a8:55:5b:94:78:2f:71:f8:fd:48:d9:c8:4c:
f2:72:5a:62:8b:5e:19:f7:34:78:fd:c1:27:0c:f1:81:59:cd:
f2:19:1c:21:e1:59:4f:6f:df:d6:55:ba:17:4c:45:8b:d4:c1:
57:97:13:99:79:39:9c:e0:7e:bc:eb:da:d2:fa:03:fb:f1:fb:
01:23:24:39:d8:55:cd:92:13:2a:9d:40:1a:ca:8c:b5:2b:33:
02:82:01:4f:ad:3b:60:5d:3a:e4:a6:1f:a0:c8:07:c2:0a:db:
d3:6c:54:cc:22:23:e8:cf:b0:0b:7c:47:cb:1e:04:9f:47:a2:
00:05:f7:23:d8:49:ac:4f
How to verify the certificate's private key | How to read a private key
openssl rsa -check -in linuxtopic.key -text
-check verifies that the RSA key components are consistent, and -text prints them; add -noout to suppress the PEM key itself. This output contains the private key, so never paste it into a ticket or chat.
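The whole procedure on this page, as an added example that is not code from the original post: a private root CA, a CSR whose subject and subjectAltName come from a config file (the Step 4 section shows why -subj must not be used), a CA-signed server certificate with the SAN restated in the signing template, and then the checks that matter before deployment, including a hostname check against the SAN and a check that the private key really belongs to the certificate. It assumes OpenSSL 1.1.1 or newer on PATH; the file names, section names and demo passphrase are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes OpenSSL >= 1.1.1.
# All file names, section names and the passphrase below are this example's own.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_PASS='demo-only-passphrase'   # a real CA passphrase is typed at the terminal, never stored in a script

build_pki() {
    # 1. Root CA key, encrypted with AES-256 (the post uses -des3, a legacy cipher).
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/rootCA.key" 4096 2>/dev/null

    # 2. Self-signed root certificate: DN from [dn_ca] (prompt = no),
    #    extensions from [v3_ca] marking it as a CA that may only sign certs/CRLs.
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn_ca
x509_extensions    = v3_ca
[ dn_ca ]
C  = IN
O  = LinuxTopic
CN = LinuxTopic RootCA WebSecurity
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -key "$WORK/rootCA.key" -passin "pass:$CA_PASS" -sha256 -days 1825 \
        -config "$WORK/ca.cnf" -out "$WORK/rootCA.crt"

    # 3. Server key + CSR. The section must be named [ req ] (a section called
    #    [ request_csr ] is never read), req_extensions must name a real section,
    #    and the host names go under subjectAltName, one per line.
    cat > "$WORK/leaf.cnf" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
utf8               = yes
string_mask        = utf8only
distinguished_name = dn_leaf
req_extensions     = reqext
[ dn_leaf ]
C  = IN
ST = Madhya Pradesh
L  = Indore
O  = LinuxTopic
OU = SRE TEAM
CN = linuxtopic.com
[ reqext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = linuxtopic.com
DNS.2 = test.linuxtopic.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -config "$WORK/leaf.cnf" -out "$WORK/leaf.csr" 2>/dev/null

    # 4. Sign with the CA. `openssl x509 -req` does not copy extensions from the
    #    CSR by default, so the leaf extensions (SAN included) are restated here.
    cat > "$WORK/leaf_ext.cnf" <<'EOF'
[ v3_leaf ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:linuxtopic.com, DNS:test.linuxtopic.com
EOF
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 374 -sha256 \
        -extfile "$WORK/leaf_ext.cnf" -extensions v3_leaf -out "$WORK/leaf.crt"
}

# --- checks: each returns 0 on success, so it can be used in `if`, `&&` or a test ---
csr_selfsig_ok()   { openssl req -noout -verify -in "$WORK/leaf.csr" >/dev/null 2>&1; }
csr_has_san()      { openssl req -noout -text -in "$WORK/leaf.csr" | grep -q 'DNS:test\.linuxtopic\.com'; }
chain_ok()         { openssl verify -CAfile "$WORK/rootCA.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }
# Clients match the requested host name against the SAN, not the CN.
host_ok()          { openssl verify -CAfile "$WORK/rootCA.crt" -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1; }
leaf_is_not_ca()   { openssl x509 -noout -text -in "$WORK/leaf.crt" | grep -q 'CA:FALSE'; }
# The public key inside the certificate must equal the public half of leaf.key;
# a mismatch is the classic "cert and key do not belong together" deployment error.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$WORK/leaf.crt")" = "$(openssl pkey -pubout -in "$WORK/leaf.key")" ]
}

build_pki
csr_selfsig_ok              && echo "CSR self-signature OK"
csr_has_san                 && echo "CSR carries subjectAltName"
chain_ok                    && echo "leaf.crt chains to rootCA.crt"
host_ok test.linuxtopic.com && echo "hostname test.linuxtopic.com accepted"
host_ok other.example.com   || echo "hostname other.example.com rejected (not in SAN)"
leaf_is_not_ca              && echo "leaf.crt is not a CA"
key_matches_cert            && echo "leaf.key matches leaf.crt"
```

The hostname check is the one the page's own run would fail: a certificate issued with only the two-line template has no SAN, so `openssl verify -verify_hostname linuxtopic.com` (and every browser) rejects it even though the chain itself is valid. The key-match check is worth running on the production host after copying files around, before restarting the web server.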
Thank you!
I hope this post gave you all the information you needed. If you have any further questions or would like more detailed directions, feel free to contact us through any of the following sources. We look forward to talking to you.