Openssl Generate Self Signed Certificate With Private Key
Openssl Generate Self Signed Certificate With Private Key 5,0/5 2350 reviews

I'm adding HTTPS support to an embedded Linux device. I have tried to generate a self-signed certificate with these steps: openssl req -new cert.csr openssl rsa -in privkey.pem -out key.pem o. Mar 28, 2014  SSH private / public key pair & self sign certificate. One of the most common forms of cryptography today is public-key cryptography helps to communicate two system by encrypting information using the public key and information can be decrypted using private key. These keys are using mainly on login to server securely and also transferring data securely.

  1. Openssl Create Self Signed Cert
  2. Openssl Generate Self Signed Certificate With Private Key Code
  3. Generate Ssl Certificate Using Openssl
  4. Openssl Generate Self Signed Certificate With Private Key Search
Use openssl to create an x509 self-signed certificate authority (CA), certificate signing request (CSR), and resulting private key with IP SAN and DNS SAN
create-certs.sh
# Define where to store the generated certs and metadata.
DIR='$(pwd)/tls'
# Optional: Ensure the target directory exists and is empty.
rm -rf '${DIR}'
mkdir -p '${DIR}'
# Create the openssl configuration file. This is used for both generating
# the certificate as well as for specifying the extensions. It aims in favor
# of automation, so the DN is encoding and not prompted.
cat >'${DIR}/openssl.cnf'<<EOF
[req]
default_bits = 2048
encrypt_key = no # Change to encrypt the private key using des3 or similar
default_md = sha256
prompt = no
utf8 = yes
# Speify the DN here so we aren't prompted (along with prompt = no above).
distinguished_name = req_distinguished_name
# Extensions for SAN IP and SAN DNS
req_extensions = v3_req
# Be sure to update the subject to match your organization.
[req_distinguished_name]
C = US
ST = California
L = The Cloud
O = Demo
CN = My Certificate
# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.
[v3_req]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly.
[alt_names]
IP.1 = 1.2.3.4
DNS.1 = my.dns.name
EOF
# Create the certificate authority (CA). This will be a self-signed CA, and this
# command generates both the private key and the certificate. You may want to
# adjust the number of bits (4096 is a bit more secure, but not supported in all
# places at the time of this publication).
#
# To put a password on the key, remove the -nodes option.
#
# Be sure to update the subject to match your organization.
openssl req
-new
-newkey rsa:2048
-days 120
-nodes
-x509
-subj '/C=US/ST=California/L=The Cloud/O=My Company CA'
-keyout '${DIR}/ca.key'
-out '${DIR}/ca.crt'
#
# For each server/service you want to secure with your CA, repeat the
# following steps:
#
# Generate the private key for the service. Again, you may want to increase
# the bits to 4096.
openssl genrsa -out '${DIR}/my-service.key' 2048
# Generate a CSR using the configuration and the key just generated. We will
# give this CSR to our CA to sign.
openssl req
-new -key '${DIR}/my-service.key'
-out '${DIR}/my-service.csr'
-config '${DIR}/openssl.cnf'
# Sign the CSR with our CA. This will generate a new certificate that is signed
# by our CA.
openssl x509
-req
-days 120
-in '${DIR}/my-service.csr'
-CA '${DIR}/ca.crt'
-CAkey '${DIR}/ca.key'
-CAcreateserial
-extensions v3_req
-extfile '${DIR}/openssl.cnf'
-out '${DIR}/my-service.crt'
# (Optional) Verify the certificate.
openssl x509 -in '${DIR}/my-service.crt' -noout -text
# Here is a sample response (truncate):
#
# Certificate:
# Signature Algorithm: sha256WithRSAEncryption
# Issuer: C = US, ST = California, L = The Cloud, O = My Organization CA
# Subject: C = US, ST = California, L = The Cloud, O = Demo, CN = My Certificate
# # ..
# X509v3 extensions:
# X509v3 Basic Constraints:
# CA:FALSE
# X509v3 Subject Key Identifier:
# 36:7E:F0:3D:93:C6:ED:02:22:A9:3D:FF:18:B6:63:5F:20:52:6E:2E
# X509v3 Key Usage:
# Digital Signature, Key Encipherment
# X509v3 Extended Key Usage:
# TLS Web Client Authentication, TLS Web Server Authentication
# X509v3 Subject Alternative Name:
# IP Address:1.2.3.4, DNS:my.dns.name
#
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

If you want to convert your website from HTTP to HTTPS, you need to get a SSL certificate from a valid organization like Verisign or Thawte. You can also generate self signed SSL certificate for testing purpose.

In this article, let us review how to generate private key file (server.key), certificate signing request file (server.csr) and webserver certificate file (server.crt) that can be used on Apache server with mod_ssl.

Key, CSR and CRT File Naming Convention

Openssl Create Self Signed Cert

I typically like to name the files with the domain name of the HTTPS URL that will be using this certificate. This makes it easier to identify and maintain.

  • Instead of server.key, I use www.thegeekstuff.com.key
  • Instead of server.csr, I use www.thegeekstuff.com.csr
  • Instead of server.crt, I use www.thegeekstuff.com.crt

1. Generate Private Key on the Server Running Apache + mod_ssl

First, generate a private key on the Linux server that runs Apache webserver using openssl command as shown below.

The generated private key looks like the following.

Openssl Generate Self Signed Certificate With Private Key Code

2. Generate a Certificate Signing Request (CSR)

Using the key generate above, you should generate a certificate request file (csr) using openssl as shown below.

Generate Ssl Certificate Using Openssl

3. Generate a Self-Signed SSL Certificate

For testing purpose, you can generate a self-signed SSL certificate that is valid for 1 year using openssl command as shown below.


You can use this method to generate Apache SSL Key, CSR and CRT file in most of the Linux, Unix systems including Ubuntu, Debian, CentOS, Fedora and Red Hat.

Delete and Backspace. Getting Delete and Backspace to work just right is nontrivial, especially in a mixed environment, where you talk to console, to X, to bash, to emacs, login remotely, etc.You may have to edit several configuration files to tell all of the programs involved precisely what you want. What key combination generates a backspace character in cmd 1.

4. Get a Valid Trial SSL Certificate (Optional)

Instead of signing it youself, you can also generate a valid trial SSL certificate from thawte. i.e Before spending the money on purchasing a certificate, you can also get a valid fully functional 21 day trial SSL certificates from Thawte. Once this valid certificate works, you can either decide to purchase it from Thawte or any other SSL signing organization.

This step is optional and not really required. For testing purpose, you can always use the self-signed certificate that was generated from the above step.

Go to Thwate trial certificate request page and do the following:

  • Select “SSL Web Server Certificate (All servers)” under the “select your trial certificate”.
  • Do not check the PKCS #7 check-box under the “configure certificate”
  • Copy/Paste the *.csr file that you generate above in the textbox under “certificate signing request (CSR)”
  • Click on next at the bottom, which will give you a 21-day free trial certificate.


Copy/Paste the trial certificate to the www.thegeekstuff.com.crt file as shown below.

Key
> Add your comment

If you enjoyed this article, you might also like.



Next post: Google Chrome OS – Beginning of End of Microsoft?

Previous post: Blog Makeover: New Thesis Theme In Action