tl;dr
Living in a secure world!
$ cd pki/
# create CA certificate / private key
$ openssl req -x509 -newkey rsa:4096 -keyout ca.key.pem -out ca.cert.pem -days 1095 -nodes
# create server CSR / private key
$ openssl req -newkey rsa:4096 -keyout server.key.pem -out server.cert.csr -days 1095 -nodes
# sign and create server certificate
$ openssl x509 -req -days 1095 -in server.cert.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem
Why do I need to do that?
Generating a self-signed Certificate Authority (CA) and an associated server certificate may be useful in different scenarios:
- Securing SSL communications with your own SSL server (Web server, IRC server, etc.)
- Configuring a VPN with certificate authentication (e.g. strongSwan)
- Testing, when auditing a client application by performing a man-in-the-middle attack between the application and a remote server
Some explanation on the commands above
CA certificate
First, we generate our CA certificate:
- -x509 specifies to create the X.509 certificate (instead of a Certificate Signing Request, a.k.a. CSR)
- -newkey rsa:4096 specifies to generate a 4096-bit RSA key
- -keyout and -out are respectively used to specify the CA key and CA certificate file names
- -days 1095 specifies a validity of 3 years (3*365=1095 days) for the certificate / key
- -nodes specifies not to encrypt the private key
We use the “My CA” name for our “Common Name” (CN) here but it does not really matter. We will see later the CN that matters is the server one.
~$ cd pki/
~/pki$ openssl req -x509 -newkey rsa:4096 -keyout ca.key.pem -out ca.cert.pem -days 1095 -nodes
Generating a 4096 bit RSA private key
.............................................++
...............................................................................................................................................................................................++
writing new private key to 'ca.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:My CA
Email Address []:
Server CSR
The next step is to generate our server Certificate Signing Request (CSR). We cannot directly create our server certificate using a one-line command because we need to create a request that will later be signed with the CA private key.
- We omit -x509 here because we create a Certificate Signing Request, a.k.a. CSR (and not directly an X.509 certificate)
Everything else has already been commented. Let’s just notice that the -out option is followed by a .csr filename because, again, we are creating a CSR and not (yet) a server certificate.
Here, we need to specify a “Common Name” that matches what the client uses when connecting to our server. For example, we use:
- 192.168.100.18 if our server is in a LAN
- 123.456.789.10 if our server is publicly available on the Internet and no DNS is configured
- myserver.com if our server has a configured DNS (and the client is using it!)
Important note: The “common name” is really important if we need to secure the communications, which is basically what we are trying to do since we are using SSL/TLS.
~/pki$ openssl req -newkey rsa:4096 -keyout server.key.pem -out server.cert.csr -days 1095 -nodes
Generating a 4096 bit RSA private key
..................................................................................................................................................................................................................................................................................................++
............................................................................................++
writing new private key to 'server.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:192.168.100.18
Email Address []:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signing the server certificate
Finally, we sign the server Certificate Signing Request with our CA and create the server certificate:
- x509 (here the openssl subcommand rather than an option) specifies to create the X.509 certificate
- -in specifies the CSR filename used as input and -out specifies the output server certificate filename
- -CA specifies the CA certificate and -CAkey specifies the CA private key
- -CAcreateserial specifies to generate a serial for this certificate
This is what it looks like:
~/pki$ openssl x509 -req -days 1095 -in server.cert.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem
Signature ok
subject=/C=FR/ST=France/O=Internet Widgits Pty Ltd/CN=192.168.100.18
Getting CA Private Key
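Current browsers and many TLS libraries match the server name against the certificate's subjectAltName extension and ignore the CN, and openssl x509 -req does not copy extensions from the CSR unless told to, so a SAN has to be added at signing time. The script below is an added example, not the original post's code: it runs the same three commands non-interactively with -subj, adds the SAN through an extension file, and checks the result with openssl verify; the function names and the san.ext file name are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the original post's code. HOST is an IPv4 address or a
# DNS name; san.ext and the function names are made up for this sketch.

# san_for HOST -> "IP:<addr>" for an IPv4 literal, "DNS:<name>" otherwise.
san_for() {
    case $1 in
        *[!0-9.]*) printf 'DNS:%s' "$1" ;;
        *)         printf 'IP:%s' "$1" ;;
    esac
}

# make_pki DIR HOST [BITS]: the post's three commands, answered with -subj.
make_pki() (
    dir=$1; host=$2; bits=${3:-4096}
    umask 077                  # -nodes leaves the private keys unencrypted
    mkdir -p "$dir" && cd "$dir" || exit 1
    openssl req -x509 -newkey "rsa:$bits" -keyout ca.key.pem -out ca.cert.pem \
        -days 1095 -nodes -subj "/C=FR/ST=France/CN=My CA" 2>/dev/null || exit 1
    # -days is dropped here: openssl req ignores it when -x509 is absent.
    openssl req -newkey "rsa:$bits" -keyout server.key.pem -out server.cert.csr \
        -nodes -subj "/C=FR/ST=France/CN=$host" 2>/dev/null || exit 1
    # The SAN is supplied at signing time through an extension file.
    printf 'subjectAltName=%s\n' "$(san_for "$host")" > san.ext
    openssl x509 -req -days 1095 -in server.cert.csr -CA ca.cert.pem \
        -CAkey ca.key.pem -CAcreateserial -extfile san.ext \
        -out server.cert.pem 2>/dev/null
)

# check_pki DIR HOST: true only if server.cert.pem chains to ca.cert.pem
# and is valid for HOST.
check_pki() {
    case $(san_for "$2") in
        IP:*) name_opt=-verify_ip ;;
        *)    name_opt=-verify_hostname ;;
    esac
    openssl verify -CAfile "$1/ca.cert.pem" "$name_opt" "$2" \
        "$1/server.cert.pem" 2>/dev/null | grep -q ': OK$'
}
```

Running check_pki before deploying catches a certificate whose name does not match what the client will connect to, which is the failure the Common Name discussion above is about.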
So what do we have now?
We remove the CA private key because we do not want any other server certificate to be signed by it. This matters because we need to add the CA certificate to our trusted certificate store (e.g. certmgr.msc under Windows), so any certificate signed with that key would be trusted too.
~/pki$ rm ca.srl ca.key.pem server.cert.csr
~/pki$ ls
ca.cert.pem server.cert.pem server.key.pem
- ca.cert.pem is the self-signed CA certificate
- server.cert.pem is the server certificate with the correct Common Name (CN) field and signed by the CA
- server.key.pem is the server private key
We concatenate all these files into one file, in that order (from the “most private” to the “most public” key). It is ready to be used by our server.
~/pki$ cat server.key.pem server.cert.pem ca.cert.pem > mytrustedchain.pem






