I strongly recommend that you first get an overview of PKI and certificates in general before starting with the steps in this article. Here I will share the steps to generate a self-signed certificate using openssl.
Setting Up a Certificate Authority
There are a number of free and commercial CA packages available to generate self signed certificates. The OpenSSL command-line tool even provides all of the functionality required to set up a minimal CA that can be used in a small organization.
I will show you
- how to create a self signed certificate for use by your Certificate Authority (CA),
- how to build a configuration file that OpenSSL can use for your Certificate Authority (CA), and
- how to issue certificates and CRLs with your Certificate Authority (CA).
The very first thing we need to do to get a self signed certificate is install openssl and its dependency rpms using
[[email protected] ~]# yum -y install openssl
Environment for Your Certificate Authority
Within the CA's root directory we have two subdirectories:
[[email protected] ~]# cd /etc/pki/CA/
Here certs will be used to keep copies of all of the certificates that we issue with our CA, and private will be used to keep a copy of the CA certificate's private key.
[[email protected] tls]# ls
cert.pem  certs  misc  openssl.cnf  private
Building an OpenSSL Configuration File
We will make some minor changes to our /etc/pki/tls/openssl.cnf configuration file. Change the file names below so that they point at the CA certificate, CRL and private key we will create:
[[email protected] tls]# vim openssl.cnf
certificate     = $dir/mycert.pem           # The CA certificate
crl             = $dir/mycrl.pem            # The current CRL
private_key     = $dir/private/mykey.pem    # The private key
Besides key generation, we will create two files that our CA infrastructure will need.
The first file is used to keep track of the last serial number that was used to issue a certificate. It’s important that no two certificates ever be issued with the same serial number from the same Certificate Authority (CA). We’ll call this file serial and initialize it to contain the number 1. It expects the value to be in hex, and it must contain at least two digits, so we must pad the value by prepending a zero to it.
[[email protected] CA]# echo 01 > serial
The second file is a database of sorts that keeps track of the certificates that have been issued by the CA. Since no certificates have been issued at this point and OpenSSL requires that the file exist, we'll simply create an empty file. We'll call this file index.txt.
[[email protected] tls]# cd /etc/pki/CA/
[[email protected] CA]# touch index.txt
Generate a Self Signed Certificate
Before we can begin issuing certificates with our Certificate Authority (CA), it needs a certificate of its own with which to sign the certificates that it issues. This certificate will also be used to sign any CRLs that are published. Any certificate that has the authority to sign certificates and CRLs will do.
Create the certificate and generate a new key pair to go along with it.
[[email protected] CA]# (umask 077; openssl genrsa -out private/myca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
..........................+++
...................................................................+++
e is 65537 (0x10001)
Enter pass phrase for private/myca.key:
Verifying - Enter pass phrase for private/myca.key:
[[email protected] CA]# (umask 077; openssl genrsa -out private/mykey.pem -des3 2048)
Generating RSA private key, 2048 bit long modulus
..................................+++
................................+++
e is 65537 (0x10001)
Enter pass phrase for private/mykey.pem:
Verifying - Enter pass phrase for private/mykey.pem:
When you run the command, OpenSSL prompts you twice to enter a passphrase to encrypt your private key. The key will be encrypted with 3DES, using a key derived from your passphrase. Note that private/mykey.pem is the key referenced by the private_key setting in openssl.cnf, so that is the key the CA will use from here on; the umask 077 ensures the key file is created readable by root only.
Create Certificate Authority (CA)
[[email protected] CA]# openssl req -new -x509 -key private/mykey.pem -days 365 > mycert.pem
Enter pass phrase for private/mykey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BANGALORE
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) []:node2.example.com
Email Address []:[email protected]
Next, generate the private key for the server whose certificate the CA will issue:
[[email protected] CA]# (umask 077; openssl genrsa 1024 > serverkey.pem)
Generating RSA private key, 1024 bit long modulus
.................++++++
.........................++++++
e is 65537 (0x10001)
Everything is now set up for our CA, and it’s time to take it out for a test drive by issuing a certificate. To do that, we need a certificate request.
The command to generate a certificate request is similar to the command we used to create our self-signed root certificate. We use the command-line tool’s req command, but we’ll need to specify some extra parameters.
[[email protected] CA]# (umask 077; openssl req -new -key serverkey.pem -out serverkey.csr)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BANGALORE
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) []:node2.example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
And now we can verify the contents of the CSR.
[[email protected] CA]# openssl req -in serverkey.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=IN, ST=KARNATAKA, L=BANGALORE, O=GoLinuxCloud, OU=TEST, CN=node2.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d0:07:fb:cc:ac:7a:21:ee:a3:66:ef:70:e5:77:
                    6c:be:f3:d3:61:e2:ed:5f:92:bc:35:fc:ba:64:c7:
                    c3:fa:dc:8b:8e:4a:7c:e9:de:d5:b3:05:09:26:b6:
                    0d:62:07:b8:ab:83:2b:b0:1b:d7:2d:81:ea:80:da:
                    12:76:e2:ec:30:5f:22:f1:30:7f:0e:ed:df:52:a1:
                    ec:30:9a:09:c9:cf:4d:3a:69:13:05:3b:a8:93:09:
                    4d:d1:72:76:fc:7f:64:0f:3a:52:b0:fe:86:0f:55:
                    31:b2:df:0a:d3:6b:96:e3:43:ac:34:e2:c7:34:39:
                    2a:91:52:5e:a7:54:3b:64:63
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :tmo46713
    Signature Algorithm: sha256WithRSAEncryption
         6d:45:28:c9:79:54:e4:ab:01:e4:13:3a:87:f8:1e:44:4b:56:
         4a:42:bc:4d:e1:3f:be:c9:2e:43:8b:cc:bc:14:52:9a:19:05:
         6f:cf:79:ca:dc:ad:25:a7:98:29:1e:bb:13:2f:21:09:0a:38:
         40:5c:2f:36:51:e2:dc:05:4a:b0:31:d2:af:48:23:a6:ee:3d:
         24:dd:fc:85:40:8d:a8:65:ff:c9:40:ce:7c:e9:cc:6a:6a:43:
         74:93:86:23:9f:32:2a:f0:1f:50:07:1f:99:7a:2b:22:3a:aa:
         32:ac:3a:47:22:83:d3:36:0a:18:58:c6:f5:be:d8:27:b0:f1:
         d8:c2
Signing the certificate
With a certificate request now in hand, we can use our CA to issue the server certificate, signed with our self-signed CA certificate.
[[email protected] CA]# openssl ca -in serverkey.csr -out servercert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/mykey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 16 21:31:29 2019 GMT
            Not After : Apr 15 21:31:29 2020 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = KARNATAKA
            organizationName          = GoLinuxCloud
            organizationalUnitName    = TEST
            commonName                = node2.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C1:8B:8B:C8:F2:3F:93:00:89:E7:D2:B9:18:B5:D7:65:2F:2E:7C:2D
            X509v3 Authority Key Identifier:
                keyid:A6:04:F5:9C:35:3F:1F:44:DE:E1:1C:BE:21:BA:DF:7C:F9:D5:75:16

Certificate is to be certified until Apr 15 21:31:29 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
After the command has completed and the certificate has been issued, you should be able to see that information was added to the file index.txt, OpenSSL's CA database.
[[email protected] CA]# cat index.txt
V       200415213129Z           01      unknown /C=IN/ST=KARNATAKA/O=GoLinuxCloud/OU=TEST/CN=node2.example.com
Finally, you should be able to see that the serial number in the file serial was incremented. When you look at the text dump of the certificate that was created, you'll notice that it was assigned a serial number of "1", the number that we used to seed the serial number file. Also notice that the Locality field (L=BANGALORE) from the request is missing from the issued certificate: the default policy section in openssl.cnf does not list localityName, and fields not mentioned in the policy are silently dropped by openssl ca.
[[email protected] CA]# cat serial
02
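The whole procedure above, from the serial and index.txt files through signing the request and checking the result, as an added example that is not from the article: it builds a throwaway CA in a scratch directory with its own minimal openssl.cnf, runs without any prompts, encrypts the CA key with AES-256 instead of 3DES, and finishes with the checks a practitioner would script (openssl verify against the CA certificate, the issued serial, the incremented serial file and the index.txt entry). All paths, names and the passphrase are constructed for the demo.

```shell
# Added example (not code from the article): throwaway CA with the same
# serial/index.txt layout, non-interactive issuance, then verification.
set -e
demo_ca() {
  dir=$1
  mkdir -p "$dir/newcerts" "$dir/private"; chmod 700 "$dir/private"
  echo 01 > "$dir/serial"; : > "$dir/index.txt"   # first serial (hex, 2 digits), empty database
  # Minimal openssl.cnf using the same keys the article edits (certificate, private_key)
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/mycert.pem
private_key = \$dir/private/mykey.pem
policy = local_policy
x509_extensions = server_ext
[ local_policy ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
EOF
  # CA key (AES-256 instead of the article's 3DES) and self-signed CA certificate;
  # -passout/-passin and -subj replace the interactive prompts (demo passphrase only)
  (umask 077; openssl genrsa -aes256 -passout pass:demo-ca-pass -out "$dir/private/mykey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$dir/private/mykey.pem" -passin pass:demo-ca-pass -days 365 \
      -subj "/CN=Demo Root CA" -config "$dir/openssl.cnf" -out "$dir/mycert.pem"
  # Server key and CSR, then sign the CSR with the CA (-batch answers the y/n questions)
  (umask 077; openssl genrsa -out "$dir/serverkey.pem" 2048 2>/dev/null)
  openssl req -new -key "$dir/serverkey.pem" -subj "/CN=node2.example.com" \
      -config "$dir/openssl.cnf" -out "$dir/serverkey.csr"
  openssl ca -batch -config "$dir/openssl.cnf" -passin pass:demo-ca-pass -md sha256 -days 365 \
      -in "$dir/serverkey.csr" -out "$dir/servercert.pem"
  # Checks the article does by eye: chain verifies, serial is 01, next is 02, index has a V entry
  openssl verify -CAfile "$dir/mycert.pem" "$dir/servercert.pem" >/dev/null
  [ "$(openssl x509 -in "$dir/servercert.pem" -noout -serial)" = "serial=01" ]
  [ "$(cat "$dir/serial")" = "02" ]
  grep -q "^V.*CN=node2.example.com" "$dir/index.txt"
}
demo_ca "$(mktemp -d)"
```

Because the policy section only lists commonName, the issued subject is reduced to the CN, which is the same behaviour that dropped the Locality field in the article's own output.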
So now normally you would create a server directory in /etc/pki and copy the key as well as the certificate to the directory
[[email protected] CA]# mkdir /etc/pki/server
[[email protected] CA]# cp servercert.pem /etc/pki/server/
[[email protected] CA]# cp serverkey.csr /etc/pki/server/
[[email protected] CA]# mkdir /etc/pki/private
[[email protected] CA]# cp serverkey.csr /etc/pki/private/
[[email protected] CA]# cp serverkey.pem /etc/pki/private/
And now that we've got the server key and the server certificate in the correct location, you can do anything you want with them, such as configuring a TLS-secured Apache virtual host to use this certificate. Note that the private key file keeps its 0600 permissions after the copy, which is what you want.
[[email protected] CA]# ls -l /etc/pki/server/
total 8
-rw-r--r-- 1 root root 3770 Apr 17 03:02 servercert.pem
-rw------- 1 root root  704 Apr 17 03:02 serverkey.csr
[[email protected] CA]# ls -l /etc/pki/private/
total 8
-rw------- 1 root root 704 Apr 17 03:03 serverkey.csr
-rw------- 1 root root 887 Apr 17 03:03 serverkey.pem
Network Security with OpenSSL
Lastly, I hope the steps in this article to generate self-signed certificates using openssl on Linux were helpful. Let me know your suggestions and feedback using the comment section.