I strongly recommend that you first get an overview of PKI and certificates before starting with the steps in this article. Here I will share the steps to generate a self-signed certificate using openssl.

How to generate a self-signed certificate using openssl in Linux

 

Setting Up a Certificate Authority

There are a number of free and commercial CA packages available for generating self-signed certificates. The OpenSSL command-line tool alone provides all of the functionality required to set up a minimal CA for use in a small organization.

I will show you

  • how to create a self signed certificate for use by your Certificate Authority (CA),
  • how to build a configuration file that OpenSSL can use for your Certificate Authority (CA), and
  • how to issue certificates and CRLs with your Certificate Authority (CA).

 

Install openssl

The very first thing we need to do to get a self-signed certificate is to install openssl and its dependency RPMs using the yum command:

[[email protected] ~]# yum -y install openssl

 

Environment for Your Certificate Authority

Within the CA’s root directory we use two subdirectories, certs and private.

[[email protected] ~]# cd /etc/pki/CA/

Here, certs will hold copies of all of the certificates that we issue with our CA, and private will hold the CA certificate’s private key.

[[email protected] tls]# ls
cert.pem  certs  misc  openssl.cnf  private

 

Building an OpenSSL Configuration File

We will make some minor changes to our /etc/pki/tls/openssl.cnf configuration file. Change the file names below to those of the CA certificate, CRL and private key we are about to create:

[[email protected] tls]# vim openssl.cnf
certificate     = $dir/mycert.pem        # The CA certificate
crl             = $dir/mycrl.pem         # The current CRL
private_key     = $dir/private/mykey.pem # The private key

Besides the key, we will create two files that our CA infrastructure needs.

The first file keeps track of the last serial number used to issue a certificate. It is important that no two certificates are ever issued with the same serial number by the same Certificate Authority (CA). We’ll call this file serial and initialize it to contain the number 1. OpenSSL expects the value in hex, and it must contain at least two digits, so we pad the value by prepending a zero.

[[email protected] CA]# echo 01 > serial

The second file is a database of sorts that keeps track of the certificates issued by the CA. Since no certificates have been issued yet but OpenSSL requires the file to exist, we simply create an empty file named index.txt:

[[email protected] tls]# cd /etc/pki/CA/
[[email protected] CA]# touch index.txt

 

Generate a Self Signed Certificate

Before we can begin issuing certificates with our Certificate Authority (CA), it needs a certificate of its own with which to sign the certificates it issues. This certificate will also be used to sign any CRLs that are published. Any certificate that has the authority to sign certificates and CRLs will do.

Create the certificate and generate a new key pair to go along with it.

[[email protected] CA]# (umask 077; openssl genrsa -out private/myca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
..........................+++
...................................................................+++
e is 65537 (0x10001)
Enter pass phrase for private/myca.key:
Verifying - Enter pass phrase for private/myca.key:
[[email protected] CA]# (umask 077; openssl genrsa -out private/mykey.pem -des3 2048)
Generating RSA private key, 2048 bit long modulus
..................................+++
................................+++
e is 65537 (0x10001)
Enter pass phrase for private/mykey.pem:
Verifying - Enter pass phrase for private/mykey.pem:

When you run the command, OpenSSL prompts you twice to enter a passphrase to encrypt your private key. The key will be encrypted with 3DES, using a key derived from your passphrase.

IMPORTANT NOTE:
Remember that this private key is the most important key in the setup, so choose your passphrase accordingly. If this key is compromised, the integrity of your CA is compromised, which means that no certificate it issued, whether before or after the compromise, can be trusted any longer.

 

Create Certificate Authority (CA)

[[email protected] CA]# openssl req -new -x509 -key private/mykey.pem -days 365 > mycert.pem
Enter pass phrase for private/mykey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BANGALORE
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) []:node2.example.com
Email Address []:[email protected]
[[email protected] CA]# (umask 077; openssl genrsa 1024 > serverkey.pem)
Generating RSA private key, 1024 bit long modulus
.................++++++
.........................++++++
e is 65537 (0x10001)

 

Issuing Certificates

Everything is now set up for our CA, and it’s time to take it out for a test drive by issuing a certificate. To do that, we need a certificate request.

The command to generate a certificate request is similar to the command we used to create our self-signed root certificate. We use the command-line tool’s req command, but we’ll need to specify some extra parameters.

[[email protected] CA]# (umask 077; openssl req -new -key serverkey.pem -out serverkey.csr)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BANGALORE
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) []:node2.example.com
Email Address []: [email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

And now we can verify the contents of the CSR.

[[email protected] CA]# openssl req -in serverkey.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=IN, ST=KARNATAKA, L=BANGALORE, O=GoLinuxCloud, OU=TEST, CN=node2.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d0:07:fb:cc:ac:7a:21:ee:a3:66:ef:70:e5:77:
                    6c:be:f3:d3:61:e2:ed:5f:92:bc:35:fc:ba:64:c7:
                    c3:fa:dc:8b:8e:4a:7c:e9:de:d5:b3:05:09:26:b6:
                    0d:62:07:b8:ab:83:2b:b0:1b:d7:2d:81:ea:80:da:
                    12:76:e2:ec:30:5f:22:f1:30:7f:0e:ed:df:52:a1:
                    ec:30:9a:09:c9:cf:4d:3a:69:13:05:3b:a8:93:09:
                    4d:d1:72:76:fc:7f:64:0f:3a:52:b0:fe:86:0f:55:
                    31:b2:df:0a:d3:6b:96:e3:43:ac:34:e2:c7:34:39:
                    2a:91:52:5e:a7:54:3b:64:63
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :tmo46713
    Signature Algorithm: sha256WithRSAEncryption
         6d:45:28:c9:79:54:e4:ab:01:e4:13:3a:87:f8:1e:44:4b:56:
         4a:42:bc:4d:e1:3f:be:c9:2e:43:8b:cc:bc:14:52:9a:19:05:
         6f:cf:79:ca:dc:ad:25:a7:98:29:1e:bb:13:2f:21:09:0a:38:
         40:5c:2f:36:51:e2:dc:05:4a:b0:31:d2:af:48:23:a6:ee:3d:
         24:dd:fc:85:40:8d:a8:65:ff:c9:40:ce:7c:e9:cc:6a:6a:43:
         74:93:86:23:9f:32:2a:f0:1f:50:07:1f:99:7a:2b:22:3a:aa:
         32:ac:3a:47:22:83:d3:36:0a:18:58:c6:f5:be:d8:27:b0:f1:
         d8:c2

 

Signing the certificate

With a certificate request in hand, we can use our CA to sign it and issue the server certificate.

[[email protected] CA]# openssl ca -in serverkey.csr -out servercert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/mykey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 16 21:31:29 2019 GMT
            Not After : Apr 15 21:31:29 2020 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = KARNATAKA
            organizationName          = GoLinuxCloud
            organizationalUnitName    = TEST
            commonName                = node2.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C1:8B:8B:C8:F2:3F:93:00:89:E7:D2:B9:18:B5:D7:65:2F:2E:7C:2D
            X509v3 Authority Key Identifier:
                keyid:A6:04:F5:9C:35:3F:1F:44:DE:E1:1C:BE:21:BA:DF:7C:F9:D5:75:16

Certificate is to be certified until Apr 15 21:31:29 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
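The whole procedure above, from the directory layout, serial file and index.txt through to signing, as one non-interactive script. This is an added example, not the article's own commands: it runs in a scratch directory with its own openssl.cnf (so nothing under /etc/pki is touched), reads the CA passphrase from a 0600 file instead of prompting, passes -batch to openssl ca to skip the y/n questions, and uses 2048-bit keys for both the CA and the server rather than the 1024-bit server key in the article's transcript, which is below current minimums. The file names mycert.pem and mykey.pem mirror the article; CA_DIR, the demo passphrase, the subject names, the .key/.csr/.crt naming and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not the article's own commands: the CA procedure run
# non-interactively in a scratch directory. Assumes `openssl` is on PATH;
# CA_DIR, the demo passphrase, subject names and function names are constructed.
set -eu

# Minimal openssl.cnf for `openssl req` and `openssl ca`. "dir" is read from the
# CA_DIR environment variable, so no absolute path is baked into the file.
write_ca_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = demo_ca

[ demo_ca ]
dir             = $ENV::CA_DIR
certs           = $dir/certs
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/mycert.pem        # The CA certificate
private_key     = $dir/private/mykey.pem # The private key
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext
copy_extensions = none

[ policy_any ]
commonName       = supplied
countryName      = optional
organizationName = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Directory layout, serial file and empty index.txt (the article's setup steps),
# then a passphrase-protected CA key and the self-signed CA certificate.
setup_demo_ca() {
  export CA_DIR="$1"
  mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"
  echo 01 > "$CA_DIR/serial"      # hex, at least two digits
  : > "$CA_DIR/index.txt"
  write_ca_config "$CA_DIR"
  # Demo passphrase in a 0600 file; a real one must never appear on a command line.
  (umask 077; echo 'demo-ca-passphrase' > "$CA_DIR/private/ca.pass")
  (umask 077; openssl genrsa -aes256 -passout "file:$CA_DIR/private/ca.pass" \
      -out "$CA_DIR/private/mykey.pem" 2048)
  openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -days 365 \
      -key "$CA_DIR/private/mykey.pem" -passin "file:$CA_DIR/private/ca.pass" \
      -subj "/C=IN/O=GoLinuxCloud/CN=Demo Root CA" -out "$CA_DIR/mycert.pem"
}

# Server key and CSR for host $2, signed by the CA in $1 with -batch (no y/n
# prompts). Prints the path of the issued certificate.
issue_server_cert() {
  export CA_DIR="$1"
  host="$2"
  (umask 077; openssl genrsa -out "$CA_DIR/private/$host.key" 2048)
  openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/$host.key" \
      -subj "/C=IN/O=GoLinuxCloud/CN=$host" -out "$CA_DIR/$host.csr"
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
      -passin "file:$CA_DIR/private/ca.pass" \
      -in "$CA_DIR/$host.csr" -out "$CA_DIR/certs/$host.crt" >/dev/null
  echo "$CA_DIR/certs/$host.crt"
}

# Prints OK if certificate $2 chains to the CA certificate in directory $1.
verify_against_ca() {
  openssl verify -CAfile "$1/mycert.pem" "$2" >/dev/null 2>&1 && echo OK
}

# Usage (constructed paths):
#   CA=$(mktemp -d); setup_demo_ca "$CA"
#   CRT=$(issue_server_cert "$CA" node2.example.com)
#   verify_against_ca "$CA" "$CRT"   # -> OK
#   cat "$CA/serial"                 # -> 02, incremented by openssl ca
```

After a run, the scratch directory holds the same artefacts the article inspects next: index.txt with one V line and serial advanced to 02, plus newcerts/01.pem written by openssl ca.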

After the command has completed and the certificate has been issued, you should be able to see that information was added to the file index.txt, OpenSSL’s CA database.

[[email protected] CA]# cat index.txt
V       200415213129Z           01      unknown /C=IN/ST=KARNATAKA/O=GoLinuxCloud/OU=TEST/CN=node2.example.com

Finally, you should be able to see that the serial number in the file serial was incremented. When you look at the text dump of the certificate that was created, you’ll notice that it was assigned a serial number of “1”, the number that we used to seed the serial number file.

[[email protected] CA]# cat serial
02
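index.txt is a tab-separated text database, so it can be audited without openssl. Below is an added example (not from the article) that parses it with awk: one function summarises entries by status, one lists entries still marked V whose expiry date is already past (openssl ca only changes V to E when `openssl ca -updatedb` is run, so stale V entries are easy to miss), and one lists revoked entries with their recorded reason. The sample database is constructed here and contains the article's own line plus two hypothetical entries; the timestamp passed to the stale check is in the same YYMMDDHHMMSSZ form as the file, which `date -u +%y%m%d%H%M%SZ` produces.

```shell
#!/bin/sh
# Added example, not the article's own code: inspect an OpenSSL CA database
# (index.txt). Each line has six tab-separated fields:
#   status   expiry (YYMMDDHHMMSSZ)   revocation (YYMMDDHHMMSSZ[,reason]; empty unless R)
#   serial   filename ("unknown" by default)   subject DN
# status: V = valid, R = revoked, E = expired (set only by `openssl ca -updatedb`).

# Constructed sample: the article's entry plus two hypothetical ones.
sample_index_txt() {
  printf 'V\t200415213129Z\t\t01\tunknown\t/C=IN/ST=KARNATAKA/O=GoLinuxCloud/OU=TEST/CN=node2.example.com\n'
  printf 'R\t210101000000Z\t200601120000Z,keyCompromise\t02\tunknown\t/CN=node3.example.com\n'
  printf 'V\t300101000000Z\t\t03\tunknown\t/CN=node4.example.com\n'
}

# Count entries by status. Reads the database on stdin, prints one line.
ca_db_summary() {
  awk -F'\t' '
    $1 == "V" { v++ }
    $1 == "R" { r++ }
    $1 == "E" { e++ }
    END { printf "valid=%d revoked=%d expired=%d\n", v, r, e }'
}

# Serials of entries still marked V whose notAfter is earlier than $1.
# $1 is a YYMMDDHHMMSSZ timestamp; the fixed width makes plain string
# comparison correct for dates within the same century.
ca_db_stale_valid() {
  awk -F'\t' -v now="$1" '$1 == "V" && $2 < now { print $4 }'
}

# Revoked entries as "serial<TAB>reason<TAB>subject"; the reason is the
# optional text after the comma in the revocation field.
ca_db_revoked() {
  awk -F'\t' '
    $1 == "R" {
      n = split($3, rv, ",")
      reason = (n > 1) ? rv[2] : "unspecified"
      printf "%s\t%s\t%s\n", $4, reason, $6
    }'
}

# Usage: all three read stdin, so on a real CA:
#   ca_db_summary < /etc/pki/CA/index.txt
#   ca_db_stale_valid "$(date -u +%y%m%d%H%M%SZ)" < /etc/pki/CA/index.txt
```

Running the stale check on a schedule and alerting on any output is a cheap way to notice certificates that expired without anyone rotating them; the revoked list is what you would cross-check against the published CRL.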

Normally you would now create a server directory under /etc/pki and copy the key and the certificate there:

[[email protected] CA]# mkdir /etc/pki/server
[[email protected] CA]# cp servercert.pem /etc/pki/server/
[[email protected] CA]# cp serverkey.csr /etc/pki/server/
[[email protected] CA]# mkdir /etc/pki/private
[[email protected] CA]# cp serverkey.csr /etc/pki/private/
[[email protected] CA]# cp serverkey.pem /etc/pki/private/

Now that the server key and the server certificate are in place, you can use them as you like, for example to configure a TLS-secured Apache host with this certificate.

[[email protected] CA]# ls -l /etc/pki/server/
total 8
-rw-r--r-- 1 root root 3770 Apr 17 03:02 servercert.pem
-rw------- 1 root root  704 Apr 17 03:02 serverkey.csr

[[email protected] CA]# ls -l /etc/pki/private/
total 8
-rw------- 1 root root 704 Apr 17 03:03 serverkey.csr
-rw------- 1 root root 887 Apr 17 03:03 serverkey.pem

 

References:
Network Security with OpenSSL

 

Lastly, I hope the steps in this article for generating self-signed certificates using openssl on Linux were helpful. Let me know your suggestions and feedback in the comment section.
