1. Create a single self-signed website cert
If you only need a cert for one or a few domains, there is no need to create a CA cert. A single website cert is enough.
1.1 Generate SSL key and cert file
openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.crt
Explanation:
openssl — The OpenSSL command-line tool, widely used to generate SSL/TLS keys and certificates.
req — Tells OpenSSL that you want to work with certificate requests and certificates (key generation included).
-x509 — Tells OpenSSL to produce a self-signed certificate rather than a certificate signing request.
-days 3650 — The cert will be valid for 3650 days (approx. 10 years).
-newkey rsa:2048 — Generate a new RSA key pair for the cert, with a key length of 2048 bits.
-nodes — Read as ‘no DES’, meaning the private key is written without a passphrase. You may omit this option so that the key is encrypted, which is safer, but it is inconvenient because you have to enter the passphrase every time you start Apache/Nginx.
-keyout mydomain.key — Write the private key to the file mydomain.key. You can specify your own file name.
-out mydomain.crt — Write the cert to the file mydomain.crt. You can specify your own file name.
1.2 Specify cert details
You’ll see something like this:
Generating a 4096 bit RSA private key
..........................++
....................++
writing new private key to 'mydomain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Then you are prompted for each field, like this:
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Los Angeles
Organization Name (eg, company) [Default Company Ltd]:Example & Co.
Organizational Unit Name (eg, section) []:Public Relationship
Common Name (eg, your name or your server's hostname) []:blog.example.com
Email Address []:john.smith@example.com
Explanation:
You can leave any field blank except ‘Common Name’. The Common Name is your exact domain name (e.g. blog.example.com). You may use * as a wildcard (e.g. *.example.com), which covers all subdomains but not ‘example.com’ itself.
See Tutorial #2 on how to configure SSL on Apache on SL6/CentOS6.
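The same website cert generated without the interactive prompts, followed by the checks worth running before the files go to a web server. This is an added example and not part of the original tutorial: it assumes the openssl CLI is installed, passes the Distinguished Name from section 1.2 with the -subj option, and on OpenSSL 1.1.1 or newer uses -addext to add a subjectAltName, which current browsers require in addition to the Common Name. The domain name is the tutorial's; the scratch directory and check functions are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive self-signed cert
# plus sanity checks. Assumes the openssl CLI is on PATH; -addext needs
# OpenSSL 1.1.1+ and is skipped on older builds (cert then has no SAN).
set -eu

WORK="$(mktemp -d)"   # scratch directory so nothing lands in the current directory

# make_selfsigned DOMAIN DAYS -> $WORK/DOMAIN.key and $WORK/DOMAIN.crt.
# Same command as section 1.1, but the DN of section 1.2 is given with -subj.
# Browsers match the host name against subjectAltName, not only CN, so a SAN
# is added whenever the installed openssl supports -addext.
make_selfsigned() {
    domain="$1"; days="$2"
    san_opt=""
    if openssl req -help 2>&1 | grep -q -- '-addext'; then
        san_opt="-addext subjectAltName=DNS:$domain"
    fi
    # shellcheck disable=SC2086  # san_opt must word-split into two arguments
    openssl req -x509 -days "$days" -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=California/L=Los Angeles/O=Example & Co./CN=$domain" \
        $san_opt \
        -keyout "$WORK/$domain.key" -out "$WORK/$domain.crt" 2>/dev/null
    chmod 600 "$WORK/$domain.key"   # the private key must not be readable by others
}

# cert_subject_cn FILE -> prints the CN from the certificate subject
# (works with both the "CN = x" and the "/CN=x" output styles of openssl).
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_matches_key CERT KEY -> exit 0 iff the public key inside CERT is the one
# derived from KEY. Catches a key/cert mix-up before Apache/Nginx refuses to start.
cert_matches_key() {
    c="$(openssl x509 -noout -pubkey -in "$1" | openssl md5)"
    k="$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl md5)"
    [ "$c" = "$k" ]
}

# cert_valid_for_days FILE DAYS -> exit 0 iff the cert is still valid DAYS from now
# (-checkend is what an expiry-monitoring job would use).
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

make_selfsigned blog.example.com 3650
echo "CN:     $(cert_subject_cn "$WORK/blog.example.com.crt")"
openssl x509 -noout -dates -in "$WORK/blog.example.com.crt"
cert_matches_key "$WORK/blog.example.com.crt" "$WORK/blog.example.com.key" && echo "key matches cert"
```

The key/cert match check is the one most worth keeping: the usual deployment slip is copying a key that belongs to a different cert, and the web server only reports it as a vague startup failure.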
2. Creating a self-signed CA cert
2.1 Generate SSL key and cert file
openssl req -x509 -days 3650 -newkey rsa:4096 -nodes -keyout myca.key -out myca.crt
See 1.1 above for explanation.
2.2 Specify cert details
See 1.2 above for the explanation, except that you may put anything in ‘Common Name’.
3. Issue a website cert using the CA cert
3.1 Create a website cert request
mkdir mysite
cp myca.key mysite/ca.key
cp myca.crt mysite/ca.crt
cd mysite
openssl req -new -newkey rsa:2048 -nodes -keyout mysite.key -out mysite.csr
Essentially, this is similar to 1.1, except that:
- you specify the -new option instead of -x509, so you get a cert request (CSR) rather than a cert file.
- there is no need for the -days option, because the validity period is set when the CA signs the request.
3.2 Sign with the CA cert
Although you may sign the request with the openssl command directly, it is more convenient to use a ready-made shell script.
wget http://www.modssl.org/source/mod_ssl-2.8.31-1.3.41.tar.gz
tar xvf mod_ssl-2.8.31-1.3.41.tar.gz
cp mod_ssl-2.8.31-1.3.41/pkg.contrib/sign.sh .
chmod 744 sign.sh
You need to modify it before running it.
- Change the line ‘default_days = 365’ to ‘default_days = 3650’, i.e. 10 years.
- Change the line ‘default_md = md5’ to ‘default_md = sha1’, because Firefox 16+ treats MD5 as a vulnerable signature algorithm and will display a warning.
- If you have already created any website certs with this CA cert, change the line ‘echo '01' >ca.db.serial’ to a greater number, because Firefox will block the cert if it finds a duplicate serial number.
Then run the script.
./sign.sh mysite.csr
That’s it! Now you have mysite.crt, which is signed by myca.crt.
See Tutorial #2 on how to configure SSL on Apache on SL6/CentOS6.
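Sections 2 and 3 as one script that uses only the openssl command instead of mod_ssl's sign.sh. This is an added example, not the tutorial's own procedure: the signing and verification steps rely on openssl x509 -req and openssl verify, the CA and domain names (myca, other-ca, mysite.example.com, www.example.com) are constructed, and the signature digest is SHA-256 rather than the sha1 the sign.sh edit above settles on, since browsers today reject SHA-1 as well as MD5 signatures. The -CAcreateserial option replaces the manual ca.db.serial bookkeeping.

```shell
#!/bin/sh
# Added example (not from the original page): CA workflow of sections 2 and 3
# done non-interactively with the openssl CLI alone. Assumes openssl is on PATH;
# every file and host name below is constructed for the example.
set -eu

WORK="$(mktemp -d)"

# make_ca NAME DAYS BITS -> $WORK/NAME.key and $WORK/NAME.crt, a self-signed CA.
# With the stock openssl.cnf, "req -x509" applies the v3_ca section, so the
# cert carries basicConstraints CA:TRUE and "openssl verify" accepts it as a root.
make_ca() {
    openssl req -x509 -days "$2" -newkey "rsa:$3" -nodes -sha256 \
        -subj "/O=Example & Co./CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    chmod 600 "$WORK/$1.key"
}

# make_csr DOMAIN -> $WORK/DOMAIN.key and $WORK/DOMAIN.csr (section 3.1: -new, not -x509)
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=California/O=Example & Co./CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    chmod 600 "$WORK/$1.key"
}

# sign_csr CANAME DOMAIN DAYS -> $WORK/DOMAIN.crt signed by the CA (section 3.2).
# -CAcreateserial keeps a counter in $WORK/CANAME.srl, so every cert this CA
# issues gets a fresh serial (the duplicate-serial problem the page warns about).
# The SAN is supplied from a one-line extfile because browsers match the host
# name against subjectAltName rather than CN.
sign_csr() {
    printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$2.ext"
    openssl x509 -req -days "$3" -sha256 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# cert_serial FILE -> the certificate serial number in hex
cert_serial() {
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

# verify_chain DOMAIN CANAME -> exit 0 iff $WORK/DOMAIN.crt chains to $WORK/CANAME.crt
verify_chain() {
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca myca 3650 4096
make_ca other-ca 365 2048        # unrelated CA, only used to show verification failing
make_csr mysite.example.com
sign_csr myca mysite.example.com 3650
make_csr www.example.com
sign_csr myca www.example.com 3650

echo "mysite serial: $(cert_serial "$WORK/mysite.example.com.crt")"
echo "www serial:    $(cert_serial "$WORK/www.example.com.crt")"
openssl verify -CAfile "$WORK/myca.crt" "$WORK/mysite.example.com.crt"
```

Running openssl verify against the wrong CA fails with "unable to get local issuer certificate"; that is the same check a browser performs, so it is a quick way to confirm the bundle you deploy actually contains the issuing CA.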
4. Caveat on playing with cert files
You may have come across these files: .csr, .crt, .key, .pem, etc. What are they?
.csr — Certificate Signing Request. This file contains the information you entered at the prompts in section 1.2 above plus your public key. It is used to request a signature from a CA. Can be publicly exposed.
.crt, .cer — Certificate. This is your certificate file, which contains your information, your public key and a signature. It differs from a .csr in that it is signed, either by a CA or by yourself. Can and should be publicly released.
bundle.crt — CA certificate bundle. This is a collection of CA certs: any intermediate CA certs plus a root CA cert. Can be publicly exposed.
.key — Private key. This is the private half of your key pair. NEVER expose it to the public! It is said that the private keys of root CAs are kept physically locked in a vault.
.pem — Privacy Enhanced Mail format. A Base64 text container which, as used here, holds both the public key and the private key. Never expose it to the public.
.der — Distinguished Encoding Rules. Basically the same content as .pem, but in binary rather than Base64.
.p7b, .p12, .pfx, etc. — Container formats that may hold multiple certs and keys. Also never expose them to the public.
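The file types above, told apart and converted on the command line. This is an added example and not from the original page: it assumes the openssl CLI is installed, makes its own throwaway key and certificates (test.example.com, Test Root CA) to work on, and the PKCS#12 password ‘changeit’ is a constructed placeholder. The point it demonstrates is that the BEGIN label inside a PEM file, not the extension, tells you whether a file is safe to publish.

```shell
#!/bin/sh
# Added example (not from the original page): inspecting and converting the
# file types of section 4. Assumes the openssl CLI is on PATH; all keys and
# certs are throwaway test material generated below.
set -eu

WORK="$(mktemp -d)"

# pem_labels FILE -> distinct "-----BEGIN <label>-----" labels, one per line.
# PEM is base64 between such markers, so the label says what the file holds.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u
}

# contains_private_key FILE -> exit 0 iff FILE carries PEM private key material
# ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY").
# A file for which this succeeds must never be published, whatever its extension.
contains_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# bundle_cert_count FILE -> number of certificates in a PEM bundle (bundle.crt)
bundle_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# cert_to_der PEM DER / der_to_pem DER PEM -> same certificate, other encoding
cert_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem()  { openssl x509 -inform DER -in "$1" -out "$2"; }

# cert_fingerprint FILE [PEM|DER] -> SHA-256 fingerprint, the encoding-independent
# identity of a cert (unchanged by a PEM/DER round trip if nothing was lost)
cert_fingerprint() {
    openssl x509 -inform "${2:-PEM}" -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# p12_cert_count FILE PASSWORD -> certificates inside a PKCS#12 (.p12/.pfx) container
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Throwaway key pair and self-signed cert to work on (same command as section 1.1).
openssl req -x509 -days 30 -newkey rsa:2048 -nodes -sha256 -subj "/CN=test.example.com" \
    -keyout "$WORK/test.key" -out "$WORK/test.crt" 2>/dev/null
# A second self-signed cert stands in for a CA cert so that a bundle can be built.
openssl req -x509 -days 30 -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# A ".pem" mixing key and cert, a constructed two-cert bundle, a DER copy and
# a PKCS#12 container holding key + cert + CA cert (so it is secret too).
cat "$WORK/test.key" "$WORK/test.crt" > "$WORK/test.pem"
cat "$WORK/ca.crt" "$WORK/ca.crt" > "$WORK/bundle.crt"
cert_to_der "$WORK/test.crt" "$WORK/test.der"
der_to_pem "$WORK/test.der" "$WORK/roundtrip.crt"
openssl pkcs12 -export -inkey "$WORK/test.key" -in "$WORK/test.crt" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/test.p12"

for f in test.key test.crt test.pem bundle.crt; do
    printf '%-11s labels: %s\n' "$f" "$(pem_labels "$WORK/$f" | tr '\n' ' ')"
done
echo "PEM fingerprint: $(cert_fingerprint "$WORK/test.crt")"
echo "DER fingerprint: $(cert_fingerprint "$WORK/test.der" DER)"
```

Before publishing any certificate file, run contains_private_key on it: a .pem or .crt that was produced by concatenating key and cert, as some server setups require, looks like a certificate from the outside but carries the private key.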