Every few months I find myself scouring the web to find a site to explain how to generate a self-signed certificate, or how to generate a private key for this or that. It seems it is time for me to put it on this site for two reasons. One, it will be easy for me to find. Two, it will hopefully help you with generating these certs and keys in the future.
How To: Generate a CA
Ensure you have OpenSSL installed on your system.
openssl req -out ca.pem -new -x509
This will then prompt you for a few pieces of data:
$ openssl req -out ca.pem -new -x509
Generating a 1024 bit RSA private key
........++++++
.............++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) []:Some City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Fill in as much data as possible; it is used to make the certificate accurate and unique to you. This will generate a CA certificate file, “ca.pem”, as well as a CA key, “privkey.pem”. Now that you have that, you can move on to generating some server and client keys.
How To: Generate Server Certificate and Key
There are three steps to this process, with the last step tying the CA cert generated above to your server keys.
openssl genrsa -out server.key 2048
The output of this command:
$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
..+++
e is 65537 (0x10001)
This will generate a “server.key” file. We then have to make a server.req (certificate request) file to be used with our CA. This can be done via:
openssl req -key server.key -new -out server.req
The execution of that command:
$ openssl req -key server.key -new -out server.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) []:Some City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:erik
An optional company name []:
This produced the “server.req” file. Your directory should now contain 4 files:
$ ls
ca.pem privkey.pem server.key server.req
Finally, the last step brings the above two together. We have to create a file called “file.srl”. This file must contain a two-digit number; the value is up to you. Create this file now and call it file.srl.
Bringing it all together, we now tie the ca.pem created in the first phase to the server.req file to output a server.pem file. Yes, it is all very confusing; the command is:
openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem
This last command will output the “server.pem” file, the signed server certificate that we need. The output of this command:
$ openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem
Signature ok
subject=/C=CA/ST=BC/L=Some City/O=Internet Widgits Pty Ltd
Getting CA Private Key
Enter pass phrase for privkey.pem:
The last line prompts you for the pass phrase of the CA private key that you set in the CA certificate generation phase.
There should now be 6 files in your directory:
$ ls
ca.pem file.srl privkey.pem server.key server.pem server.req
How To: Generate Client Certificate and Key
The process to create the client cert and key is almost identical to the server generation. However, you can encrypt your client key, as this example will show.
First step, as in the server key generation:
openssl genrsa -des3 -out client.key 2048
The execution of this program:
$ openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
You must enter a password to secure the client key in this case. I used DES3 as the encryption scheme. Now we have to make the client certificate request to be used for tying the CA certificate to our client.
openssl req -key client.key -new -out client.req
Executing the above command:
$ openssl req -key client.key -new -out client.req
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) []:Some City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
You can optionally set the extra attributes to more uniquely identify your client.
Putting it all together, we use the client request against the CA cert to tie the two together:
openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
Executing the process:
$ openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
Signature ok
subject=/C=CA/ST=BC/L=Some City/O=Internet Widgits Pty Ltd
Getting CA Private Key
Enter pass phrase for privkey.pem:
You are prompted to enter the pass phrase for the CA private key as set in phase one of this article.
You should now have all the client, server, and CA data you need for most keying products.
$ ls
ca.pem client.key client.pem client.req file.srl privkey.pem server.key server.pem server.req
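The three phases above, scripted end to end so they run without prompts and finish with a check that both leaf certificates actually chain to ca.pem. This is an added example, not a script from the original post; the DN values, file names under the scratch directory, and the two pass phrases are constructed, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): the three phases above, run
# non-interactively so they can be scripted, then checked with openssl verify.
# Assumes openssl is in PATH. All DN values and pass phrases are constructed.
set -eu

CA_PASS="pass:ca-secret-example"          # stands in for the privkey.pem prompt
CLIENT_PASS="pass:client-secret-example"  # stands in for the client.key prompt

# Build ca.pem/privkey.pem, server.key/server.req/server.pem and
# client.key/client.req/client.pem inside directory $1.
make_pki() {
  mkdir -p "$1"
  (
    cd "$1"
    # Phase 1: self-signed CA. -subj replaces the DN prompts, -passout the
    # pass phrase prompt, -keyout names the key file the post gets by default.
    openssl req -new -x509 -newkey rsa:2048 -keyout privkey.pem -out ca.pem \
      -subj "/C=CA/ST=BC/L=Some City/O=Example/CN=Example Root CA" \
      -passout "$CA_PASS" -days 365
    # Serial file for -CAserial: a two-digit hex value, incremented per signing.
    echo 01 > file.srl
    # Phase 2: unencrypted server key, request, and CA-signed certificate.
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.req \
      -subj "/C=CA/ST=BC/L=Some City/O=Example/CN=server.example.test"
    openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem \
      -CAserial file.srl -passin "$CA_PASS" -days 365 -out server.pem
    # Phase 3: DES3-encrypted client key, request, and CA-signed certificate.
    openssl genrsa -des3 -passout "$CLIENT_PASS" -out client.key 2048
    openssl req -new -key client.key -passin "$CLIENT_PASS" -out client.req \
      -subj "/C=CA/ST=BC/L=Some City/O=Example/CN=client-user"
    openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem \
      -CAserial file.srl -passin "$CA_PASS" -days 365 -out client.pem
  )
}

# Succeeds only if both leaf certificates chain to ca.pem.
verify_pki() {
  openssl verify -CAfile "$1/ca.pem" "$1/server.pem" "$1/client.pem"
}

# Prints a certificate's serial number, e.g. "serial=01".
cert_serial() {
  openssl x509 -in "$1" -noout -serial
}
```

Running make_pki then verify_pki on a scratch directory reproduces the nine-file layout listed above; cert_serial shows the serial that -CAserial handed to each certificate.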
Happy encrypting!