
How to create a SSL/TLS certificate (with OpenSSL)

Step by step guide explaining how to generate SSL/TLS certificate with OpenSSL.


This article covers the basic operations needed to create self-signed certificates and keys.

To learn more about SSL/TLS, see the post How it works - SSL/TLS protocol and certificate.


Dependencies

  • A GNU/Linux environment
  • openssl toolkit
sudo apt install openssl

Some file format overview

Format                 Description
.csr                   A Certificate Signing Request.
.pem                   A container format that may include the public certificate,
                       or an entire certificate chain including public key, private key and root certificates.
.der                   A way to encode ASN.1 syntax in binary; a .pem file is just a Base64-encoded .der file.
.cert / .cer / .crt    A PEM (or rarely DER) formatted file with a different extension.
.key                   A PEM formatted file containing just the private key of a specific certificate;
                       the extension is merely a conventional name and not a standardized one.
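As an added example (not from the original post), the following Python shows what the table says about .pem and .der: the PEM text is only the Base64 of the DER bytes between BEGIN/END lines, and the DER itself is a tag-length-value encoding of ASN.1. The sample DER blob is constructed here and is not a real certificate; the function names are mine.

```python
import base64
import textwrap

def der_to_pem(der: bytes, label: str) -> str:
    """Wrap DER bytes as PEM: a BEGIN line, 64-column Base64, an END line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem: drop the BEGIN/END lines, Base64-decode the rest."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def parse_tlv(der: bytes, offset: int = 0):
    """Decode one DER tag-length-value at offset; returns (tag, value, next_offset).
    Handles both short-form (< 128) and long-form (0x80|n, then n length bytes) lengths."""
    tag, first = der[offset], der[offset + 1]
    if first < 0x80:
        length, pos = first, offset + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(der[offset + 2:offset + 2 + n], "big")
        pos = offset + 2 + n
    if pos + length > len(der):
        raise ValueError("DER length runs past end of data")
    return tag, der[pos:pos + length], pos + length

def sequence_children(der: bytes) -> list:
    """Return the (tag, value) pairs inside a top-level DER SEQUENCE (tag 0x30)."""
    tag, body, _ = parse_tlv(der)
    if tag != 0x30:
        raise ValueError("top-level element is not a SEQUENCE")
    children, off = [], 0
    while off < len(body):
        ctag, cval, off = parse_tlv(body, off)
        children.append((ctag, cval))
    return children

# Constructed sample (not a real certificate): SEQUENCE { INTEGER 2, UTF8String "Example LLC" }
SAMPLE_DER = bytes([0x30, 0x10, 0x02, 0x01, 0x02, 0x0C, 0x0B]) + b"Example LLC"

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER, "CERTIFICATE")
    print(pem)
    print(pem_to_der(pem) == SAMPLE_DER)   # True: PEM is just Base64-wrapped DER
    print(sequence_children(SAMPLE_DER))
```

The same round trip is what openssl x509 -outform der performs on a real certificate; the parser here only walks one level of the ASN.1 structure.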

Certificates and keys management

Private key creation

openssl genrsa -des3 -out <KEY_FILENAME.key> 4096

Where:

  • genrsa generates a standard RSA key (other options: ecparam, dsaparam, …).
  • -des3 protects the key with a passphrase, encrypting it with Triple DES (other options: -aes256, -aria128, …).
  • -out sets the output file.
  • 4096 makes it a 4096-bit key.

Public key creation

openssl rsa -in <PRIVATE_KEY_FILENAME.key> -pubout -out <PUBLIC_KEY_FILENAME.key>

Where:

  • rsa: the key type must be known; in this case it is an RSA key.
  • -in passes in the private key file.
  • -pubout specifies that we want to output the public key.
  • -out says where to save the public key file.

View key content

openssl rsa -noout -text -in <KEY_FILENAME.key>

Where:

  • rsa: the key type must be known; in this case it is an RSA key.
  • -noout tells it not to output the original Base64-encoded value.
  • -text displays it in a readable text format.
  • -in passes in the key file.
  • Add -pubin to view the contents of a public key stored in a key file.

Certificate creation

This step requires a private key (see Private key creation above).

openssl req -new -x509 -days 365 -key <KEY_FILENAME.key> -out <CERTIFICATE_FILENAME.crt>

Where:

  • req creates and processes certificate requests.
  • -new generates a new certificate request.
  • -x509 outputs a self-signed certificate instead of a certificate request.
  • -days <n>, when -x509 is used, specifies the number of days the certificate is valid.
  • -key <KEY_FILENAME.key> specifies the file to read the private key from.

View certificate content

openssl x509 -noout -text -in <CERTIFICATE_FILENAME.crt>

Where:

  • x509: the input format must be known; in this case it is an X.509 certificate.
  • -noout tells it not to output the original Base64-encoded value.
  • -text displays it in a readable text format.
  • -in passes in the certificate file.

Certificate Signing Requests (CSRs)

A CSR is what you submit to a Certificate Authority (CA) to apply for a digital identity certificate. It includes your public key and other identity information.

OpenSSL configuration file

The subject fields, key size and extensions (such as subjectAltName) can be supplied from a configuration file passed with -config instead of being typed at the prompts. The first command creates the key and a self-signed certificate in one step (-nodes leaves the key unencrypted); the second converts the PEM certificate to DER:

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem -config ./certs/openssl.cnf
openssl x509 -outform der -in cert.pem -out certificate.cer

An example of a simple openssl.cnf:

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject  # Section with the subject (DN) fields; req fails without this line

req_extensions      = req_ext  # Extensions to add to a certificate request
x509_extensions     = x509_ext # The extensions to add to the self signed cert
string_mask         = utf8only

[ subject ]
countryName                 = Country Name (2 letter code)
countryName_default         = US
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName                = Locality Name (eg, city)
localityName_default        = New York
organizationName            = Organization Name (eg, company)
organizationName_default    = Example, LLC
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = Example LLC
emailAddress                = Email Address
emailAddress_default        = test@example.com

[ x509_ext ]
subjectAltName = @alt_names

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = jt_xps
URI.1 = urn:freeopcua:client

Tips

  • This is important: back up your certificate and key to external storage.
  • Restrict the key's permissions so that only root can access it: chmod 400 /root/certs/MyKey.key.


This post is licensed under CC BY 4.0 by the author.