Cryptography Certificate - How to self-sign a Certificate (for a test or internal server)

About

When a certificate is used to sign itself, it is called a self signed certificate. All root CA certificates of the certificate chain are self signed.

This article shows you how to create a self-signed SSL CA Certificate.

You can recognize that a certificate is self-signed when the Issuer (the entity that signed the certificate) and Subject (the certificate itself) are identical.

For a web site, this certificate triggers an error in the client browser because the signing certificate authority is not in the browser's truststore: it is unknown and therefore not trusted.

Steps

Create a private key that identifies the user/application

The private key is a secret that identifies a user or application (ie process). In our case, the application is a web server but it may be any entity (ie user, …)

Cryptographic - Private Key

  • Create a passphrase file containing the value thisIsAVeryLongSecretPassPhrase and generate the key with it:
echo thisIsAVeryLongSecretPassPhrase > pass.txt
openssl genrsa -des3 -out server.key.pem -passout file:pass.txt
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
.......................................................................................................++++++
................++++++
e is 65537 (0x10001)

  • See the raw (encrypted) key value:
cat server.key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,26D0ABB3C2436B9F

uV4Z+doL7edIAxz8QjDNwpv40Y2aX0fC8dILxEHkipto8maO4x7uugu0uY/3GUgz
2Tsdj37/wXEkEUqvmggUXrOEhw6k+GKtEXJVU0KHGVwL3zd1l4rbrJSADwlwncR7
qgozUEqg9+a5YsPwIfbjFlebTmX0UcqcmFJFjyPtZEed/SeJv+WedD3aPWa+fYMi
MBSqyncEezjqQ9XMowL4H7F1MAATrqOrF/ImDyvR/wnvfaBF2kTk8BfGQkzccwzq
YMyb6P0hgkZWgjTqMspHQBZYvpnAZx/GSV2wVImGASuIqjxKqCqw3hvpWLcennCZ
MNegQuioQYiQcWaByekkgpPUidq7bNYpzCF9+7A4AZ7iDJXZWCJq3TlQaDdd2tep
R4a8SbQ6YWYLuo9eZc1Z59Yzz+vqkqfrtXoVb5MCi0pksxHQEnNLsl3jIHTJtcrP
pHlB+23xpK7VtSiIM0QX2NPwTr63ZPs0lAgqWQT//VgM6U9QZzS1ZXI9ViDSQbxV
1kQni7d3jjrbuqS9fY3ScWa1zleZIkglNM+OIGz/X9IlS5hIY4mzQC3EL3kaT7ap
Ha5+DujMPxOduh8gSuta8F7CkSNpi2pbG1Kumi6S8zG7erhb9tqQFEK2iBTVqj4s
forAu0q5ZONCVz77V9oabejWRI3ZqlU8H3BEmcvmhvF3mHC3fw9m5y9BVniBZwrQ
AXLKUiCC2Ps8erDkhl+WPv6gXy/BtrC+tUn+ojrQLAjLTs10SDudx5Mo3iqkGF1v
MKE6Kx06p3AuOIlmo5BTEpDvxvJJ5yeSPi4Xr0dKyGbD1YmuB/+hOw==
-----END RSA PRIVATE KEY-----

Suppress passphrase

When the web server starts, it will prompt for the key passphrase if one is set. The commands below remove the prompt by writing an unencrypted copy of the key.

cp server.key.pem server.key_with_pwd.pem
openssl rsa -in server.key_with_pwd.pem -out server.key.pem -passin file:pass.txt
writing RSA key

Generate a CSR (Certificate Signing Request)

With the openssl req command 1), we use the -config option to pass all parameters from a configuration file, so that the process runs without any interactive input.

Note that the DN (distinguished name) defined in the config file is composed of 5 fields:

The config.ini file. Openssl does not accept the ; comments shown below: delete them before running the command, or write them with # (the comment character that openssl understands).

; The configuration options of the generation are specified in the req section of the configuration file. 
[ req ]
default_bits		= 1024
distinguished_name	= req_distinguished_name
attributes		= req_attributes
prompt			= no
output_password	= mypass

[ req_distinguished_name ]
C			= NL
ST			= Noord-holland
L			= Oegstgeest
O			= Bytle
OU			= Nerdy
CN			= Foo
emailAddress   = [email protected]

; Request attributes are extra attributes that will be be sent with the certificate request
[ req_attributes ]
challengePassword		= A challenge password

Create a new request:

openssl req -new -key server.key.pem -out server.csr -passin file:pass.txt -config config.ini
Loading 'screen' into random state - done

The csr file is by default in PEM format (Base64-encoded DER between BEGIN/END lines).

cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Signing the certificate

You use the certificate signing request to issue a signed certificate.

Example with the openssl x509 command 2):

openssl x509 \
    -req `#input is a certificate request, sign and output` \
    -days 365 `#How long till expiry of a signed certificate - def 30 days` \
    -in server.csr \
    -signkey server.key.pem \
    -passin file:pass.txt \
    -out server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=NL/ST=Noord-holland/L=Oegstgeest/O=GerardNico/OU=Nerdy/CN=Nico/[email protected]
Getting Private key

cat server.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

  • See the content of the certificate (issuer and subject are identical, which is how you recognize a self-signed certificate):
openssl x509 -in server.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            9f:97:73:c5:0e:6f:00:08
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=NL, ST=Noord-holland, L=Oegstgeest, O=GerardNico, OU=Nerdy, CN=Nico/[email protected]
        Validity
            Not Before: Feb 12 22:03:53 2018 GMT
            Not After : Feb 12 22:03:53 2019 GMT
        Subject: C=NL, ST=Noord-holland, L=Oegstgeest, O=GerardNico, OU=Nerdy, CN=Nico/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c0:42:e3:1f:ac:4a:d8:cc:f6:fe:0d:0a:ba:3f:
                    dd:28:f1:6c:d3:5d:3e:e0:90:63:fa:d4:de:dc:1b:
                    49:1a:f4:be:22:d1:6b:35:e2:97:7a:b7:cd:b4:b2:
                    be:5d:e9:87:8a:52:05:f1:99:3e:4d:18:be:e6:1e:
                    45:0a:bb:96:75:90:59:31:e8:28:ca:f4:b3:05:c9:
                    64:23:90:4e:a1:c6:77:5c:71:a9:9b:5c:72:67:dc:
                    71:61:7f:6b:3d:b6:e0:a1:50:21:13:da:db:47:94:
                    ad:8e:72:f0:97:40:d2:2e:6a:22:4a:88:46:cc:0c:
                    8d:5d:b6:5c:f8:0b:dc:0e:39
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         40:0f:cc:9d:d6:b4:40:c7:e4:02:0d:44:ea:aa:0a:a6:b7:cb:
         aa:8a:76:4b:b2:d4:82:43:4b:29:80:bc:0b:90:f0:88:87:6f:
         bf:47:0c:52:7a:98:a5:e2:94:1e:7c:9b:19:83:78:c9:95:1b:
         19:b5:d6:63:1c:f4:11:a9:04:b3:b1:10:a5:81:dd:f9:50:c8:
         19:f2:45:f5:21:5c:d0:74:2a:94:6e:83:9e:a6:7d:3b:32:c0:
         cf:b1:77:5c:ca:44:0f:96:c8:b4:43:6e:91:f8:35:31:e6:7a:
         28:35:d8:32:17:89:42:b3:e2:b9:f1:e6:02:54:47:db:b7:ff:
         a7:ab
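As an added example (this is not the article's own command sequence), the whole procedure above (passphrase file, encrypted key, passphrase-less copy, CSR from a config file, self-signing, inspection) in one POSIX shell script. It assumes openssl is on the PATH; the config values, the host name test.internal.example and the section name v3_self_signed are constructed for this example. It goes beyond the article in two ways: the config comments use # (which openssl accepts) and an extension section is passed at signing time with -extfile/-extensions, so the result is an X.509 v3 certificate with a subjectAltName instead of the v1 certificate shown above. The check functions encode what a practitioner verifies afterwards: issuer equals subject, the certificate's public key matches the private key, and the certificate validates when it is itself the trust anchor.

```shell
#!/bin/sh
# Added example, not the original article's code. Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; override with WORK=/path

# 1. Request config written inline. All values are constructed for this example.
write_config() {
  cat > "$WORK/config.cnf" <<'EOF'
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
prompt              = no

[ req_distinguished_name ]
C            = NL
ST           = Noord-holland
L            = Oegstgeest
O            = Example Org
OU           = Nerdy
CN           = test.internal.example

# Hypothetical extension section, applied at signing time (-extfile/-extensions):
# a SAN for host-name matching, and CA:TRUE because this certificate signs itself.
[ v3_self_signed ]
subjectAltName        = DNS:test.internal.example, DNS:localhost
basicConstraints      = critical, CA:TRUE
keyUsage              = critical, digitalSignature, keyCertSign
extendedKeyUsage      = serverAuth
EOF
}

# 2. Private key encrypted with the passphrase file, then a passphrase-less copy
#    (the copy is what a web server loads without prompting; keep it mode 600).
make_key() {
  printf '%s\n' thisIsAVeryLongSecretPassPhrase > "$WORK/pass.txt"
  chmod 600 "$WORK/pass.txt"
  openssl genrsa -aes256 -passout "file:$WORK/pass.txt" \
    -out "$WORK/server.key_with_pwd.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/server.key_with_pwd.pem" -passin "file:$WORK/pass.txt" \
    -out "$WORK/server.key.pem" 2>/dev/null
  chmod 600 "$WORK/server.key.pem"
}

# 3. CSR from the config, then sign the request with its own key for 365 days.
make_cert() {
  openssl req -new -key "$WORK/server.key.pem" -config "$WORK/config.cnf" \
    -out "$WORK/server.csr"
  openssl x509 -req -days 365 -sha256 \
    -in "$WORK/server.csr" -signkey "$WORK/server.key.pem" \
    -extfile "$WORK/config.cnf" -extensions v3_self_signed \
    -out "$WORK/server.crt" 2>/dev/null
}

build_all() { write_config; make_key; make_cert; }

# Checks: each returns 0 on success so the result can be asserted on.
# Self-signed means issuer == subject ("issuer=" / "subject=" prefixes stripped).
is_self_signed() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -issuer | cut -d= -f2-)" = \
    "$(openssl x509 -in "$WORK/server.crt" -noout -subject | cut -d= -f2-)" ]
}
# The public key inside the certificate must be the one derived from the private key.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key.pem" -pubout)" ]
}
# Chain validation succeeds only because the certificate is used as its own trust anchor,
# which is exactly what a browser lacks and why it shows an error.
verifies_against_itself() {
  openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}
# The extension section makes the certificate carry a SAN for the test host.
has_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q 'DNS:test.internal.example'
}
# "Version: 3 (0x2)" with extensions, "Version: 1 (0x0)" without them (as in the article).
cert_version() {
  openssl x509 -in "$WORK/server.crt" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

if [ "${1:-}" = "run" ]; then
  build_all
  is_self_signed && key_matches_cert && verifies_against_itself && has_san \
    && echo "self-signed X.509 v$(cert_version) certificate written to $WORK/server.crt"
fi
```

Run it with sh selfsign.sh run. The SAN matters in practice: browsers match the host name against subjectAltName and ignore the CN, so a v1 certificate like the one in the article is rejected for host-name mismatch even after the user trusts it, whereas this one only triggers the "unknown authority" error until server.crt is imported into the client truststore.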

Tip: One liner

You can also generate the private key and the self-signed root certificate in one command (with -x509 the output file is a certificate, not a request, and -nodes leaves the key unencrypted):

openssl req -x509 -newkey rsa:2048 -nodes -config config.ini -keyout key.pem -out req.pem

More

We used openssl, but you can also use:

  • EasyRsa
  • cfSsl

to sign and issue certificates 3)
