Cryptography Certificate - How to self-sign a Certificate (for a test or internal server)

About

When a certificate is used to sign itself, it is called a self-signed certificate. All root CA certificates at the top of a certificate chain are self-signed.

This article shows you how to create a self-signed SSL Certificate.

For a web site, this certificate will generate an error in the client browser because the signing certificate authority is not in the browser's truststore: the issuer is unknown and therefore not trusted.

Steps

Create a private key

See Cryptographic - Private Key

  • Create a passphrase file containing the value thisIsAVeryLongSecretPassPhrase
echo thisIsAVeryLongSecretPassPhrase > pass.txt
openssl genrsa -des3 -out server.key.pem -passout file:pass.txt 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......................................................................................................++++++
................++++++
e is 65537 (0x10001)
  • See the raw key value
cat server.key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,26D0ABB3C2436B9F
-----END RSA PRIVATE KEY-----

Suppress passphrase

When a server is started, it may ask for the key passphrase if one is defined. The statements below remove it; the resulting server.key.pem is then stored unencrypted, so restrict its file permissions to the server user.

cp server.key.pem server.key_with_pwd.pem
openssl rsa -in server.key_with_pwd.pem -out server.key.pem -passin file:pass.txt
writing RSA key

Generate a CSR (Certificate Signing Request)

To drive the request from a configuration file, see the -config filename option.

  • We use the configuration file option to pass all parameters so that the process runs without interactive input. Note: openssl treats only lines starting with # as comments, so the ;-style comments of a classic ini file must be removed (or written with #, as below) before the file is used.
# The configuration options of the generation are specified in the req section of the configuration file.
[ req ]
default_bits		= 1024
distinguished_name	= req_distinguished_name
attributes		= req_attributes
prompt			= no
output_password	= mypass

[ req_distinguished_name ]
C			= NL
ST			= Noord-holland
L			= Oegstgeest
O			= GerardNico
OU			= Nerdy
CN			= Nico
emailAddress		= [email protected]

# Request attributes are extra attributes that will be sent with the certificate request
[ req_attributes ]
challengePassword		= A challenge password
openssl req -new -key server.key.pem -out server.csr -passin file:pass.txt -config config.ini
Loading 'screen' into random state - done
  • The CSR file is by default in PEM format (Base64-encoded DER between BEGIN/END markers).
cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Signing the certificate

openssl x509 \
    -req `#input is a certificate request, sign and output` \
    -days 365 `#How long until expiry of the signed certificate - default 30 days` \
    -in server.csr \
    -signkey server.key.pem \
    -passin file:pass.txt \
    -out server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=NL/ST=Noord-holland/L=Oegstgeest/O=GerardNico/OU=Nerdy/CN=Nico/[email protected]
Getting Private key
cat server.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
  • Inspect the resulting certificate. Note that it is an X.509 version 1 certificate without extensions, so it carries no subjectAltName; modern browsers require a subjectAltName matching the host name, so for a web site they will reject it even once its issuer is trusted.
openssl x509 -in server.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            9f:97:73:c5:0e:6f:00:08
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=NL, ST=Noord-holland, L=Oegstgeest, O=GerardNico, OU=Nerdy, CN=Nico/[email protected]
        Validity
            Not Before: Feb 12 22:03:53 2018 GMT
            Not After : Feb 12 22:03:53 2019 GMT
        Subject: C=NL, ST=Noord-holland, L=Oegstgeest, O=GerardNico, OU=Nerdy, CN=Nico/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c0:42:e3:1f:ac:4a:d8:cc:f6:fe:0d:0a:ba:3f:
                    dd:28:f1:6c:d3:5d:3e:e0:90:63:fa:d4:de:dc:1b:
                    49:1a:f4:be:22:d1:6b:35:e2:97:7a:b7:cd:b4:b2:
                    be:5d:e9:87:8a:52:05:f1:99:3e:4d:18:be:e6:1e:
                    45:0a:bb:96:75:90:59:31:e8:28:ca:f4:b3:05:c9:
                    64:23:90:4e:a1:c6:77:5c:71:a9:9b:5c:72:67:dc:
                    71:61:7f:6b:3d:b6:e0:a1:50:21:13:da:db:47:94:
                    ad:8e:72:f0:97:40:d2:2e:6a:22:4a:88:46:cc:0c:
                    8d:5d:b6:5c:f8:0b:dc:0e:39
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         40:0f:cc:9d:d6:b4:40:c7:e4:02:0d:44:ea:aa:0a:a6:b7:cb:
         aa:8a:76:4b:b2:d4:82:43:4b:29:80:bc:0b:90:f0:88:87:6f:
         bf:47:0c:52:7a:98:a5:e2:94:1e:7c:9b:19:83:78:c9:95:1b:
         19:b5:d6:63:1c:f4:11:a9:04:b3:b1:10:a5:81:dd:f9:50:c8:
         19:f2:45:f5:21:5c:d0:74:2a:94:6e:83:9e:a6:7d:3b:32:c0:
         cf:b1:77:5c:ca:44:0f:96:c8:b4:43:6e:91:f8:35:31:e6:7a:
         28:35:d8:32:17:89:42:b3:e2:b9:f1:e6:02:54:47:db:b7:ff:
         a7:ab
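The whole procedure above, as an added example that is not from the original article: a POSIX shell script that runs the key, CSR and signing steps non-interactively and then checks that the result really is self-signed (issuer equals subject), matches the private key and verifies against itself. It assumes the openssl CLI is on PATH; make_selfsigned, check_selfsigned, the config.ini layout and the host name are names chosen here, and it goes beyond the article by using a 2048-bit key and adding a subjectAltName extension, which browsers require for host name matching.

```shell
# Added example (not from the original article): the article's key -> CSR
# -> self-signed certificate flow run non-interactively, plus the checks a
# self-signed test-server certificate should pass. Needs the openssl CLI.
set -eu

# Create key, CSR and cert in directory $1 for host name $2. Beyond the
# article: 2048-bit key and a subjectAltName, which browsers require.
make_selfsigned() {
  dir=$1; host=$2
  mkdir -p "$dir"
  cat > "$dir/config.ini" <<EOF
# openssl accepts only '#' comments, not ';' ini-style ones
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
prompt             = no
req_extensions     = v3_req
[ req_distinguished_name ]
C  = NL
O  = Test server
CN = $host
[ v3_req ]
subjectAltName = DNS:$host
EOF
  # Unencrypted key (no passphrase prompt at server start); protect it
  # with file permissions instead.
  openssl genrsa -out "$dir/server.key.pem" 2048 2>/dev/null
  chmod 600 "$dir/server.key.pem"
  openssl req -new -key "$dir/server.key.pem" -config "$dir/config.ini" \
      -out "$dir/server.csr"
  # x509 -req drops the CSR's extensions; -extfile/-extensions re-add the SAN
  openssl x509 -req -days 365 -in "$dir/server.csr" \
      -signkey "$dir/server.key.pem" \
      -extfile "$dir/config.ini" -extensions v3_req -out "$dir/server.crt" 2>/dev/null
}

# Succeed only if the cert is self-signed (issuer = subject), names $2 in its
# SAN, matches the private key, and verifies against itself as the CA.
check_selfsigned() {
  dir=$1; host=$2; crt="$dir/server.crt"
  issuer=$(openssl x509 -in "$crt" -noout -issuer)
  subject=$(openssl x509 -in "$crt" -noout -subject)
  [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
  openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" || return 1
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/server.key.pem" -pubout)" ] || return 1
  openssl verify -CAfile "$crt" "$crt" >/dev/null
}
```

Run it as `make_selfsigned ./out test.example && check_selfsigned ./out test.example`; the final `openssl verify` only succeeds because the certificate itself is passed as the CA file, which is exactly what a client must do to trust a self-signed certificate.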
