Creating Self-Signed Certificates Open SSL
This document explains creating self-signed ssl certificate using Open SSL. This tutorial uses binary version of Open SSL (for windows platform) for creating and signing certificates.
1 Open SSL Setup
- Get Open SSL binary version from here and install it.
- Update System’s Path with <Open_SSL_Install_Home>/bin/.
- Create following directory structures
myCA
- Certs
- Private
- Newcerts
- crl
- Create following two files under "myCA" directory
- index.txt
- serial
- Edit "serial" file and put '01' at first line. link
- Copy “openssl.cnf” from <OPEN_SSL_INSTALL_HOME>/share under “myCA”
- Update fields in openssl.cnf as per following example
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = . ## Chenaged ##
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/myca.crt ## Chenaged ##
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/myca.key ## Chenaged ##
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################In above portion of openssl.cnf file, all updated fields are commented with ## Changed ##
2 Creating Certificate Authority
Navigate to “myCA” folder and execute the command
openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825
It asks to enter PEM pass phrase and verify it, then It will except following inputs
a) Country Name (2 letter code) [AU]:
b) State or Province Name (full name) [Some-State]:
c) Locality Name (eg, city) []:
d) Organization Name (eg, company) [Internet Widgits Pty Ltd]:
e) Organizational Unit Name (eg, section) []:
f) Common Name (eg, YOUR name) []:
g) Email Address []:
Enter all appropriate information one by one and it will create following two files for you
a) certs/myca.crt
b) private/myca.key
Here is the sample log
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..++++++
..........++++++
writing new private key to 'private/myca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Andhra Pradesh
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Certificate Authority
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:my.ca.com
Email Address []:admin@my.ca.com
3 Creating Server certificate request
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..++++++
..........++++++
writing new private key to 'private/myca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Andhra Pradesh
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Certificate Authority
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:my.ca.com
Email Address []:admin@my.ca.com
Execute following command to create certificate request
openssl req -config openssl.my.cnf -new -nodes -keyout private/server.key -out server.csr -days 365
This except following inputs from user
- Country Name (2 letter code) [AU]:
- State or Province Name (full name) [Some-State]:
- Locality Name (eg, city) []:
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:
- Organizational Unit Name (eg, section) []:
- Common Name (eg, YOUR name) []:
- Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
8. A challenge password []:
9. An optional company name []:
This command create “server.csr” file under same directory.
Here is the sample log
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
......................++++++
....................++++++
writing new private key to 'private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Andhra Pradesh
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Web Server
Organizational Unit Name (eg, section) []:Web Server
Common Name (eg, YOUR name) []:nbhydydevatra
Email Address []:admin@nbhydydevatra.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4 Signing server certificate request with Certificate Authority
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
......................++++++
....................++++++
writing new private key to 'private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Andhra Pradesh
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Web Server
Organizational Unit Name (eg, section) []:Web Server
Common Name (eg, YOUR name) []:nbhydydevatra
Email Address []:admin@nbhydydevatra.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The server certificate request created in previous step needs to signed by Certificate Authority created in step 3.
To get it signed execute following command
openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
It will ask to enter pass Phrase CA key, it is the same key we have entered in step 4
This command creates “server.cert” file under “certs” directory. This is the signed certificate for the web server (for given domain).
Here is the sample log
Using configuration from openssl.my.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./private/myca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 1 16:09:52 2011 GMT
Not After : Feb 1 16:09:52 2012 GMT
Subject:
countryName = IN
stateOrProvinceName = Andhra Pradesh
localityName = Hyderabad
organizationName = My Web Server
organizationalUnitName = Web Server
commonName = nbhydydevatra
emailAddress = admin@nbhydydevatra.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
86:3E:1C:19:53:5D:FF:00:B1:F7:9A:5B:F8:37:39:28:D8:5C:0A:C3
X509v3 Authority Key Identifier:
keyid:E8:27:1F:25:F5:B0:09:41:A5:B5:C6:93:63:60:D9:14:D0:50:F0:CF
DirName:/C=IN/ST=Andhra Pradesh/L=Hyderabad/O=My Certificate Authority/OU=Certificate Authority/CN=my.ca.com/emailAddress=admin@my.ca.com
serial:CC:B2:24:C3:B5:2C:43:2F
Certificate is to be certified until Feb 1 16:09:52 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Now you have all certificate are available under “certs” and keys are available “private” directory.
your topic is very helpful . I’ll bookmark your site to read again
ReplyDeleteWelcome.
ReplyDeleteI am planning to post part 2 of this post about testing.....