How to create self-signed certificates

When we create a Web Server that should run over HTTPS we need a server certificate. If the Web Server will be exposed to the internet we should get a certificate signed by a well-known authority, but if we are coding a Web Server for internal or private use we can create our own Server Certificate and sign it ourselves.

Every certificate has to be signed by another certificate. This second certificate has to belong to a Certificate Authority (CA) that all the clients receiving the first certificate trust. (A root CA Certificate is the one exception: it signs itself, which is why clients must be told explicitly to trust it.)

But as I said before, if the clients that will use our Web Server are also our own clients, we can tell those clients to trust any CA Certificate we want.
So we can create our own CA Certificate and later use it to sign any Server Certificate we want to use in a Web Server.

We are going to use openssl for creating the certificates.

CA Certificate

The first step is to create our own CA Certificate. To do that we should run the following commands in a terminal.

  • For generating the Private Key for the CA Certificate. (-des3 encrypts the key file with 3DES, a legacy cipher; on a current openssl, -aes256 is the better choice and takes the same passphrase prompt.)
> openssl genrsa -des3 -out myOwnCA.key 2048

Passphrase: Whatever you want. For example ‘myca’.

  • For generating the CA Certificate (the file that carries the CA public key, and the one we later use to sign the Server Certificate). Note that -nodes only matters when req generates a new key; here the key already exists and stays encrypted.
> openssl req -x509 -new -nodes -key myOwnCA.key -sha256 -days 1024 -out myOwnCA.pem

Passphrase: What you put in the previous step.

When we create a certificate openssl asks us for some information. We should complete at least the Common Name. The rest of the fields can be left blank by entering a dot ‘.’ (pressing Enter instead accepts the default shown in brackets).

I usually complete three fields; for the sake of the example we can set:
1) Country Name as ‘US’
2) Organization Name as ‘My Organization’
3) Common Name with ‘MyOwnCA’

Server Certificate

Once we created the CA Certificate we have to proceed to create the Server Certificate. To do that we should run the following commands in a terminal.

  • For generating a Private Key for the Server Certificate. This step is similar to what we did for the CA Certificate.
> openssl genrsa -des3 -out server.key 2048

Passphrase: Whatever you want. For example: ‘server’.

  • For generating a Certificate Signing Request (CSR) with the Server Private Key. At this point we don’t create the Server Certificate itself, only a request for one. This request is what we would send to a commercial Certificate Authority if we paid to have it signed.
> openssl req -new -key server.key -out server.csr

Passphrase: What you put in the previous step.

Here again openssl asks us for some information. The most important field is ‘Common Name’: enter the host name or IP address that clients will use to reach the server, for example ‘localhost’. Be aware that modern browsers (Chrome since version 58, and Firefox) ignore the Common Name when matching the host and require the name to appear in a subjectAltName extension; a certificate that carries the name only in the Common Name is rejected with a name-mismatch error even when the CA is trusted, so the extension has to be added when the request is signed. Remember that we can complete the rest of the fields or just enter a dot to leave them blank.

Once we have the Certificate Signing Request (server.csr) we sign it with the CA Certificate and the CA Private Key in order to obtain the Server Certificate signed by our own CA. -CAcreateserial creates the serial-number file (myOwnCA.srl) next to the CA Certificate on first use and reuses it afterwards.

> openssl x509 -req -in server.csr -CA myOwnCA.pem -CAkey myOwnCA.key -CAcreateserial -out server.crt -days 500 -sha256

Passphrase: CA Certificate passphrase. Following the example it should be: ‘myca’.

Finally, we create the PKCS12 file that holds the Server Private Key together with the Server Certificate. To do that we should run the following commands in a terminal:

  • For joining the Server Private Key and the Server Certificate in the same file.
> cat server.key > server.pem
> cat server.crt >> server.pem
  • For creating the PKCS12 file.
> openssl pkcs12 -export -in server.pem -out server.pkcs12

Passphrase: Server passphrase. In our example: ‘server’.
Export Passphrase: Whatever you want. For example: ‘Server’ again.
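The whole procedure above, from the CA Private Key to the PKCS12 file, as one non-interactive script. This is an added example, not code from the original post: it passes the prompt answers on the command line (-subj, -passin, -passout), swaps the post's -des3 for -aes256, adds the subjectAltName extension that browsers require, builds the PKCS12 bundle directly from server.key and server.crt, and finishes with the chain and host-name checks a TLS client performs. The output directory ($WORK), the host name "localhost", the passphrases "myca" and "server", and the handling of an IP address instead of a host name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the post's procedure run
# non-interactively, with a subjectAltName extension and client-side checks.
# Assumptions: output directory $WORK, host "localhost", passphrases
# "myca"/"server", AES-256 key encryption instead of the post's -des3.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"     # where every file is written (assumption)
CA_PASS="${CA_PASS:-myca}"       # CA Private Key passphrase, as in the post
SRV_PASS="${SRV_PASS:-server}"   # Server Private Key passphrase, as in the post
HOST="${HOST:-localhost}"        # name or IP clients will use to reach the server

make_ca() {
  mkdir -p "$WORK"
  # 1. CA Private Key (-passout replaces the passphrase prompt)
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/myOwnCA.key" 2048
  # 2. Self-signed CA Certificate; -subj supplies the fields req would ask for
  openssl req -x509 -new -key "$WORK/myOwnCA.key" -passin "pass:$CA_PASS" \
    -sha256 -days 1024 -subj "/C=US/O=My Organization/CN=MyOwnCA" \
    -out "$WORK/myOwnCA.pem"
}

# subjectAltName entry for $HOST: DNS: for a name, IP: for a dotted-quad address
san_entry() {
  case "$HOST" in
    *[!0-9.]*) printf 'DNS:%s' "$HOST" ;;
    *)         printf 'IP:%s'  "$HOST" ;;
  esac
}

make_server() {
  # 3. Server Private Key
  openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out "$WORK/server.key" 2048
  # 4. Certificate Signing Request with the host name as Common Name
  openssl req -new -key "$WORK/server.key" -passin "pass:$SRV_PASS" \
    -subj "/C=US/O=My Organization/CN=$HOST" -out "$WORK/server.csr"
  # Extensions for the signed certificate: browsers match the host against the
  # SAN, and a leaf should be marked not-a-CA and as a TLS server certificate.
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$(san_entry)" > "$WORK/server.ext"
  # 5. Sign the CSR with the CA Certificate and CA Private Key
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/myOwnCA.pem" \
    -CAkey "$WORK/myOwnCA.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$WORK/server.ext" -days 500 -sha256 -out "$WORK/server.crt"
  # 6. PKCS#12 bundle straight from key + certificate (no need to cat them);
  #    -certfile adds the CA Certificate so the server can send the full chain
  openssl pkcs12 -export -inkey "$WORK/server.key" -passin "pass:$SRV_PASS" \
    -in "$WORK/server.crt" -certfile "$WORK/myOwnCA.pem" \
    -passout "pass:$SRV_PASS" -out "$WORK/server.pkcs12"
}

# Chain check: server.crt must validate against myOwnCA.pem
verify_chain() {
  openssl verify -CAfile "$WORK/myOwnCA.pem" "$WORK/server.crt" >/dev/null
}

# Name check, the same one a TLS client does: the certificate must cover $HOST
verify_name() {
  case "$HOST" in
    *[!0-9.]*) openssl verify -CAfile "$WORK/myOwnCA.pem" -verify_hostname "$HOST" "$WORK/server.crt" >/dev/null ;;
    *)         openssl verify -CAfile "$WORK/myOwnCA.pem" -verify_ip "$HOST" "$WORK/server.crt" >/dev/null ;;
  esac
}

# SAN presence check: the name must be in the extension, not only in the CN
# (the text dump prints IP entries as "IP Address:", hence the sed)
san_present() {
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | grep -qF "$(san_entry | sed 's/^IP:/IP Address:/')"
}

main() {
  make_ca
  make_server
  verify_chain
  verify_name
  san_present
  echo "OK: certificates written to $WORK"
}

main
```

Run it as `HOST=www.example.internal WORK=./pki sh mkcerts.sh` (script name assumed) to get the files under ./pki; the CA Private Key it produces should then be moved off the machine that runs the Web Server, since whoever holds it can sign a certificate for any name that every client trusting myOwnCA.pem will accept.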

Final comments:

At this point, we configure the Web Server to use server.pkcs12 as its certificate and add myOwnCA.pem as a trusted CA Certificate in the client we use, for example a Web Browser. Keep myOwnCA.key out of reach: anyone holding it can sign a certificate for any host name, and every client that imported myOwnCA.pem will accept it.

Reference (List of commands):

1. openssl genrsa -des3 -out myOwnCA.key 2048
2. openssl req -x509 -new -nodes -key myOwnCA.key -sha256 -days 1024 -out myOwnCA.pem
3. openssl genrsa -des3 -out server.key 2048
4. openssl req -new -key server.key -out server.csr
5. openssl x509 -req -in server.csr -CA myOwnCA.pem -CAkey myOwnCA.key -CAcreateserial -out server.crt -days 500 -sha256
6. cat server.key > server.pem
7. cat server.crt >> server.pem
8. openssl pkcs12 -export -in server.pem -out server.pkcs12
