Home » Wiki » How to Create Self-Signed Certificates and Keys with OpenSSL

How to Create Self-Signed Certificates and Keys with OpenSSL

by | Self-Signed

Create Self-Signed Certificates and Keys with OpenSSL

Step-by-Step Guide Create Self-Signed Certificates and Keys with OpenSSL

Cryptography and digital certificates play a vital role in securing communications over computer networks and the internet. Certificates utilize public-key cryptography to verify identity and enable encrypted connections between a client and server.

While most public-facing sites need commercial certificates from a trusted certificate authority (CA) like Let’s Encrypt or DigiCert, self-signed certificates can be useful for internal systems, testing environments, and personal projects.

This guide will walk through the process of creating self-signed certificates and keys using the open-source OpenSSL toolkit.

How Public-Key Cryptography and Certificates Work

To understand self-signed certificates, we first need to explore how public-key cryptography and digital certificates function.

Public-key cryptography utilizes key pairs – a public key and a private key. Data encrypted with the public key can only be decrypted with the matching private key, and vice versa. This allows secure communication between parties without exchanging private keys.

Certificates use public-key cryptography to associate an identity with a public key. A certificate includes information like:

  • Public key
  • Identity of the certificate holder
  • Issue and expiry dates
  • Name of the issuing certificate authority
  • Digital signature of the issuing authority

This ties an identity to a public key. For example, Amazon’s certificate allows you to verify that you are connecting to Amazon.com’s server by checking the certificate signature.

To generate a certificate, the applicant first creates a private or public key pair. They keep the private key secret.

The applicant then creates a certificate signing request (CSR) containing the public key and identity information. This is sent to a certificate authority (CA).

The CA verifies the applicant’s identity and issues the certificate by cryptographically signing the CSR with the CA’s private key. This validates that the CA issued the certificate.

The applicant can then install this certificate on their systems. Clients can verify the issuer signature to confirm the certificate authenticity and use the public key to communicate securely.

Now let’s see how to generate our own self-signed certificates for internal use.

Generating the CA’s Certificate and Keys

1. Create a Private Key for the Certificate Authority

$ openssl genrsa 2048 > ca-key.pem

2. Create the X509 certificate for the CA

openssl req -new -x509 -nodes -days 365000 \
-key ca-key.pem \
-out ca-cert.pem

Generating the Server’s Certificate and Keys

1. Create the private key and certificate request

openssl req -newkey rsa:2048 -nodes -days 365000 \
-keyout server-key.pem \
-out server-req.pem

2. Create the X509 certificate for the server

openssl x509 -req -days 365000 -set_serial 01 \
-in server-req.pem \
-out server-cert.pem \
-CA ca-cert.pem \
-CAkey ca-key.pem

Generating the Client’s Certificate and Keys

1. Create the private key and certificate request

openssl req -newkey rsa:2048 -nodes -days 365000 \
-keyout client-key.pem \
-out client-req.pem

2. Create the X509 certificate for the client

openssl x509 -req -days 365000 -set_serial 01 \
-in client-req.pem \
-out client-cert.pem \
-CA ca-cert.pem \
-CAkey ca-key.pem

Verifying the Certificates

1. Verify the server certificate

openssl verify -CAfile ca-cert.pem \
ca-cert.pem \
server-cert.pem

2. Verify the client certificate

openssl verify -CAfile ca-cert.pem \
ca-cert.pem \
client-cert.pem

Generating a Private Key and CSR with OpenSSL

We’ll use the open-source OpenSSL toolkit to generate private keys and certificate signing requests on Linux, macOS, or Windows Subsystem for Linux (WSL).

OpenSSL contains the openssl command line tool for creating and managing keys, certificates, and other cryptographic assets.

First, we need to generate a private key. This will create a 2048-bit RSA private key:

openssl genrsa -out private.key 2048

This generates a new private.key file that contains the RSA private key in PEM format (ASCII encoding).

Next, we generate a certificate signing request (CSR) based on this private key:

openssl req -new -key private.key -out cert.csr

This will prompt you for information like country, state, company name, etc. This identity information will go in the certificate. Provide the details for your organization and servers.

The CSR file cert.csr now contains your public key and identity details. In a normal certificate workflow, you would send this CSR to a certificate authority like Let’s Encrypt to sign.

But since we are making a self-signed certificate, we will sign the CSR with our own private key to generate the certificate.

Generating a Self-Signed Certificate

To create a self-signed certificate from your CSR, use the x509 sub-command with the -signkey option to sign the CSR with your private key:

openssl x509 -req -days 365 -in cert.csr -signkey private.key -out cert.crt

This signs the CSR and generates a PEM-formatted self-signed certificate called cert.crt that is valid for 365 days.

Our cert.crt is now a valid certificate containing the public key and identity details from the CSR. Clients can verify the certificate signature against your public key to validate it.

Installing Self-Signed Certificates

To use your self-signed certificate, it needs to be installed on the server where it will be used. The process varies by platform:

Linux

Place the certificate file at /etc/ssl/certs/cert.crt. Update permissions using chmod:

sudo cp cert.crt /etc/ssl/certs/
sudo chmod 644 /etc/ssl/certs/cert.crt

The certificate is now trusted and available to server processes like Apache and Nginx.

Windows

Double-click the .crt file and click “Install Certificate”. Choose “Local Machine” and place it in the “Trusted Root Certification Authorities” store.

macOS

Double-click the .crt to open Keychain Access. Click “Add” to add the certificate to the System keychain and trust it.

Clients

For clients like web browsers, you’ll need to manually install the self-signed certificate as a trusted root certificate. The process varies by browser and OS.

Once installed to the trust store on the server and clients, the self-signed certificate can be used to enable HTTPS and other cryptography like client certificate authentication.

Exploring Certificates with OpenSSL

OpenSSL provides commands for examining certificates and debugging issues.

To view a certificate in text form:

openssl x509 -in cert.crt -text –noout
This displays all the certificate contents including the public key, issuer, validity period, signature, etc.

To check a certificate against a private key to validate they match:

openssl rsa -noout -modulus -in private.key | openssl md5
openssl x509 -noout -modulus -in cert.crt | openssl md5

This shows the MD5 hash of the modulus (public key). If the hashes match, the certificate contains the public key for that private key.

You can also check the signature is valid:

openssl verify -CAfile cert.crt cert.crt

This verifies cert.crt against itself since it is self-signed.

For debugging connections, the s_client tool can connect to a server and print certificate details:

openssl s_client -connect localhost:443 –showcerts

Overall, OpenSSL provides many options for generating keys and certificates and diagnosing issues. The Most Common OpenSSL Commands has further examples.

Revoking and Reissuing Certificates

Self-signed certificates can be useful for internal systems, but there are some downsides:

  • Self-signed certificates do not verify identity, only that you signed the certificate with your private key.
  • The signature is not trusted by default – you need to manually install the certificate.
  • Features like CRLs and OCSP for revoking compromised certificates do not work.
  • Certificates need to be manually reissued before expiry.

For public-facing sites, it is recommended to use commercial certificates from trusted CAs like Let’s Encrypt. These provide automatic issuance, renewal, revocation, and wide trust with all clients.

Let’s Encrypt offers free trusted certificates and integrates with many platforms. See the Let’s Encrypt documentation to get started.

Summary on Create Self-Signed Certificates and Keys with OpenSSL

In conclusion, OpenSSL is a powerful tool for creating self-signed certificates and keys. It allows you to generate SSL/TLS certificates for secure communication, encryption, and authentication purposes. While self-signed certificates are not recommended for public-facing websites due to trust issues, they are useful for testing, development, and internal network environments.

By following the steps outlined, you can create a self-signed root CA, intermediate CAs, and end-entity certificates, enabling you to establish a secure chain of trust. OpenSSL’s command-line interface may seem daunting at first, but with practice, you can leverage its capabilities to meet your security and encryption requirements.