Wednesday, 8 February 2023

Create a self-signed certificate using OpenSSL

In this post, I am going to explain how to create a self-signed certificate using OpenSSL.

 

1. Create a private key

Open a terminal and execute the command below.

openssl genrsa -des3 -out myDomain.key 2048

Remove the -des3 option from the command if you do not want the private key to be encrypted with a passphrase.

 

$openssl genrsa -des3 -out myDomain.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
.............................+++
e is 65537 (0x10001)
Enter pass phrase for myDomain.key:
Verifying - Enter pass phrase for myDomain.key:

 

I set the passphrase as ‘password123’. Upon successful execution of the command, you will see a file ‘myDomain.key’.

$ls
myDomain.key

 

You can view the content of myDomain.key with the cat command.

$cat myDomain.key 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9F0FF2109392340E
-----END RSA PRIVATE KEY-----

 

2. Create a certificate signing request

Open a terminal and execute the command below.

openssl req -key myDomain.key -new -out myDomain.csr

The .csr file carries the public key and the subject details (the Distinguished Name entered below) that go into the certificate; it is the input to the signing step.

 

$openssl req -key myDomain.key -new -out myDomain.csr
Enter pass phrase for myDomain.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) []:abcCorp
Organizational Unit Name (eg, section) []:hr
Common Name (eg, fully qualified host name) []:sample-app.com
Email Address []:demo@demo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password456

 

Now we have two files.

$ls
myDomain.csr	myDomain.key

 

I set the challenge password for the .csr file as password456.

 

3. Create a self-signed certificate

 

Open a terminal and execute the command below.

openssl x509 -signkey myDomain.key -in myDomain.csr -req -days 365 -out myDomain.crt

$openssl x509 -signkey myDomain.key -in myDomain.csr -req -days 365 -out myDomain.crt
Signature ok
subject=/C=IN/ST=Karnataka/L=Bangalore/O=abcCorp/OU=hr/CN=sample-app.com/emailAddress=demo@demo.com
Getting Private key
Enter pass phrase for myDomain.key:

 

Upon successful execution of the command, you will see a .crt file.

$ls
myDomain.crt	myDomain.csr	myDomain.key

 

4. View the certificate

Open a terminal and execute the command below.

openssl x509 -text -noout -in myDomain.crt

$openssl x509 -text -noout -in myDomain.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 18372991616756040757 (0xfef9fa87f9f94435)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=Karnataka, L=Bangalore, O=abcCorp, OU=hr, CN=sample-app.com/emailAddress=demo@demo.com
        Validity
            Not Before: Feb  8 04:56:36 2023 GMT
            Not After : Feb  8 04:56:36 2024 GMT
        Subject: C=IN, ST=Karnataka, L=Bangalore, O=abcCorp, OU=hr, CN=sample-app.com/emailAddress=demo@demo.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:be:0c:3d:78:01:1f:28:0b:5c:fc:26:3d:84:52:
                    de:cd:35:34:c7:55:ac:bc:57:ce:00:79:0c:63:a9:
                    fe:52:50:b0:cd:a3:8d:bc:4f:c8:77:35:a4:0d:c0:
                    e7:e9:bd:59:4f:cc:f6:e5:9f:9c:a2:b7:f4:82:49:
                    ce:59:1d:76:f6:8a:37:5e:77:17:03:78:18:10:9f:
                    d8:e3:5e:da:06:64:0c:f3:8e:3d:2c:df:a8:0c:57:
                    0f:21:58:94:4b:9c:db:ac:0b:4b:df:a7:b5:11:09:
                    ce:2a:bc:65:83:dd:ea:e4:b6:6e:21:87:c2:17:0e:
                    08:20:a4:ea:c7:35:70:1d:1b:53:6d:7d:4b:2a:ee:
                    ee:18:b3:a6:54:7d:55:89:d1:07:78:3c:f2:99:0e:
                    91:b0:a5:f1:66:d3:b9:b9:3f:11:09:ec:36:88:31:
                    7c:09:6b:3b:5d:57:fb:9b:f8:36:3e:47:9a:b3:62:
                    5b:4c:49:f3:68:19:c8:dd:2f:ec:d6:a2:e0:a1:eb:
                    9a:cd:24:2f:a2:61:9b:a1:f5:ca:7f:ad:bf:8d:d7:
                    a2:e7:f8:7f:26:76:de:59:f4:7f:ec:5f:fd:34:21:
                    fb:6f:0a:d1:8d:cb:10:8a:e3:6b:7e:88:5d:03:2a:
                    21:53:e2:dc:41:f3:83:40:fc:7b:e4:36:d4:42:b4:
                    9a:6d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         0e:f3:a6:f8:60:ea:0c:66:89:e1:05:c2:a3:92:a5:da:14:b6:
         3d:5b:fd:4a:e6:3a:ae:d5:8a:89:7f:3c:56:6b:48:7e:04:59:
         01:e6:20:e6:46:4e:5f:90:41:fc:2f:89:90:63:80:90:b3:8b:
         34:4a:1b:ee:02:40:1b:e9:29:36:4e:03:50:ba:85:87:71:92:
         19:15:7d:d6:76:7c:00:09:6a:1c:fe:16:e7:b1:cd:04:7b:14:
         ec:4f:7f:be:51:8b:18:a8:b1:cf:3b:fe:6f:75:39:5a:6e:fc:
         ab:09:b5:48:92:e3:87:04:c0:67:e0:cf:b2:d4:b2:1e:af:51:
         81:d0:9c:82:06:0a:ed:a5:d1:bc:ae:50:15:3a:e0:a9:d7:d6:
         fa:6e:0c:ac:26:43:62:08:9f:36:c0:35:0d:02:14:83:5c:b6:
         07:33:93:ad:c5:69:a7:72:3d:b5:33:51:eb:b1:cb:77:ea:c4:
         c8:1e:20:1f:76:42:a5:b9:df:ac:86:45:50:0e:1a:a6:74:69:
         18:0b:a2:e6:26:e3:77:a0:2e:74:0c:9d:06:9c:1c:d5:f1:57:
         07:dc:fe:54:1f:a0:64:71:d6:df:6d:e3:af:87:bb:82:9a:20:
         da:a7:3d:88:28:fe:6c:b9:5c:e0:09:67:ef:7c:77:e1:47:8d:
         84:f4:6d:81
$

 

5. Convert the .crt file to .der

The certificate generated in step 3 is PEM encoded: the DER bytes, base64 encoded, between the BEGIN and END lines. Open a terminal and execute the command below to get the certificate in binary DER form.

 

openssl x509 -in myDomain.crt -outform der -out myDomain.der

$openssl x509 -in myDomain.crt -outform der -out myDomain.der
$
$ls
myDomain.crt	myDomain.csr	myDomain.der	myDomain.key

6. Bundle the key and the .crt file into a PKCS#12 (.pfx) file

Open a terminal and execute the command below. The export password protects the bundle, which contains the private key as well as the certificate.

openssl pkcs12 -inkey myDomain.key -in myDomain.crt -export -out myDomain.pfx

$openssl pkcs12 -inkey myDomain.key -in myDomain.crt -export -out myDomain.pfx
Enter pass phrase for myDomain.key:
Enter Export Password:
Verifying - Enter Export Password:
$
$ls
myDomain.crt	myDomain.csr	myDomain.der	myDomain.key	myDomain.pfx

Generate the private key and self-signed certificate with one command

Open a terminal and execute the command below.

openssl req -newkey rsa:2048 -keyout myDomain2.key -x509 -days 365 -out myDomain2.crt

$openssl req -newkey rsa:2048 -keyout myDomain2.key -x509 -days 365 -out myDomain2.crt
Generating a 2048 bit RSA private key
....................+++
.................+++
writing new private key to 'myDomain2.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) []:Bangaore
Organization Name (eg, company) []:hr
Organizational Unit Name (eg, section) []:hr
Common Name (eg, fully qualified host name) []:demo@demo.com
Email Address []:demo@demo.com
$
$
$
$
$ls myDomain2*
myDomain2.crt   myDomain2.key
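Every command above is typed interactively and answers prompts by hand. As an added example, not code from the original post, the script below runs the same sequence (steps 1 to 6 and the closing one-command variant) as a POSIX shell script without prompts and then checks its own output. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext); the host name sample-app.example, the temporary output directory and the passphrases are constructed demo values. It deliberately changes three defaults visible in the output above: the key is encrypted with AES-256 instead of 3DES, the certificate is signed with SHA-256 instead of sha1WithRSAEncryption, and a subjectAltName is added, which makes the result an X.509 v3 certificate rather than the v1, CN-only one shown in step 4. Modern browsers no longer match a host name against the CN alone and stopped accepting SHA-1 certificate signatures in 2017.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1 to 6 above plus the
# closing "one command" variant, run without interactive prompts and checked
# afterwards. Needs OpenSSL 1.1.1 or newer (for -addext and -ext). The host
# name, file names and passphrases are constructed demo values.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

CERT_HOST="sample-app.example"               # assumed hostname for CN and SAN
WORK="$(mktemp -d)"                          # scratch directory for all output
KEY="$WORK/myDomain.key";  CSR="$WORK/myDomain.csr";  CRT="$WORK/myDomain.crt"
DER="$WORK/myDomain.der";  PFX="$WORK/myDomain.pfx";  EXT="$WORK/ext.cnf"
KEY_PASS="pass:password123"                  # demo passphrase for the key
PFX_PASS="pass:password789"                  # demo export password for .pfx

# Step 1: 2048-bit RSA key, encrypted with AES-256 rather than the post's -des3
# (3DES is a legacy cipher; -passout replaces the interactive prompt).
make_key() {
  openssl genrsa -aes256 -passout "$KEY_PASS" -out "$KEY" 2048 2>/dev/null
}

# Step 2: CSR with the DN passed via -subj and a subjectAltName, which modern
# TLS clients require; they ignore the CN on its own.
make_csr() {
  openssl req -new -key "$KEY" -passin "$KEY_PASS" \
    -subj "/C=IN/ST=Karnataka/L=Bangalore/O=abcCorp/OU=hr/CN=$CERT_HOST" \
    -addext "subjectAltName=DNS:$CERT_HOST" -out "$CSR"
}

# Step 3: self-sign for one year with SHA-256 (the post's OpenSSL defaulted to
# SHA-1). 'openssl x509 -req' does not copy CSR extensions, so the SAN is
# supplied again through -extfile; that also yields a v3 certificate, not v1.
self_sign() {
  printf 'subjectAltName=DNS:%s\n' "$CERT_HOST" > "$EXT"
  openssl x509 -req -in "$CSR" -signkey "$KEY" -passin "$KEY_PASS" \
    -days 365 -sha256 -extfile "$EXT" -out "$CRT" 2>/dev/null
}

# Steps 5 and 6: DER encoding of the same certificate, and a PKCS#12 bundle
# containing key and certificate, protected by the export password.
convert() {
  openssl x509 -in "$CRT" -outform der -out "$DER"
  openssl pkcs12 -export -inkey "$KEY" -passin "$KEY_PASS" -in "$CRT" \
    -passout "$PFX_PASS" -out "$PFX"
}

# The post's closing variant: key and self-signed certificate in one call,
# with the same hardening (SHA-256, SAN, encrypted key).
one_shot() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -passout "$KEY_PASS" \
    -subj "/CN=$CERT_HOST" -addext "subjectAltName=DNS:$CERT_HOST" \
    -keyout "$WORK/myDomain2.key" -out "$WORK/myDomain2.crt" 2>/dev/null
}

# Checks worth running before the files are deployed (step 4, done by script).
cert_sig_alg() { openssl x509 -in "$CRT" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
cert_version() { openssl x509 -in "$CRT" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'; }
cert_san()     { openssl x509 -in "$CRT" -noout -ext subjectAltName; }
one_shot_san() { openssl x509 -in "$WORK/myDomain2.crt" -noout -ext subjectAltName; }
# The public key inside the certificate must be the one derived from the key file.
key_matches_cert() {
  [ "$(openssl pkey -in "$KEY" -passin "$KEY_PASS" -pubout)" = "$(openssl x509 -in "$CRT" -noout -pubkey)" ]
}
# PEM is only the base64 of the DER bytes between the BEGIN and END lines.
pem_body_is_der() {
  sed -n '/^-----BEGIN/,/^-----END/p' "$CRT" | grep -v '^-----' | openssl base64 -d | cmp -s - "$DER"
}
# A self-signed certificate must verify against itself as trust anchor, and the
# .pfx must open with the export password and yield the same subject.
self_verifies() { openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1; }
pfx_subject()   { openssl pkcs12 -in "$PFX" -passin "$PFX_PASS" -nokeys 2>/dev/null | openssl x509 -noout -subject; }

make_key; make_csr; self_sign; convert; one_shot
echo "files written to $WORK"
```

Run it with sh and look in the directory it prints. The check functions at the end are independent of how the files were produced: point KEY, CRT, DER and PFX at the files created by the interactive commands above and the same key-match, PEM/DER and self-verification checks apply to them.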


 
