In this post, I am going to explain how to create a self-signed certificate using OpenSSL.
1. Create a private key
Open a terminal and run the command below.
openssl genrsa -des3 -out myDomain.key 2048
Remove the -des3 option from the command if you do not want the private key to be encrypted with a pass phrase.
$openssl genrsa -des3 -out myDomain.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
.............................+++
e is 65537 (0x10001)
Enter pass phrase for myDomain.key:
Verifying - Enter pass phrase for myDomain.key:
I set the pass phrase to 'password123'. Once the command completes, the file 'myDomain.key' is present in the current directory.
$ls
myDomain.key
You can view the content of myDomain.key with the cat command.
$cat myDomain.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9F0FF2109392340E
[base64 key data omitted]
-----END RSA PRIVATE KEY-----
2. Create a certificate signing request
Open a terminal and run the command below.
openssl req -key myDomain.key -new -out myDomain.csr
The .csr file is the input that gets signed to produce the certificate in the next step.
$openssl req -key myDomain.key -new -out myDomain.csr
Enter pass phrase for myDomain.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) []:abcCorp
Organizational Unit Name (eg, section) []:hr
Common Name (eg, fully qualified host name) []:sample-app.com
Email Address []:demo@demo.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password456
Now we have two files.
$ls
myDomain.csr myDomain.key
I set the challenge password for the .csr file to password456.
3. Create a self-signed certificate
Open a terminal and run the command below.
openssl x509 -signkey myDomain.key -in myDomain.csr -req -days 365 -out myDomain.crt
$openssl x509 -signkey myDomain.key -in myDomain.csr -req -days 365 -out myDomain.crt
Signature ok
subject=/C=IN/ST=Karnataka/L=Bangalore/O=abcCorp/OU=hr/CN=sample-app.com/emailAddress=demo@demo.com
Getting Private key
Enter pass phrase for myDomain.key:
Once the command completes, the .crt file is present.
$ls
myDomain.crt myDomain.csr myDomain.key
4. View the certificate
Open a terminal and run the command below.
openssl x509 -text -noout -in myDomain.crt
$openssl x509 -text -noout -in myDomain.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 18372991616756040757 (0xfef9fa87f9f94435)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IN, ST=Karnataka, L=Bangalore, O=abcCorp, OU=hr, CN=sample-app.com/emailAddress=demo@demo.com
Validity
Not Before: Feb 8 04:56:36 2023 GMT
Not After : Feb 8 04:56:36 2024 GMT
Subject: C=IN, ST=Karnataka, L=Bangalore, O=abcCorp, OU=hr, CN=sample-app.com/emailAddress=demo@demo.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus: [hex bytes omitted]
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
[signature bytes omitted]
$
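Steps 1 to 4 above as an added example that is not part of the original post: a script that runs them without prompts and then inspects the result the way a reviewer would before trusting the file. It assumes OpenSSL 1.1.1 or later; the working directory, host name and function names are its own choices, and unlike the post's output (Version 1, SHA-1 signature, no extensions) it signs with SHA-256 and adds a subjectAltName, which current TLS clients require to match the host name.

```sh
#!/bin/sh
# Added example, not from the original post: the post's steps 1-4 run without
# prompts (-subj gives the DN; the key is written unencrypted, as when -des3 is
# dropped), then the checks a reviewer wants before trusting the result.
# WORK and the function names are chosen for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Key, CSR and self-signed cert for one host name. Unlike the post's output
# (Version 1, sha1WithRSAEncryption, no extensions) this signs with SHA-256
# and adds a subjectAltName, which TLS clients need to match the host name.
make_cert() {
    cn="$1"; days="$2"
    openssl genrsa -out "$WORK/$cn.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$cn.key" -out "$WORK/$cn.csr" \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=abcCorp/OU=hr/CN=$cn"
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$WORK/$cn.ext"
    openssl x509 -req -sha256 -days "$days" -in "$WORK/$cn.csr" \
        -signkey "$WORK/$cn.key" -extfile "$WORK/$cn.ext" \
        -out "$WORK/$cn.crt" 2>/dev/null
    echo "$WORK/$cn.crt"
}

# One-line summary of the fields that decide whether a client accepts the cert.
cert_report() {
    text=$(openssl x509 -in "$1" -noout -text)
    ver=$(printf '%s\n' "$text" | sed -n 's/^ *Version: \([0-9]*\).*/\1/p')
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n1)
    san=$(printf '%s\n' "$text" |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }')
    printf 'version=%s sig=%s san=%s\n' "$ver" "$sig" "${san:-none}"
}

# A self-signed cert chains only to itself, so verify it against itself as the
# trust anchor (which is what every client must be configured to do) and
# confirm it has not already expired.
cert_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

crt=$(make_cert sample-app.com 365)
cert_report "$crt"
cert_ok "$crt" && echo "self-verify: OK"
```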
5. Convert the .crt file to .der
The file generated in step 3 is PEM encoded. Open a terminal and run the command below to get the certificate in DER form.
openssl x509 -in myDomain.crt -outform der -out myDomain.der
$openssl x509 -in myDomain.crt -outform der -out myDomain.der
$
$ls
myDomain.crt myDomain.csr myDomain.der myDomain.key
6. Convert the .crt file to PKCS#12 (.pfx)
Open a terminal and run the command below.
openssl pkcs12 -inkey myDomain.key -in myDomain.crt -export -out myDomain.pfx
$openssl pkcs12 -inkey myDomain.key -in myDomain.crt -export -out myDomain.pfx
Enter pass phrase for myDomain.key:
Enter Export Password:
Verifying - Enter Export Password:
$
$ls
myDomain.crt myDomain.csr myDomain.der myDomain.key myDomain.pfx
Generate the private key and self-signed certificate with one command
Open a terminal and run the command below.
openssl req -newkey rsa:2048 -keyout myDomain2.key -x509 -days 365 -out myDomain2.crt
$openssl req -newkey rsa:2048 -keyout myDomain2.key -x509 -days 365 -out myDomain2.crt
Generating a 2048 bit RSA private key
....................+++
.................+++
writing new private key to 'myDomain2.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) []:Bangaore
Organization Name (eg, company) []:hr
Organizational Unit Name (eg, section) []:hr
Common Name (eg, fully qualified host name) []:demo@demo.com
Email Address []:demo@demo.com
$
$ls myDomain2*
myDomain2.crt myDomain2.key
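Steps 5 and 6 and the one-command form above as an added example, not code from the original post: it creates the key and certificate without prompts, exports DER and PKCS#12, and checks that both exports carry the same certificate and key as the PEM files. It assumes OpenSSL 1.1.1 or later; the export password, paths and function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post: the one-command key+cert form
# run without prompts, then the DER and PKCS#12 exports of steps 5 and 6 with
# a check that each export carries the same certificate and key as the PEM.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PFX_PASS='example-export-pass'   # constructed value, not a real secret

# -nodes writes the key unencrypted (no "Enter PEM pass phrase" prompt) and
# -subj/-addext replace the DN questions; SHA-256 and a SAN are set because
# current TLS clients reject the post's SHA-1, SAN-less Version 1 cert.
one_shot() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/myDomain2.key" -out "$WORK/myDomain2.crt" \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=abcCorp/OU=hr/CN=sample-app.com" \
        -addext "subjectAltName=DNS:sample-app.com" 2>/dev/null
}

# Step 5: PEM -> DER only re-encodes the certificate, so the SHA-256
# fingerprints of the two files must be identical.
to_der() {
    openssl x509 -in "$WORK/myDomain2.crt" -outform der -out "$WORK/myDomain2.der"
}
fingerprint() {  # $1 = pem|der, $2 = file
    openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Step 6: key + cert -> PKCS#12. -passout replaces the "Enter Export Password"
# prompt; pass: shows the secret in ps and shell history, so prefer env: or file:.
to_pfx() {
    openssl pkcs12 -export -inkey "$WORK/myDomain2.key" -in "$WORK/myDomain2.crt" \
        -out "$WORK/myDomain2.pfx" -passout "pass:$PFX_PASS"
}

# The cert and key inside the .pfx must match the .crt and .key on disk;
# comparing public-key hashes catches a mismatched pair before a TLS handshake does.
pfx_matches_files() {
    crt_pub=$(openssl x509 -in "$WORK/myDomain2.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$WORK/myDomain2.key" -pubout | openssl sha256)
    pfx_crt=$(openssl pkcs12 -in "$WORK/myDomain2.pfx" -passin "pass:$PFX_PASS" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -pubkey | openssl sha256)
    pfx_key=$(openssl pkcs12 -in "$WORK/myDomain2.pfx" -passin "pass:$PFX_PASS" \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] && [ "$pfx_crt" = "$crt_pub" ] && [ "$pfx_key" = "$key_pub" ]
}

one_shot; to_der; to_pfx
echo "pem $(fingerprint pem "$WORK/myDomain2.crt")"
echo "der $(fingerprint der "$WORK/myDomain2.der")"
pfx_matches_files && echo "pfx matches .crt and .key"
```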