Denis Machard

My technical gists

Infrastructure background, developer mindset. I build things for pleasure.

    Create Self-Signed Certificates with OpenSSL

    This post describes how to generate self-signed certificates with OpenSSL: a self-signed CA certificate, then server and client certificates signed by that CA. Remember that these certificates are not suitable for production use and should only be used in development and testing environments.

    Creating the Certificate Authority’s certificate and key

    Generate a private key for the CA (Certificate Authority):

    openssl genrsa 2048 > ca.key
    

    Create the ca.conf file:

    [ req ]
    prompt                 = no
    distinguished_name     = req_distinguished_name
    
    [ req_distinguished_name ]
    countryName            = FR
    stateOrProvinceName    = Normandie
    localityName           = Caen
    organizationName       = Home
    organizationalUnitName = Lab
    commonName             = ca.home.lab
    emailAddress           = admin@home.lab
    

    Generate the certificate for the CA:

    openssl req -days 365 -new -x509 -nodes -key ca.key -out ca.crt -config ca.conf
    

    Creating the server’s certificate and key

    Create the server.conf file:

    [ req ]
    prompt                 = no
    distinguished_name     = req_distinguished_name
    req_extensions         = req_ext
    
    [ req_distinguished_name ]
    countryName            = FR
    stateOrProvinceName    = Normandie
    localityName           = Caen
    organizationName       = Home
    organizationalUnitName = Lab
    commonName             = server.home.lab
    emailAddress           = admin@home.lab
    
    [ req_ext ]
    subjectAltName = DNS: server.home.lab, IP: 127.0.0.1
    

    Generate the private key and CSR (Certificate Signing Request). The -nodes option writes the private key to disk unencrypted:

    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config server.conf
    

    Generate the certificate for the server:

    openssl x509 -req -days 365 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extensions req_ext -extfile server.conf
    

    Show the certificate:

    openssl x509 -text -noout -in server.crt
    

    Creating the client’s certificate and key

    Create the client.conf file:

    [ req ]
    prompt                 = no
    distinguished_name     = req_distinguished_name
    
    [ req_distinguished_name ]
    countryName            = FR
    stateOrProvinceName    = Normandie
    localityName           = Caen
    organizationName       = Home
    organizationalUnitName = Lab
    commonName             = client.home.lab
    emailAddress           = admin@home.lab
    

    Generate the private key and CSR:

    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -config client.conf
    

    Generate the certificate for the client:

    openssl x509 -req -days 365 -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial
    

    Verifying the certificates

    Verify the server certificate:

    openssl verify -CAfile ca.crt server.crt
    server.crt: OK
    

    Verify the client certificate:

    openssl verify -CAfile ca.crt client.crt
    client.crt: OK
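
The chain check above says nothing about whether the certificate covers the hostname, matches its private key, or is about to expire. The following script is an added example, not part of the original post: it rebuilds a throwaway CA and server certificate along the lines of the steps above and runs those checks. The function names make_lab_pki and check_server_cert, the lab.conf file and the explicit basicConstraints section are assumptions of this example, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a lab certificate (assumes OpenSSL 1.1.1+).

# make_lab_pki DIR: constructed throwaway CA + server cert, mirroring the page's steps.
make_lab_pki() {
  d=$1
  cat > "$d/lab.conf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
commonName         = placeholder.home.lab
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
[ req_ext ]
subjectAltName     = DNS:server.home.lab, IP:127.0.0.1
EOF
  openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -config "$d/lab.conf" \
    -extensions v3_ca -subj "/CN=ca.home.lab" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -config "$d/lab.conf" -subj "/CN=server.home.lab" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -days 365 -in "$d/server.csr" -out "$d/server.crt" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extensions req_ext -extfile "$d/lab.conf" 2>/dev/null
}

# check_server_cert CA CERT KEY HOST [MIN_DAYS]
# Prints "ok" and returns 0, or names the first failed check and returns 1, 2 or 3.
check_server_cert() {
  ca=$1 crt=$2 key=$3 host=$4 days=${5:-30}
  # 1. Chain builds to the CA and HOST is covered by a DNS subjectAltName.
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1 ||
    { echo "chain or hostname check failed for $host"; return 1; }
  # 2. The private key is the one the certificate was issued for.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
    { echo "private key does not match certificate"; return 2; }
  # 3. The certificate stays valid for at least MIN_DAYS more days.
  openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null ||
    { echo "certificate expires within $days days"; return 3; }
  echo "ok"
}

lab=$(mktemp -d) && make_lab_pki "$lab" &&
  check_server_cert "$lab/ca.crt" "$lab/server.crt" "$lab/server.key" server.home.lab
rm -rf "$lab"   # the generated keys are throwaway lab material
```

The same function can be pointed at the ca.crt, server.crt and server.key files produced by the commands in this post.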
    