Create Self-Signed Certificates with OpenSSL
This post describes how to generate self-signed certificates with OpenSSL. Remember that these certificates are not suitable for production use and should only be used in development and testing environments.
Creating the Certificate Authority’s certificate and key
Generate a private key for the CA (Certificate Authority):
openssl genrsa 2048 > ca.key
Create the ca.conf file:
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
organizationName = Home
organizationalUnitName = Lab
commonName = ca.home.lab
emailAddress = admin@home.lab
Generate the certificate for the CA:
openssl req -days 365 -new -x509 -nodes -key ca.key -out ca.crt -config ca.conf
Creating the server’s certificate and key
Create the server.conf file:
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
organizationName = Home
organizationalUnitName = Lab
commonName = server.home.lab
emailAddress = admin@home.lab
[ req_ext ]
subjectAltName = DNS: server.home.lab, IP: 127.0.0.1
Generate the private key and CSR (Certificate Signing Request):
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config server.conf
Generate the certificate for the server:
openssl x509 -req -days 365 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -extensions req_ext -extfile server.conf
Show the certificate:
openssl x509 -text -noout -in server.crt
Creating the client’s certificate and key
Create the client.conf file:
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
organizationName = Home
organizationalUnitName = Lab
commonName = client.home.lab
emailAddress = admin@home.lab
Generate the private key and CSR:
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -config client.conf
Generate the certificate for the client:
openssl x509 -req -days 365 -in client.csr -out client.crt -CA ca.crt -CAkey ca.key
Verifying the certificates
Verify the server certificate:
openssl verify -CAfile ca.crt server.crt
server.crt: OK
Verify the client certificate:
openssl verify -CAfile ca.crt client.crt
client.crt: OK
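The verify commands above only confirm that each certificate chains to ca.crt. The shell functions below are an added example, not part of the original post: they also check that the private key belongs to the certificate and that the host name is listed in subjectAltName, which is missing from the issued certificate when -extensions req_ext -extfile server.conf is left out of the signing command. The function names are hypothetical; the file names in the usage comment are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.
# Usage with this post's files:
#   check_leaf ca.crt server.crt server.key server.home.lab

# Succeeds when the leaf certificate chains to the CA certificate.
chain_ok() {  # $1 = CA cert, $2 = leaf cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds when the private key and the certificate hold the same public key.
key_matches() {  # $1 = leaf cert, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the DNS name is an exact subjectAltName entry.
# The commonName is deliberately not consulted by this check.
san_has_dns() {  # $1 = leaf cert, $2 = DNS name
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Runs all three checks and reports every failure, not just the first.
check_leaf() {  # $1 = CA cert, $2 = leaf cert, $3 = leaf key, $4 = DNS name
    rc=0
    chain_ok "$1" "$2"    || { echo "FAIL: $2 does not chain to $1"; rc=1; }
    key_matches "$2" "$3" || { echo "FAIL: $3 is not the key for $2"; rc=1; }
    san_has_dns "$2" "$4" || { echo "FAIL: $2 has no SAN entry DNS:$4"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2"
    return "$rc"
}
```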