Generate SSL certificates using openssl

Generate SSL certificates using openssl with a Certificate Signing Request

The file ca.key and ca.crt are the Certificate Authority

We will be generating the .key and .csr (Certificate Signing Request) files from the below command.

[root@node01 ssl]# openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -days 365 -out linuxcent.com.csr -sha256 -subj "/C=IN/ST=TG/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com/subjectAltName=DNS.1=linuxcent.com"

The resultant files are a PEM certificate request .csr and a Private .key file. Now that we have successfully generated the .csr, we approach a Certificate Authority, Upload our CSR, and purchase the signer certificates along with Intermediate Chain keys for a given Number of days, typically done for 365 Days.

The -days flag is optional, and can be skipped as we are only generating a Signing Request.

Here we can use the openssl command to verify the .csr file that is generated as shown below:

[root@node01 ssl]# openssl req -in linuxcent.com.csr -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IN, ST=TG, L=MY Location, O=Company Ltd., OU=IT, CN=linuxcent.com/subjectAltName=DNS.1=linuxcent.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:00:e4:b4:24:d7:22:ec:5d:c1:37:8c:d1:a0:62:17:
96:24:77:8d:75:4e:d5:74:15:4d:61:e0:8b:66:d6:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         87:ef:83:b2:a6:f5:3a:f3:6f:1c:e4:02:ec:bf:5d:75:64:1d:

- OUTPUT TRUNCATED --

In the next section we shall see How the .csr can be signed by a CA to generate a .crt PEM certificate

Signing a .csr with a Certificate Authority [Demo Purpose] – Sample CA files

Here is the process of Generating a Selfsigned certificate(Not to be used on public facing sites)

Now we will using the root ca.key and ca.crt to digitally sign this .csr and generate a .crt PEM certificate

x509 is a Certificate Data Management and Certificate Signing Utility

This generally takes the private key as input, and signs the certificate requests and Converting the certificate to various formats

[root@node01 ssl]# openssl x509 -req -in linuxcent.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out linuxcent.com.crt -days 365 -sha256

-subj "/C=IN/ST=TG/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com/subjectAltName=DNS.1=linuxcent.com"

We have generated the .crt file from the .csr

[root@node01 ssl]# ls linuxcent.com.crt linuxcent.com.key 
linuxcent.com.crt linuxcent.com.key

We have successfully generated the linuxcent.com.key file and linuxcent.com.crt, and digitally self signed with the root CA key and certificates.

Generating Self Signed SSL certificates using openssl x509

The x509 is the certificate signing utility we will be using here.\ to generate a PEM certificate

Below is the complete command to generate the ssl self signed certificate.

openssl req -x509 -days 365 -sha1 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -out linuxcent.com.crt -sha256 -subj "/C=IN/ST=State/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com/subjectAltName=DNS.1=linuxcent.com"

The Days parameter can be specified to any number of days depending on your requirement

The Self signed certificates are mostly commonly used within the internal network or among small group of familiar individuals like an office for specific purposes and not advised to be used out in the public domain as the browser does not identify the certificate authenticity or the ingenuity of the concerned website. The Self-signed certificates are not validated with any third party until and unless you import them to the browsers previously.

Generating a Wildcard certificate Request.

[root@node01 ssl]# openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -out linuxcent.com.csr -sha256 -subj "/C=IN/ST=TG/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com/subjectAltName=DNS.1=*.linuxcent.com, linuxcent.com"

Mentioning the Alternate Domain as *.linuxcent.com will create a wildcard .CSR

The SANs often seen in shortform to SubjectAltName allows us to secure multiple subdomains using a SSL certificate

The CA signing process of the wildcard is identical and obviously costs more.

Leave a Comment