Generate SSL certificates using openssl with a Certificate Signing Request
The files ca.key and ca.crt make up the Certificate Authority (its private key and its certificate). We will be generating the .key and .csr (Certificate Signing Request) files with the command below.
[root@node01 ssl]# openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -days 365 -out linuxcent.com.csr -subj "/C=IN/ST=TG/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com" -addext "subjectAltName=DNS:linuxcent.com"
The resultant files are a PEM certificate request (.csr) and a private key (.key) file. Now that we have successfully generated the .csr, we approach a Certificate Authority, upload our CSR, and purchase the signed certificate along with the intermediate chain certificates for a given number of days, typically 365 days.
The -days flag is optional and can be skipped, as we are only generating a signing request.
Here we can use the openssl command to verify the .csr file that was generated, as shown below. Note that in this output the subjectAltName text appears inside the Subject DN (CN=linuxcent.com/subjectAltName=...) rather than under Requested Extensions; that is what happens when it is passed through -subj instead of -addext, and a browser will not treat it as a SAN.
[root@node01 ssl]# openssl req -in linuxcent.com.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=IN, ST=TG, L=MY Location, O=Company Ltd., OU=IT, CN=linuxcent.com/subjectAltName=DNS.1=linuxcent.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:b4:24:d7:22:ec:5d:c1:37:8c:d1:a0:62:17:
                    96:24:77:8d:75:4e:d5:74:15:4d:61:e0:8b:66:d6:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         87:ef:83:b2:a6:f5:3a:f3:6f:1c:e4:02:ec:bf:5d:75:64:1d:
-- OUTPUT TRUNCATED --
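As an added example (not from the original post), the following script puts the hostname into a real subjectAltName extension via -addext (when subjectAltName is written into -subj, as in the verification output above, it only ends up in the Subject DN text) and then runs the checks worth doing before a CSR is uploaded to a CA: the SAN extension is present, the private key matches the CSR, and the CSR's own signature verifies. It assumes OpenSSL 1.1.1 or later; the file names and the www. hostname are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: generate a CSR whose SAN is a
# real extension, then check it before sending it to a CA.
# Assumes OpenSSL 1.1.1+ (for -addext). File and host names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN=linuxcent.com

make_csr() {
  # The subject DN carries only identity fields; the hostnames go into
  # subjectAltName through -addext, which is what clients actually check.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" \
    -subj "/C=IN/ST=TG/L=My Location/O=Company Ltd./OU=IT/CN=$DOMAIN" \
    -addext "subjectAltName=DNS:$DOMAIN,DNS:www.$DOMAIN" 2>/dev/null
}

# Returns 0 when the CSR carries both DNS names under Requested Extensions.
csr_has_san() {
  openssl req -in "$WORK/$DOMAIN.csr" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | grep -q "DNS:$DOMAIN, DNS:www.$DOMAIN"
}

# Returns 0 when the private key and the CSR contain the same public key,
# so the certificate the CA issues will actually work with this key.
key_matches_csr() {
  k=$(openssl pkey -in "$WORK/$DOMAIN.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$WORK/$DOMAIN.csr" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# Returns 0 when the CSR's self-signature (made with the private key) verifies.
csr_signature_ok() {
  openssl req -in "$WORK/$DOMAIN.csr" -noout -verify >/dev/null 2>&1
}

make_csr
csr_has_san && key_matches_csr && csr_signature_ok && echo "CSR checks passed"
```

The public-key comparison is the check most often skipped: a CSR regenerated with a fresh -newkey silently orphans the previous .key file, and the mismatch only surfaces when the web server refuses to start with the issued certificate.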
In the next section we shall see how the .csr can be signed by a CA to generate a .crt PEM certificate.
Signing a .csr with a Certificate Authority [Demo Purpose] – Sample CA files
Here is the process of generating a self-signed certificate (not to be used on public-facing sites). Now we will use the root ca.key and ca.crt to digitally sign this .csr and generate a .crt PEM certificate.
openssl x509 is a certificate data management and certificate signing utility. It takes the CA's private key as input, signs certificate requests, and converts certificates between various formats.
[root@node01 ssl]# openssl x509 -req -in linuxcent.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out linuxcent.com.crt -days 365 -sha256
We have generated the .crt file from the .csr (the subject is taken from the request, so no -subj is needed here):
[root@node01 ssl]# ls linuxcent.com.crt linuxcent.com.key
linuxcent.com.crt  linuxcent.com.key
We have successfully generated the linuxcent.com.key and linuxcent.com.crt files, the latter digitally signed with the root CA key and certificate.
Generating Self Signed SSL certificates using openssl x509
Here we use the -x509 option of openssl req to generate a self-signed PEM certificate in a single step.
Below is the complete command to generate the SSL self-signed certificate.
openssl req -x509 -days 365 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -out linuxcent.com.crt -sha256 -subj "/C=IN/ST=State/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com" -addext "subjectAltName=DNS:linuxcent.com"
The -days parameter can be set to any number of days depending on your requirement.
Self-signed certificates are most commonly used within an internal network or among a small group of familiar individuals, such as an office, for specific purposes. They are not advised for use on the public internet, because the browser cannot establish the certificate's authenticity or the genuineness of the website concerned. Self-signed certificates are not validated by any third party unless you have previously imported them into the browser.
Generating a Wildcard certificate Request.
[root@node01 ssl]# openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -out linuxcent.com.csr -subj "/C=IN/ST=TG/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com" -addext "subjectAltName=DNS:*.linuxcent.com,DNS:linuxcent.com"
Listing the alternate name *.linuxcent.com creates a wildcard CSR; the bare domain linuxcent.com has to be listed as well, because the wildcard does not cover it.
SAN is the common short form of subjectAltName; it allows us to secure multiple subdomains with a single SSL certificate.
The CA signing process for a wildcard certificate is identical, and a wildcard certificate obviously costs more.
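As an added example (not from the original post) covering both the self-signed warning above and the wildcard request, the script below issues a self-signed wildcard certificate with the names in subjectAltName and then checks it the way a client would: openssl verify rejects it until the certificate itself is supplied as a trust anchor, and once trusted the wildcard matches app.linuxcent.com but not deep.app.linuxcent.com, while the bare linuxcent.com matches only because it is listed separately. It assumes OpenSSL 1.1.1 or later; host and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: self-signed wildcard certificate,
# trust behaviour without and with an explicit import, and wildcard matching.
# Assumes OpenSSL 1.1.1+. File and host names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/wildcard.linuxcent.com.crt"
KEY="$WORK/wildcard.linuxcent.com.key"

make_self_signed_wildcard() {
  # Both the wildcard and the bare domain go into the SAN; the CN is ignored
  # by clients whenever a SAN is present.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$KEY" -out "$CERT" \
    -subj "/C=IN/ST=TG/O=Company Ltd./CN=*.linuxcent.com" \
    -addext "subjectAltName=DNS:*.linuxcent.com,DNS:linuxcent.com" 2>/dev/null
}

# Returns 0 only if the certificate validates against the default trust store,
# which is what a browser does when nothing has been imported.
trusted_by_default() {
  openssl verify "$CERT" >/dev/null 2>&1
}

# Returns 0 when the certificate validates for hostname $1 after it has been
# explicitly imported as a trust anchor (-CAfile pointing at itself).
trusted_after_import_for() {
  openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

make_self_signed_wildcard
if trusted_by_default; then echo "unexpected: trusted without import"; fi
trusted_after_import_for app.linuxcent.com        # one label under the wildcard
trusted_after_import_for linuxcent.com            # only because it is listed
if trusted_after_import_for deep.app.linuxcent.com; then
  echo "unexpected: wildcard matched two labels"
fi
echo "wildcard certificate checks done"
```

The two failure modes shown here are the ones that reach the helpdesk: the untrusted self-signed certificate is exactly the browser warning the text describes, and the two-label mismatch is why a wildcard bought for *.linuxcent.com does not cover hosts under a further subdomain.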