In an earlier post, I discussed how makecert.exe tool in Windows OS can be used to create self-signed certificates.
We’ll now check how the popular openssl tool can be used to create these self-signed certificates. One major advantage of this tool is that it is available on all platforms Windows, Linux and OSX.
For the sake of this post, we’ll use the same scenario as in the earlier post, whereby we will generate server/client certificates which is signed by a Root Certificate Authority. Also, we’ll use WSL (Windows Subsystem for Linux) on Windows 10 (specifically ubuntu 18.04) to create these certificates.
We’ll go about this using following steps
- Preparing the directory structure
- Creating a custom Root Certificate
- Creating a server certificate signed by the Root CA
- Packaging the certificate
- Deploying the certificate
Preparing the directory
Here is how I suggest you create the directory structure.
Choose a directory
/home/<user>/mycerts/ca to store all keys and certificates.
You may create it as follows…
ca directory create the following set of directories.
serial files act as a flat file database to keep track of signed certificates.
Unlike the makecert.exe that Windows OS provides, openssl does not provide an option to specify all the attributes via command line. It uses a different approach, the one where you create a separate configuration file and provide this configuration file as an input to the openssl tool.
You may download this configuration file
openssl.cnf from my github repository here.
Place this file under the
Once done, your directory structure would look like …
openssl.cnf file and update the root directory path based of your own user home directory path.
With this, our initial directory structure is ready and we can proceed to the next step of creating the Root CA.
Creating a custom Root Certificate
This can be created in 3 steps.
1. Create the root key
When prompted for a passphrase provide the same.
The root key is now stored in the
private directory in the file
Use 4096 bits for all root certificates. You’ll still be able to sign server and client certificates of a shorter length.
2. Create the root certificate
We can now create the root certificate
ca.cert.pem using the root key
ca.key.pem and openssl configuration file
The Root CA validity can be of a longer duration (10 years in this case). Once the root certificate expires, all certificates signed by the CA become invalid.
When the command is executed, it will ask you for a passphrase and then prod you to specify various details to be incorporated in your certificate request.
With this our Root CA certificate is now created.
Creating a server certificate signed by the Root CA
This can be performed in 3 steps…
1. Create a key for the server certificate
Server and client certificates normally expire after one year, so we can safely use 2048 bits instead of 4096 bits used in Root certificates.
2. Create a Certificate Signing Request (CSR)
We will now use the private key created (
www.funsoft.com.key.pem), to create a certificate signing request (CSR).
As shown above, provide the certificate details when it prods for it. The Certificate Signing Request (CSR) -
www.funsoft.com.csr.pem is generated under the
For server certificates, the
Common Name must be a fully qualified domain name (eg, www.funsoft.com), whereas for client certificates it can be any unique identifier (eg, an e-mail address).
3. Create server certificate signed by Root CA
We will now use the Root CA created earlier
ca.cert.pem to sign the CSR
www.funsoft.com.csr.pem and generate the server certificate
When it prods you for passphrase, provide the same. Provide the input
y when it asks you to sign the certificate and
y again when it asks you to commit the certified requests.
You’ll find the certificate
www.funsoft.com.cert.pem created under the
If the certificate is going to be used on a server, use the
server_cert extension. If the certificate is going to be used for user authentication (client certificate), use the
Packaging the certificate
Now that we have the certificate created, we need to package it appropriately so that it can be deployed easily.
There are many different formats available to package certificates. One of the popular ones is
As can be seen in the command above we are packaging the server certificate, its private key and the Root CA used to sign this certificate in a
Provide a password, when prodded for it. Later on, while deploying this certificate, you would have to provide this password.
Deploying the certificate
Now that the
www.funsoft.com.pfx file is generated, you can double-click on it and follow the wizard to import the Server and Root CA certificates in appropriate stores on Windows OS.
When it asks you to specify a store to store the certificate, choose the
Automatically select the certificate store based on the type of certificate option.
Once the certificate is imported successfully, you’ll find the server certificate with private key installed in the
Personal store, while the Root CA imported in the
Trusted Root Certification Authorities store.
The server certificate is now available for use with your website.
Hope this was useful!!