OpenSSL: SSL Certificate X.509

  • Private key > X.509 certificate (self-signed)
  • Private key > X.509 certificate request > X.509 certificate

Root certificate (CA)

Create root certificate private key with password:

To generate private key without password just takeout the -des3 option

# with password
openssl genrsa \
-des3 \
-out rootCA.key 4096

# without password
openssl genrsa -out rootCA.key 4096

Create root certificate public key:

openssl req \
-new \
-x509 \
-sha256 \
-days 1024 \
-key rootCA.key \
-out rootCA.crt
  • openssl req PKCS#10 certificate request and certificate generating utility.
  • -new to create new certificate request, user prompted
  • -x509 skip the certificate request / generate the certificate right away
  • -sha256 sign the certificate with SHA-256
  • -days 1024 this certificate valid for the next 1024 days
  • -key rootCA.key use this private key to sign
  • -out rootCA.key output the signed certificate to this file

Create root private key and X.509 certificate (self-signed) in one go:

openssl req \
-new \
-x509 \
-sha256 \
-days 1024 \
-newkey rsa:4096 \
-nodes \
-keyout rootCA.key \
-out rootCA.crt
  • openssl req PKCS#10 certificate request and certificate generating utility.
  • -new to create new certificate request, user prompted
  • -newkey rsa:4096 generate a new private key with RSA-4096
  • -nodes do not encrypt the private key with password
  • -x509 skip the certificate request / generate the certificate right away
  • -sha256 sign the certificate with SHA-256
  • -days 1024 this certificate valid for the next 1024 days
  • -keyout rootCA2.key output the newly generated private key to this file
  • -out rootCA2.crt output the signed certificate to this file

Server certificate

Create server certificate private key.

openssl genrsa -out server.key 4096

Create server certificate request.

openssl req \
-new \
-key server.key \
-out server.csr

Output certificate request

openssl req -text -noout -in server.csr

Signing

Sign certificate request (server.csr) with root certificate public key (rootCA.crt) and rootCA private key (rootCA.key)

openssl x509 \
-sha256 \
-days 500 \
-req \
-in server.csr \
-CA rootCA.crt \
-CAkey rootCA.key \
-CAcreateserial \
-out server.crt
  • openssl x509 Certificate display and signing command
  • -sha256 sign the certificate request with SHA256
  • -days 500 this certificate valid for the next 500 days
  • -req input file is a certificate request
  • -in server.csr input file; in this case is the certificate request because of the -req flag
  • -CA rootCA.crt signer X.509 certificate
  • -CAkey rootCA.key signer private key
  • -CAcreateserial automatically create serial (To manualy create the serial, replace this with -set_serial n)
  • -out server.crt output the signed certificate to this file

Output certificate

openssl x509 -text -noout -in server.crt

Verify

openssl verify -CAfile rootCA.crt server.crt

Self-sign request certificate

openssl x509 \
-days 365 \
-req \
-in server.csr \
-signkey server.key \
-out server.crt
  • openssl x509 Certificate display and signing command
  • -days 365 this certificate valid for the next 365 days
  • -req input file is a certificate request
  • -in server.csr input file; in this case is the certificate request because of the -req flag
  • -signkey server.key sign with this private key
  • -out server.crt output the signed X.509 certificate to this file

References:


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *