PhenixID

PSD1052 – Creating Self-Signed Certificates Using OpenSSL

Fact

OpenSSL (www.openssl.org)

Situation

This document describes how to do the following with the OpenSSL command-line tool:

  • How to generate a key pair
  • How to create a self-signed certificate

Solution

The general process used when creating a key pair and a certificate is as follows:

  1. Generate a key pair (a public and a private key).
  2. Generate a certificate request (with the public key included).
  3. Create a self-signed certificate based on the certificate request.
  4. Optionally, the private key and the certificate are packaged together as a PKCS#12 file.
  5. Optionally, remove the pass phrase from the private key.

The following guide uses specific values for key length, key algorithm, certificate validity period and so on. These values may not be appropriate in all situations and should be chosen with the requirements of the target environment in mind. Also note that keys and certificates come in different formats and encodings. The resulting key and certificate may need to be converted, depending on the software they are intended for.

1. Generate a Key Pair

To generate the key pair, execute the following command:

openssl genrsa -des3 -out my.key 2048

When prompted, enter a pass phrase for the key.
The command will generate the file my.key, which includes the key pair.

2. Generate a Certificate Request

Now generate a certificate request using the command:

openssl req -new -key my.key -out my.csr

OpenSSL will now prompt for information to put into the certificate request. Consider the following:
If the certificate is intended to serve as an SSL server certificate, it is crucial that Common Name is set to the DNS name of the server, e.g. “www.example.org”.
OpenSSL will also prompt for the pass phrase that was set for the private key in the previous step.
The command will generate the file my.csr, which includes the certificate request.

3. Create a Self-Signed Certificate

Now generate a self-signed certificate using the command:

openssl x509 -req -days 365 -in my.csr -signkey my.key -out my.crt

The command will generate the file my.crt, which contains the certificate.

Now the private key (my.key) and the certificate (my.crt) can be used in combination, but as separate files, if the target software supports it. If the target software requires a PKCS#12 file, continue with the next step.

4. Create a PKCS#12 File (Optional)

To create a PKCS#12 file, issue the command:

openssl pkcs12 -export -in my.crt -inkey my.key -out my.p12

OpenSSL will first prompt for the pass phrase for the private key created before. Then OpenSSL will prompt for the pass phrase to protect the resulting PKCS#12 file.
The command will generate the file my.p12, which includes both the private key, protected with the given pass phrase, and the certificate.

5. Remove the Private Key Pass Phrase (Optional)

In some circumstances it is not practical to have the private key protected with a pass phrase. For example, a web server might be required to prompt for the pass phrase every time it is started. To avoid those situations, the pass phrase of the private key may be removed using the following command:

openssl rsa -in my.key -out my.key

OpenSSL will prompt for the pass phrase previously set for the private key.
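
The five steps above as one non-interactive script that also checks its own output; this is an added example, not part of the original PhenixID document. It assumes the pass phrases are in the environment variables KEY_PASS and P12_PASS (names chosen here), uses -aes256 where the page uses -des3, adds a subjectAltName extension, and writes the unprotected key to my.plain.key instead of overwriting my.key.

```sh
#!/bin/sh
# Added example: steps 1-5 without prompts, followed by checks on the output.
# Pass phrases come from KEY_PASS and P12_PASS (assumed variable names) so they
# do not show up in the process list.

make_selfsigned() {    # usage: make_selfsigned <dir> <dns-name>
    dir=$1; cn=$2
    ( cd "$dir" && umask 077 &&
      # 1. Key pair; -aes256 is used here where the page uses -des3.
      openssl genrsa -aes256 -passout env:KEY_PASS -out my.key 2048 &&
      # 2. Certificate request, Common Name set to the server's DNS name.
      openssl req -new -key my.key -passin env:KEY_PASS -subj "/CN=$cn" -out my.csr &&
      # 3. Self-signed certificate. The subjectAltName file is an addition:
      #    current TLS clients match the host name against that extension.
      printf 'subjectAltName=DNS:%s\n' "$cn" > san.ext &&
      openssl x509 -req -days 365 -in my.csr -signkey my.key \
          -passin env:KEY_PASS -extfile san.ext -out my.crt &&
      # 4. PKCS#12 bundle protected by its own pass phrase.
      openssl pkcs12 -export -in my.crt -inkey my.key \
          -passin env:KEY_PASS -passout env:P12_PASS -out my.p12 &&
      # 5. Unprotected key goes to a separate file; my.key stays encrypted.
      openssl rsa -in my.key -passin env:KEY_PASS -out my.plain.key )
}

check_selfsigned() {   # usage: check_selfsigned <dir> <dns-name>; 0 = all pass
    dir=$1; cn=$2
    ( cd "$dir" || exit 1
      # The certificate carries the public half of my.key.
      [ "$(openssl x509 -in my.crt -noout -pubkey)" = \
        "$(openssl rsa -in my.key -passin env:KEY_PASS -pubout)" ] || exit 1
      # Self-signed: issuer name equals subject name.
      [ "$(openssl x509 -in my.crt -noout -issuer_hash)" = \
        "$(openssl x509 -in my.crt -noout -subject_hash)" ] || exit 1
      # The DNS name is present in the certificate's subjectAltName.
      openssl x509 -in my.crt -noout -text | grep -qF "DNS:$cn" || exit 1
      # The PKCS#12 file opens with its pass phrase (MAC check only).
      openssl pkcs12 -in my.p12 -passin env:P12_PASS -noout || exit 1
      # my.key is still encrypted, my.plain.key is not.
      grep -q ENCRYPTED my.key || exit 1
      [ -s my.plain.key ] && ! grep -q ENCRYPTED my.plain.key )
}

# Demo run with constructed pass phrases in a throwaway directory.
KEY_PASS='constructed-key-pass'; P12_PASS='constructed-p12-pass'
export KEY_PASS P12_PASS
demo=$(mktemp -d)
make_selfsigned "$demo" www.example.org &&
    check_selfsigned "$demo" www.example.org && echo "all checks passed"
rm -rf "$demo"
```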


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se