SSL Certificate 101
How to generate a self-signed certificate
If you wish to generate a certificate from an actual Certificate Authority then the flow is done like such:
I will only be explaining how to generate a self-signed certificate, because the process is essentially the same, except that you abstract out the CA as a third party that handles the signing request for you automatically.
To create a self-signed certificate (a certificate that's signed by a CA that YOU own), these are the steps:
1. Create your own root CA certificate and root CA private key
To get started with creating self-signed certificate you will need to first create your root CA private key and root CA certificate.
Running the following command will generate a private key and name the file root.key to indicate that this is the private key for the root CA.
openssl genrsa -out root.key
To generate the root CA certificate run the following command:
openssl req -x509 -days 365 -key root.key -out root.cer
This will generate a root certificate, signed with the root private key, that's valid for 365 days. You can inspect this certificate by running the following command and see its expiration date in the output:
openssl x509 -in root.cer -text
Note that you must provide a common name field in order to validate the certificate trust chain.
2. Create your server private key and certificate signing request
Go ahead and generate your server's private key with the following command.
openssl genrsa -out server.key
Now then you will need to create a certificate signing request with your server's private key.
openssl req -new -key server.key -out server.csr
When prompted for the common name field, you will need to enter one here as well; otherwise you cannot validate the certificate trust chain.
3. Use CSR to create server certificate
The following command uses the certificate signing request (which says who the certificate is being issued to), the root CA certificate and the root CA private key to create a server certificate signed by the root CA that we host ourselves.
openssl x509 -req -in server.csr -CA root.cer -CAkey root.key -CAcreateserial -out server.crt -days 365
4. Validate certificate chain
Finally, to validate that the resulting server certificate was indeed created and signed by our root CA, we can run the following command:
openssl verify -CAfile root.cer server.crt
If everything is good, then you should see the output server.crt: OK
What is Self-Signed Certificate
All root CA certificates are self-signed in the sense that the root CA certificate is signed with the certificate's own private key. Nothing is special about them besides that the organizations that own them are trusted by the general public and have a good reputation for owning and issuing certificates.
You can also generate your own self-signed certificate.
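The four steps above, plus the subject-equals-issuer property that makes a root "self-signed", as one added example script (this is not code from the original post). It runs the same openssl commands non-interactively by passing the distinguished name with -subj instead of answering prompts; the names "Example Root CA", "Unrelated CA" and server.example.test are constructed placeholders. It also signs the server certificate with a subjectAltName, which modern clients use for hostname matching instead of the common name, and shows that openssl verify rejects the server certificate when handed a different root as the trust anchor.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an openssl 1.1.1+ binary.
# All names below (Example Root CA, Unrelated CA, server.example.test) are
# constructed placeholders.
set -eu

# Build a private root CA and a server certificate signed by it inside $1.
make_chain() {
    dir="$1"
    mkdir -p "$dir"

    # Step 1: root CA private key and self-signed root certificate.
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 365 \
        -key "$dir/root.key" -out "$dir/root.cer" \
        -subj "/CN=Example Root CA"

    # Step 2: server private key and certificate signing request.
    # The common name is mandatory, as the post notes.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=server.example.test"

    # Step 3: sign the CSR with the root CA. Browsers and TLS libraries match
    # the host name against subjectAltName, so add it via an extension file;
    # CA:FALSE makes it explicit that the leaf cannot issue further certs.
    printf 'subjectAltName=DNS:server.example.test\nbasicConstraints=CA:FALSE\n' \
        > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/root.cer" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt"

    # A second, unrelated root: used to show that verification is anchored to
    # one specific CA and not to "any self-signed certificate".
    openssl req -x509 -new -sha256 -days 365 -newkey rsa:2048 -nodes \
        -keyout "$dir/other.key" -out "$dir/other.cer" \
        -subj "/CN=Unrelated CA" 2>/dev/null
}

# Step 4: returns 0 when certificate $2 chains to the trust anchor $1.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when a certificate's issuer name equals its subject name, which
# is what "self-signed" means for a root CA (it was signed with its own key).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Stand-alone run: build everything in a scratch directory and report.
d=$(mktemp -d)
make_chain "$d"
verify_against "$d/root.cer" "$d/server.crt" && echo "root.cer -> server.crt: OK"
verify_against "$d/other.cer" "$d/server.crt" || echo "other.cer -> server.crt: rejected"
is_self_signed "$d/root.cer" && echo "root.cer is self-signed"
is_self_signed "$d/server.crt" || echo "server.crt is not self-signed"
openssl x509 -in "$d/server.crt" -noout -subject -issuer -dates
rm -rf "$d"
```

Running the script prints the OK / rejected lines and then the subject, issuer and validity dates of server.crt; the issuer line should carry the root CA's name, which is the same relationship the post's openssl verify step checks.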
What are PEM files
https://origin-blog.mediatemple.net/work-life/ssl-certificate-101-everything-you-need-to-know/
- What are PEM files
- What are X.509 file types
- How the hell do certificates work
https://robertheaton.com/2014/03/27/how-does-https-actually-work/ Super helpful in explaining how https actually works.