Tag Archives: PKI

Generating SSL certificates

** The (self-signed) SSL certificate generated by the procedure mentioned in this article should be used for testing purpose only **

Generating an SSL certificate is very simple. All you need is openssl package installed on your system. A key point to note here is that SSL certificates contain public key, which is always generated in pair with a private key. Here is the step-by-step procedure to generate one:

  1. Private key
    Lets first generate a 2048-bit RSA private key.

    openssl genrsa -out privkey.pem 2048

    $ openssl genrsa -out privkey.pem 2048
    Generating RSA private key, 2048 bit long modulus
    unable to write 'random state'
    e is 65537 (0x10001)
    $ ls

    So, we have the private key in place. This will be used to generate the certificate.

    If “unable to write ‘random state'” bothers you, then check this out for a possible solution: http://stackoverflow.com/a/94458

  2. The self-signed certificate
    A certificate can now be generated using the following command.

    openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

    $ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:XX
    State or Province Name (full name) [Some-State]:XX
    Locality Name (eg, city) []:XX
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:XX
    Organizational Unit Name (eg, section) []:XX
    Common Name (e.g. server FQDN or YOUR name) []:XX
    Email Address []:XX
    $ ls
    cacert.pem  privkey.pem

These files can easily be tested by starting a test SSL/TLS server (s_server(1) and connecting to it using a client (s_client(1)).

$ openssl s_server -port <port> -cert /path/to/cacert.pem -key /path/to/privkey.pem

$ openssl s_client -host <server-host> -port <server-port> -key /path/to/privkey.pem

Reference : https://www.openssl.org/docs/HOWTO/
Thats all!