Creating Self-Signed SSL Certificates using OpenSSL

If you are creating an e-commerce website, you really need to use a SSL certificate signed by a Certificate Authority (CA). The CA acts as a trusted third party, providing visitors to your website a high level of confidence that they have actually reached your website. Once visitors reach your website, the SSL certificate also allows visitors to conduct their business privately, by encrypting the session.

However, there are many cases where the privacy of an encrypted SSL session is desired, but where the services of a CA are not needed. Some examples of these might be SSL-VPNs for your users, or test SSL certificates for your development websites. In these special cases, Self-Signed SSL Certificates can be used (please read the warning below).

OpenSSL is a commonly used SSL "toolkit" and is available for a variety of platforms. One of the many uses of OpenSSL is for generating certificate requests, and for signing certificates. OpenSSL can be used to create a Self-Signed SSL Certificate.

Generating a Private Key

SSL uses public-key cryptography, which consists of a public and private key pair. The first step in creating the certificate is to generate a private key. The following command generates a 1024 bit RSA private key:

openssl genrsa -out server.key 1024 

Very important: You must keep this private key secure. Typically this means putting the key in a place that no other users may access and/or setting the permissions on the file such that uses may not access the file. While it is possible to encrypt the key using the -des3 option to openssl, this is typically not done since it requires creating a passphrase, and the pass phrase must be entered any time the key is accessed. Since most of these key pairs are used by webservers at start time, a pass-phrase is typically not desired.

Generate a Certificate Request

The next step is to generate a Certificate Request. You can generate the request using the following command:

openssl req -new -key server.key -out server.csr

The above command will prompt you for a series of information. Although it is not necessary to provide all the data, you may increase the comfort level of your users if you complete the data. The following data fields are requested:

  • Country (C) - an abbreviation for your country name.
  • State (ST) - the full name of your state.
  • City (L) - the full name of your city.
  • Organization (O) - the name of your company.
  • Organizational Unit (OU) - the name of your division within your company (often blank for a small company).
  • Common Name (CN) - enter the hostname of your site here, as you plan to access it. If the name you place here doesn't match how you access the site, you may get warnings when you connect.

(Self) Signing the Certificate Request

The above steps are common with generating a certificate request to send to a CA. However, in our case, we are acting as our own CA, so we can sign the certificate request ourselves with the following command:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The new certificate is now ready for use. Use the server.key and the server.crt files generated above.

Viewing an Existing SSL Certificate

If you would like to view your new certificate, or perhaps examine a previous certificate, you can use the following command:

openssl x509 -noout -text -in server.crt 

Converting an OpenSSL Self-Signed Certificate for use with Windows

If you want to use your self-signed certificate on a Windows server, you can run the following command to export the certificate into a file format that Windows can import:

openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx

As you step through the SSL Wizard in Windows, you should see an option to Import a Key from a PFX file, allowing you to use the server.pfx file generated above.

Using the Self-Signed Certificate

With Self-Signed SSL Certificates, it is important to stress that it is up to the user of the certificate to confirm its authority. If the certificate is used on a development web server on your LAN, in most cases you can be confident that you are actually accessing the proper certificate and simply proceed! However, for use over the Internet, you can't always be sure you are getting to your desired site, even if you use the IP address instead of the site name! Some level of validation of the certificate should be done before the certificate is used.

(to be continued)

Comments

Since writing this article, I have found that when creating a self-signed certificate, the above steps can be consolidated into a single (long!) command:
openssl req -x509 -nodes -days 365\
-newkey rsa:1024 -keyout server.key -out server.crt

Use the server.key and the server.crt files as described above. The 'no DES' option shown avoids the prompting for a passphrase. You can even provide all the metadata on the command-line as slash-separated options to the '-subj' argument, as follows (if you want to avoid those prompts):

openssl req -x509 -nodes -days 365\
-subj '/C=country/ST=state/L=city/CN=hostname'\
-newkey rsa:1024 -keyout server.key -out server.crt

Be sure to provide the answers you would have entered above instead of 'country', 'state', 'city', and 'hostname' shown. Any of the data fields may be provided in this manner.

 

Good work, it's pleasure to read your articles. Waiting for more