Cryptography - How to self-sign a Certificate (for a test or internal server)


1 - About

A certificate that is signed with its own private key (issuer and subject are the same entity) is called a self-signed certificate. Every root CA certificate at the top of a certificate chain is self-signed.

This article shows how to create a self-signed TLS (SSL) certificate.

For a web site, such a certificate triggers a warning in the client browser because the signing certificate authority (here: the certificate itself) is not in the client's truststore. It is unknown and therefore not trusted; the warning only goes away once the certificate has been imported into the truststore of every client that must accept it.


3 - Steps

3.1 - Create a private key

See also the dedicated article on creating a private key.

  • Create a passphrase file holding the value thisIsAVeryLongSecretPassPhrase and generate a key encrypted with it. The file contains the passphrase in clear text, so restrict its permissions and delete it when you are done. The 1024-bit RSA key generated below is only acceptable for a throwaway test; use at least 2048 bits for anything that will actually serve traffic.
echo thisIsAVeryLongSecretPassPhrase > pass.txt
openssl genrsa -des3 -out server.key.pem -passout file:pass.txt 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......................................................................................................++++++
................++++++
e is 65537 (0x10001)
  • Show the PEM-encoded key. The Proc-Type and DEK-Info headers indicate that it is encrypted, here with the legacy DES-EDE3-CBC cipher (-des3); for a fresh key prefer -aes256.
cat server.key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,26D0ABB3C2436B9F

...
-----END RSA PRIVATE KEY-----

3.2 - Remove the passphrase

When the server starts, it prompts for the key passphrase if the key is encrypted, which makes unattended restarts impossible. The statements below write an unencrypted copy of the key. That file now holds the key in clear text, so give it owner-only permissions (chmod 600), restrict it to the account the server runs as, and keep it out of version control; the encrypted original is kept as server.key_with_pwd.pem.

cp server.key.pem server.key_with_pwd.pem
openssl rsa -in server.key_with_pwd.pem -out server.key.pem -passin file:pass.txt
writing RSA key

3.3 - Generate a CSR (Certificate Signing Request)

All request parameters are supplied through a configuration file (the -config filename option), so the process runs without typing any input.

  • The configuration file is shown below. OpenSSL treats only lines starting with # as comments; the ; comment style of ini files is not understood, so such lines must be removed (or rewritten with #) before the file is used. For a server certificate the CN should be the host name that clients connect to, and modern browsers (Chrome since version 58) ignore the CN altogether and match the host name against a subjectAltName extension; the request below has neither, so it identifies a person (CN=Nico) rather than a server.
config.ini
# The configuration options of the generation are specified in the req section of the configuration file.
[ req ]
default_bits		= 1024
distinguished_name	= req_distinguished_name
attributes		= req_attributes
prompt			= no
# output_password is only used when req generates the key itself (-newkey); it is ignored here because -key is given
output_password		= mypass

[ req_distinguished_name ]
C			= NL
ST			= Noord-holland
L			= Oegstgeest
O			= GerardNico
OU			= Nerdy
CN			= Nico
emailAddress		= [email protected]

# Request attributes are extra attributes sent along with the certificate request (a challengePassword is rarely used by CAs)
[ req_attributes ]
challengePassword		= A challenge password
openssl req -new -key server.key.pem -out server.csr -passin file:pass.txt -config config.ini
Loading 'screen' into random state - done
  • By default the CSR file is written in PEM format, i.e. Base64-encoded DER between BEGIN and END lines.
cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIB/jCCAWcCAQAwgZMxCzAJBgNVBAYTAk5MMRYwFAYDVQQIDA1Ob29yZC1ob2xs
YW5kMRMwEQYDVQQHDApPZWdzdGdlZXN0MRcwFQYDVQQKDA5HZXJhcmRuaWNvLmNv
bTEPMA0GA1UECwwGU2VjcmV0MQ0wCwYDVQQDDAROaWNvMR4wHAYJKoZIhvcNAQkB
Fg9nbmljb0BnbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANBN
wGYoOWf8Hh1RhnKj9FDaeUygQDBwCeuk1M4gNMxpoS4HqUHl/6RUraa8mX6hu59i
zRDdR0Y3aW0jePc7qKGBTE3Q01R2llcZr73WqBrmBLc3xh3nx2FnqyCTn6BEWSee
xECM/nrgLAunDW4AjnaEIUViqS2s2lZfscLvNJYXAgMBAAGgKjATBgkqhkiG9w0B
CQIxBgwEbmljbzATBgkqhkiG9w0BCQcxBgwEMTIzNDANBgkqhkiG9w0BAQsFAAOB
gQB6bEyPH9tFSqlhsXXrpmtOTj993OuK2uBOGIrFKkb8nwRCyRh7IzI8vfS2yZA8
ypfl+cQ9/bf/URrbf9hanWPNNZnKHfOFUBV9viXe3E8pMn0dbDiS2rFvYnDS3AMA
T2lU8tTxB69Eqfir0+Z0XOHEuGrBXBgX2c848fYYI+8RIg==
-----END CERTIFICATE REQUEST-----

3.4 - Sign the certificate

The request is signed with its own private key (-signkey), which is what makes the result self-signed. Without -extfile and -extensions, openssl x509 -req adds no extensions and emits a version 1 certificate, as the Version: 1 line in the output further below shows; a server certificate that browsers accept needs X.509v3 extensions, at least a subjectAltName.

openssl x509 \
    -req `#input is a certificate request, sign and output` \
    -days 365 `#How long till expiry of a signed certificate - def 30 days` \
    -in server.csr \
    -signkey server.key.pem \
    -passin file:pass.txt \
    -out server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=NL/ST=Noord-holland/L=Oegstgeest/O=GerardNico/OU=Nerdy/CN=Nico/[email protected]
Getting Private key
cat server.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
  • Inspect the certificate. Issuer and Subject are identical, which is the mark of a self-signed certificate:
openssl x509 -in server.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            9f:97:73:c5:0e:6f:00:08
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=NL, ST=Noord-holland, L=Oegstgeest, O=GerardNico, OU=Nerdy, CN=Nico/[email protected]
        Validity
            Not Before: Feb 12 22:03:53 2018 GMT
            Not After : Feb 12 22:03:53 2019 GMT
        Subject: C=NL, ST=Noord-holland, L=Oegstgeest, O=GerardNico, OU=Nerdy, CN=Nico/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c0:42:e3:1f:ac:4a:d8:cc:f6:fe:0d:0a:ba:3f:
                    dd:28:f1:6c:d3:5d:3e:e0:90:63:fa:d4:de:dc:1b:
                    49:1a:f4:be:22:d1:6b:35:e2:97:7a:b7:cd:b4:b2:
                    be:5d:e9:87:8a:52:05:f1:99:3e:4d:18:be:e6:1e:
                    45:0a:bb:96:75:90:59:31:e8:28:ca:f4:b3:05:c9:
                    64:23:90:4e:a1:c6:77:5c:71:a9:9b:5c:72:67:dc:
                    71:61:7f:6b:3d:b6:e0:a1:50:21:13:da:db:47:94:
                    ad:8e:72:f0:97:40:d2:2e:6a:22:4a:88:46:cc:0c:
                    8d:5d:b6:5c:f8:0b:dc:0e:39
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         40:0f:cc:9d:d6:b4:40:c7:e4:02:0d:44:ea:aa:0a:a6:b7:cb:
         aa:8a:76:4b:b2:d4:82:43:4b:29:80:bc:0b:90:f0:88:87:6f:
         bf:47:0c:52:7a:98:a5:e2:94:1e:7c:9b:19:83:78:c9:95:1b:
         19:b5:d6:63:1c:f4:11:a9:04:b3:b1:10:a5:81:dd:f9:50:c8:
         19:f2:45:f5:21:5c:d0:74:2a:94:6e:83:9e:a6:7d:3b:32:c0:
         cf:b1:77:5c:ca:44:0f:96:c8:b4:43:6e:91:f8:35:31:e6:7a:
         28:35:d8:32:17:89:42:b3:e2:b9:f1:e6:02:54:47:db:b7:ff:
         a7:ab
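The whole procedure above (key, request, self-signature, inspection) as one script. This is an added example, not code from the original page; it assumes a POSIX shell and OpenSSL 1.1.1 or later on PATH, and the host name internal.example.test, the output directory, the organisation name and the function names are placeholders chosen here. It deliberately departs from the steps above where a practitioner would today: a 2048-bit key written without a passphrase (so the removal step is not needed) and created owner-only, a CN equal to the host name, and a subjectAltName plus CA:FALSE supplied through an x509_extensions section so that req -x509 emits an X.509v3 certificate instead of the version 1 certificate that x509 -req produces without -extfile.

```sh
#!/bin/sh
# Added example (not from the original page): a self-signed server certificate
# in one pass. Assumes a POSIX shell and OpenSSL 1.1.1+ on PATH; the host name,
# output directory and organisation below are placeholders.
set -eu

# make_self_signed_cert HOST OUTDIR
# Writes OUTDIR/server.key.pem (unencrypted, mode 0600) and OUTDIR/server.crt
# (X.509v3, valid 365 days, subjectAltName DNS:HOST).
make_self_signed_cert() {
    host=$1
    outdir=$2
    mkdir -p "$outdir"

    # Config for 'req -config': 'prompt = no' takes the DN from the file instead
    # of asking. Only lines starting with '#' are comments in OpenSSL config files.
    cat > "$outdir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_server
prompt             = no

[ req_distinguished_name ]
C  = NL
O  = Example Internal Server
CN = $host

# Extensions for a leaf (server) certificate. Browsers match the host name
# against subjectAltName, not CN; CA:FALSE says this key may not sign other certs.
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF

    # 2048-bit RSA key, no passphrase (the server can start unattended); umask 077
    # makes the file owner-only from the moment it is created.
    (umask 077 && openssl genrsa -out "$outdir/server.key.pem" 2048)

    # 'req -x509' signs the request with its own key and writes the certificate
    # directly, so no separate CSR and 'x509 -req' step is needed.
    openssl req -new -x509 -days 365 \
        -key "$outdir/server.key.pem" \
        -config "$outdir/openssl.cnf" \
        -out "$outdir/server.crt"
}

# cert_has_san CERT HOST: succeeds if CERT lists HOST as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_is_self_signed CERT: succeeds if issuer and subject are the same name.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# cert_verifies_against_itself CERT: the chain check a client performs once CERT
# is in its trust store; here the certificate is both the leaf and the anchor.
cert_verifies_against_itself() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# key_is_owner_only KEYFILE: succeeds if the private key is mode 0600 (-rw-------).
key_is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh selfsigned.sh HOST OUTDIR   (for example: internal.example.test ./pki)
if [ $# -eq 2 ]; then
    make_self_signed_cert "$1" "$2"
    cert_has_san "$2/server.crt" "$1"
    cert_is_self_signed "$2/server.crt"
    cert_verifies_against_itself "$2/server.crt"
    key_is_owner_only "$2/server.key.pem"
    echo "OK: server.crt is self-signed with SAN DNS:$1 and verifies; key is owner-only"
    openssl x509 -in "$2/server.crt" -noout -subject -issuer -ext subjectAltName
fi
```

keyUsage is left out of the extension section on purpose: OpenSSL only accepts a certificate as its own issuer when any keyUsage extension it carries includes keyCertSign, which is the wrong bit for a leaf certificate, so a self-signed server certificate with keyUsage = digitalSignature, keyEncipherment is rejected by openssl verify. Clients still have to import server.crt into their truststore; that is what the self-verification at the end stands in for.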
