Friday, June 11, 2021

Creating a Self-Signed Certificate with a Root CA using openssl

Introduction

Over the years I have lost count of the number of times I have had to create a self-signed certificate for one reason or another, and every time I do it I have forgotten the various commands. So I thought I would actually write them down in a small blog post that I can refer back to without going through an internet search engine to find the answers.  :-)


The Root CA

Sometimes it is handy to create a single root CA: it can be distributed to the various trust stores, and all certificates created using this root CA are then trusted.

1. Create a root CA key file

$ openssl genrsa -out rootCA.key 4096

2. Create and sign the root certificate.

$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

This will create a file called rootCA.crt, which can be added to trust stores.
For Debian/Ubuntu, copy this file to /usr/local/share/ca-certificates/ and run the command update-ca-certificates:

$ sudo cp rootCA.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates


The Certificate (With SANs)

First create a file with the details you want in the certificate, specifically any Subject Alternative Names (SANs) you want the certificate to be created with.


$ cat myhost-sans.cnf
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                = Two Letter code
stateOrProvinceName        = State or Province
localityName               = Area or City
organizationName           = Organisation
commonName                 = myhost.mydomain.com
[ req_ext ]
subjectAltName = @alt_names
[ v3_ca ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = myhost.mydomain.com
DNS.2   = myhost
DNS.3   = my-alternative-name.mydomain.com

When creating a certificate, the above file can be used to create the Certificate Signing Request (CSR), which is what is needed when getting a "real" certificate from an authority. However, openssl will not add the SANs to the certificate it creates unless we explicitly tell it to do so with another file.

$ cat myhost-cert-sans.cnf
[v3_ca]
subjectAltName = DNS:myhost.mydomain.com, DNS:myhost, DNS:my-alternative-name.mydomain.com

Now we are ready to create the certificate.

1. Create the key file

$ openssl genrsa -out my-cert.key 2048

2. Create and Sign the certificate signing request

$ openssl req -new -sha256 -key my-cert.key -config ./myhost-sans.cnf -out my-host.csr

This will interactively prompt you for the various certificate name fields. We can check the content of the certificate signing request:

$ openssl req -in my-host.csr -noout -text

3. Assuming all looks OK, we can use this to generate the certificate.

$ openssl x509 -req -in my-host.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out my-host.crt -days 1024 -sha256 -extensions v3_ca -extfile myhost-cert-sans.cnf

This will create the certificate file my-host.crt, which can then be used to serve your website, image repository, REST endpoint etc. over TLS.

You can check the certificate in the same way that was done for the request.

$ openssl x509 -in my-host.crt -noout -text
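The whole procedure above run end to end, as an added example (not the post's own script): it replaces the interactive prompts with `prompt = no` config files, marks the root as a CA explicitly so the result does not depend on the system openssl.cnf, uses constructed host and file names, and finishes with the checks worth running after signing: the chain verifies against the root, the SAN is present in the issued certificate, and the leaf is not itself a CA.

```shell
# Added example, not from the original post: the root-CA + SAN-cert procedure
# run non-interactively, then checked. Host and file names are constructed.
set -eu
issue_and_verify() {
  workdir=$(mktemp -d)
  (
    cd "$workdir"
    # Root CA config: supplies the DN and marks the cert as a CA explicitly,
    # so the result does not depend on the system openssl.cnf defaults.
    cat > rootca.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = root_ext
[ dn ]
CN = Example Internal Root CA
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -out rootCA.key 4096 2>/dev/null
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
      -config rootca.cnf -out rootCA.crt
    # Leaf config: the DN for the CSR plus the section that
    # 'openssl x509 -req -extensions' applies at signing time.
    cat > myhost.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = myhost.example.internal
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:myhost.example.internal, DNS:myhost
EOF
    openssl genrsa -out my-cert.key 2048 2>/dev/null
    openssl req -new -sha256 -key my-cert.key -config myhost.cnf -out my-host.csr
    openssl x509 -req -in my-host.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
      -days 1024 -sha256 -extensions v3_server -extfile myhost.cnf -out my-host.crt 2>/dev/null
    # Checks: chain validates against the root, SAN is in the issued cert, leaf is not a CA.
    openssl verify -CAfile rootCA.crt my-host.crt >/dev/null
    openssl x509 -in my-host.crt -noout -text > leaf.txt
    grep -q 'DNS:myhost.example.internal' leaf.txt
    if grep -q 'CA:TRUE' leaf.txt; then echo "leaf is a CA" >&2; exit 1; fi
  )
  echo "$workdir"
}
```

The function prints the scratch directory holding rootCA.crt, my-host.crt and my-cert.key; any failed check aborts with a non-zero exit.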