{"id":441,"date":"2013-02-28T13:45:31","date_gmt":"2013-02-28T12:45:31","guid":{"rendered":"http:\/\/songoku.homelinux.com\/wordpress\/?p=441"},"modified":"2023-10-24T17:13:18","modified_gmt":"2023-10-24T15:13:18","slug":"create-self-signed-certificates-with-openssl","status":"publish","type":"post","link":"https:\/\/ndk.sytes.net\/wordpress\/?p=441","title":{"rendered":"Create self-signed certificates with OpenSSL"},"content":{"rendered":"\n

Hey, here are a few steps to create your own self-signed certificates with your own CA:<\/p>\n\n\n\n

    \n
  1. Generate your 4096 bit CA key (no password):
    # openssl genrsa -out CA.key 4096<\/em>
    or generate one with a password:
    # openssl genrsa -out CA.key 4096 -des3<\/em><\/li>\n<\/ol>\n\n\n\n

    \u200bPlease note that if someone gets this key and it’s not password protected he can generate valid certificates in your name, which is really really bad, so keep it secret!<\/strong><\/p>\n\n\n\n

      \n
    1. Generate your CA certificate:
      # openssl req -new -x509 -extensions v3_ca -key CA.key -days 10000 -out CA.crt<\/em><\/li>\n<\/ol>\n\n\n\n

      \u200bThis creates a valid CA certificate wich is valid for 10000 days. Why so long? Because when this CA expires you have to revoke and regenerate all the certificates based on this one which could be timeconsuming, but feel free to set a lower number. In order to recognize your self-signed certificates this CA must be installed on your computer which calls the website or alike. which varies between operating systems and programs.<\/span><\/p>\n\n\n\n

        \n
      1. Generate a key for the server (again with or without password, simply add -des3 if you want password protection):
        # openssl genrsa -out server.key 4096<\/em><\/li>\n\n\n\n
      2. Create A CSR (certificat signing request):
        # openssl req -new -key server.key -out server.csr\u200b<\/em><\/em><\/li>\n<\/ol>\n\n\n\n

        \u200bNow before creating a CRT file: if you need multiple domains you can specifiy them in a separate file. In my example i named it multidomains.cnf and added the following line:<\/p>\n\n\n\n

        subjectAltName=DNS:www.domain.com,DNS:mail.domain.com,DNS:domain.com,DNS:mysql.domain.com<\/p>\n\n\n\n

        Please note that you need to specify the normal domain too (domain.com) in this file and as CommonName when generating the CSR.<\/p>\n\n\n\n

          \n
        1. Generate the server certificate:
          # openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt -days 365<\/em>
          generate with multidomains:
          # openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -extfile multidomains.cnf -out server.crt -days 365<\/em><\/li>\n<\/ol>\n\n\n\n

          In case you want the to do quickly a certificate, you can do it also in one line:<\/p>\n\n\n\n

          openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt<\/code><\/code><\/pre>\n\n\n\n
          \u200bAll you have to do now is copy the server.key<\/em> and server.crt<\/em> onto your machine and configure your application to use this certificates.<\/p>\n\n\n\n
          Here are some useful sites if found about SSL:
          http:\/\/www.chainsawonatireswing.com<\/a>
          http:\/\/phaseshiftllc.com<\/a>
          http:\/\/blog.didierstevens.com<\/a>
          http:\/\/shib.kuleuven.be<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
          Hey, here are a few steps to create your own self-signed certificates with your own CA: \u200bPlease note that if someone gets this key and it’s not password protected he can generate valid certificates in your name, which is really really bad, so keep it secret! \u200bThis creates a valid CA certificate wich is valid […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,10,7,9],"tags":[],"class_list":["post-441","post","type-post","status-publish","format-standard","hentry","category-linuxunix","category-mac-osx","category-servers","category-windows"],"_links":{"self":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=441"}],"version-history":[{"count":3,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/441\/revisions"}],"predecessor-version":[{"id":1287,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/441\/revisions\/1287"}],"wp:attachment":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}