A self-signed certificate is very useful when we are in a development or closed environment and need a secure communication channel between the nodes of our system, for example HTTPS between client and server. For our self-signed certificate to be recognized by every node in the system, we generate our own CA certificate and distribute it to all nodes. Each node uses this CA certificate to verify who issued the server certificate: it acts like a stamp confirming that the certificate was issued by the authority named in the certificate itself. The OpenSSL CLI tool is used for this purpose. The following steps generate a valid CA certificate and a self-signed server certificate issued by it.
- Generate a private CA key
- Generate a public CA certificate
- Generate a private key for the target server
- Generate a CSR for the server
- Generate a public server certificate and sign it with the CA certificate
Before we start generating certificates, we create a directory and run every command inside it so that all results are stored in one place. The CA files are generated only once, so they can live directly in the root of the directory. We may have several servers, though, each needing its own certificate, so the server files go into one sub-directory per server. The resulting structure is illustrated below.
certs/
  ca.key
  ca.crt
  server1/
    server.key
    server.csr
    server.crt
  server2/
    server.key
    server.csr
    server.crt
Generate a private key for the CA
We can run the following command. Because the key is encrypted with DES3 (-des3), we will be prompted to set a password for the private key.
openssl genrsa -des3 -out ca.key 2048
Generate a public certificate for the CA
We can generate the public certificate with the following command. When we run it, we are prompted for several required fields on the terminal. Note that the FQDN should be a domain name aligned with how the target server will be accessed. The IP address of the server is also allowed for the FQDN.
openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt
The following capture is an example of the required data we need to fill in.
Generate a private key for the target server
We can generate the key with the following command. We do not encrypt this key, so that a web server engine or another application can load it without a password.
openssl genrsa -out server1/server.key 2048
Generate the server CSR
The following command starts the CSR generation and prompts for several required fields. This time, however, the data describes the target server, not the CA. The requested challenge password can be left blank.
openssl req -new -key server1/server.key -out server1/server.csr
Generate a public certificate and sign it with the CA certificate
Once we have the server CSR, we can generate the public certificate and sign it with the CA certificate. We run the following command and enter the password of the CA key when prompted.
openssl x509 -req -in server1/server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server1/server.crt -days 365 -sha256
If we apply the certificates on a web server that serves a web application, we can see the certificate information in the browser's certificate viewer.
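The five steps above as one non-interactive script, added here as an example rather than taken from the original post. It assumes openssl is on PATH and that the CA key password is supplied through a CA_PASS environment variable; the directory layout, the subject names and the host dev.example.internal are constructed. It goes slightly beyond the post by adding a subjectAltName, which current browsers require alongside the CN, and by verifying the resulting chain.

```shell
#!/bin/sh
# Added example: the five steps above as one non-interactive script, plus a
# verification step. Assumes openssl is on PATH and that the CA key password
# is supplied in the CA_PASS environment variable. Directory and subject
# values are constructed for illustration.
set -eu

make_ca_and_server_cert() {
  dir="$1"    # working directory (the page uses certs/)
  host="$2"   # FQDN or IP the server is reached as; goes into CN and SAN
  mkdir -p "$dir/server1"

  # 1. Private CA key. The page uses -des3 with a prompted password; -aes256
  #    is the stronger modern choice, and -passout lets the script run
  #    unattended instead of prompting.
  openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" 2048

  # 2. Self-signed CA certificate. -subj replaces the interactive prompts.
  openssl req -x509 -new -key "$dir/ca.key" -passin env:CA_PASS -sha256 \
      -days 365 -subj "/CN=Dev Internal CA" -out "$dir/ca.crt"

  # 3. Unencrypted server key (as on the page, so a web server can load it).
  openssl genrsa -out "$dir/server1/server.key" 2048

  # 4. Server CSR. Only the CN is set; the challenge password is skipped.
  openssl req -new -key "$dir/server1/server.key" -subj "/CN=$host" \
      -out "$dir/server1/server.csr"

  # 5. Sign with the CA. Browsers ignore the CN and require a subjectAltName,
  #    so it is supplied via -extfile (simple heuristic: digits and dots = IP).
  case "$host" in
    *[!0-9.]*) san="DNS:$host" ;;
    *)         san="IP:$host"  ;;
  esac
  printf 'subjectAltName=%s\n' "$san" > "$dir/server1/san.cnf"
  openssl x509 -req -in "$dir/server1/server.csr" -CA "$dir/ca.crt" \
      -CAkey "$dir/ca.key" -passin env:CA_PASS -CAcreateserial \
      -days 365 -sha256 -extfile "$dir/server1/san.cnf" \
      -out "$dir/server1/server.crt"

  # Check: the server certificate must chain to ca.crt; this is the same
  # check every node holding ca.crt performs when it connects.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server1/server.crt"
}

# Stand-alone usage: CA_PASS='secret' sh make_certs.sh certs dev.example.internal
if [ -n "${1:-}" ]; then
  make_ca_and_server_cert "$1" "${2:-dev.example.internal}"
fi
```

Distribute only ca.crt to the other nodes; ca.key stays on the machine that issues certificates.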