Creation of a Self-Signed Certificate
1. Create a new SSL private key.
The key can be generated encrypted or unencrypted. An encrypted key is protected by a passphrase, which then has to be typed (or otherwise supplied) every time the service restarts. We use an unencrypted key here to avoid that overhead, and rely on file permissions instead: keep the key mode 0600 and owned by the user the service runs as.
Generate a new unencrypted RSA private key in PEM format. Use at least 2048 bits; 1024-bit RSA keys are rejected by current browsers and TLS libraries:
openssl genrsa -out privkey.pem 2048
You can create an encrypted key instead by adding the -des3 option (or -aes256 on current OpenSSL releases).
2. Make a self-signed certificate.
Create a certificate signing request (CSR) using your RSA private key:
openssl req -new -key privkey.pem -out certreq.csr
This invocation asks a series of questions: Country Name, State, City, and so on. The one that matters is "Common Name". Answer it with the hostname (or CNAME) by which clients will address the server. If your web server's real hostname is mybox.mydomain.com but people will be using www.mydomain.com to reach the box, answer with the latter name. Note that modern browsers ignore the Common Name entirely and match the hostname against the subjectAltName extension only, so a certificate meant for browsers must also carry the name in a subjectAltName; with the two-step procedure below that extension is added at signing time through an extension file (-extfile).
(This CSR can instead be sent to a certificate authority (CA) to be signed.)
Self-sign your CSR with your own private key:
openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
The certificate newcert.pem is valid for 10 years (3650 days). Bear in mind that a self-signed certificate cannot be revoked through a CA, so anyone who obtains privkey.pem can impersonate the server until that date.
3. Check the contents of the certificate.
You can view the contents of a CSR with:
openssl req -noout -text -in certreq.csr
You can view the contents of a certificate with:
openssl x509 -noout -text -in newcert.pem
You can display the SHA-256 fingerprint of a certificate with the command below. Without a digest option OpenSSL prints the SHA-1 fingerprint, not MD5; pass -md5 only if a legacy tool insists on it:
openssl x509 -fingerprint -sha256 -noout -in newcert.pem
You can verify that your private key, CSR, and signed certificate belong together by hashing the RSA modulus of each; all three outputs must be identical:
openssl rsa -noout -modulus -in privkey.pem | openssl md5
openssl req -noout -modulus -in certreq.csr | openssl md5
openssl x509 -noout -modulus -in newcert.pem | openssl md5
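The three steps above, plus the modulus check, as one non-interactive script. This is an added example and not code from the original post: the subject fields, the 2048-bit key size, the hostname and output directory arguments, and the san.ext file name are assumptions made for illustration. The script answers the prompts with -subj, puts the hostname into a subjectAltName via -extfile at signing time (which works on OpenSSL 1.0 through 3.x, unlike -addext or extension copying), and exposes the consistency check as a function that returns non-zero when the key does not belong to the certificate.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an unencrypted
# 2048-bit RSA key, a CSR, and a 10-year self-signed certificate with a
# subjectAltName, then checks that key, CSR and cert share one modulus.
# Subject fields, hostname and output directory are illustrative assumptions.
set -eu

# make_self_signed HOSTNAME OUTDIR
#   1. unencrypted 2048-bit RSA key (1024-bit keys are rejected by
#      modern TLS clients)
#   2. CSR whose Common Name is HOSTNAME; -subj replaces the interactive
#      questions, so no terminal is needed
#   3. 10-year self-signed certificate. HOSTNAME is also written into a
#      subjectAltName extension (san.ext is an assumed file name) because
#      browsers match the hostname against the SAN only, never the CN.
make_self_signed() {
    host="$1"; out="$2"
    mkdir -p "$out"
    openssl genrsa -out "$out/privkey.pem" 2048 2>/dev/null
    openssl req -new -key "$out/privkey.pem" -out "$out/certreq.csr" \
        -subj "/C=US/ST=SomeState/L=SomeCity/O=Example Org/CN=$host"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$out/san.ext"
    openssl x509 -req -days 3650 -sha256 \
        -in "$out/certreq.csr" -signkey "$out/privkey.pem" \
        -extfile "$out/san.ext" -out "$out/newcert.pem" 2>/dev/null
}

# check_match KEY CSR CERT
#   Succeeds only if all three carry the same RSA modulus, i.e. the
#   certificate really was issued for this private key. The modulus is
#   hashed (SHA-256 here rather than MD5) only to keep the comparison short.
check_match() {
    k=$(openssl rsa  -noout -modulus -in "$1" | openssl sha256)
    r=$(openssl req  -noout -modulus -in "$2" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$3" | openssl sha256)
    [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# cert_has_san CERT HOSTNAME: succeeds if HOSTNAME appears as a DNS SAN.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q -F "DNS:$2"
}

# cert_fingerprint CERT: SHA-256 fingerprint as colon-separated hex only
# (the "Fingerprint=" label is stripped).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Stand-alone use:  sh selfsigned.sh www.mydomain.com ./certs
if [ "$#" -eq 2 ]; then
    make_self_signed "$1" "$2"
    if check_match "$2/privkey.pem" "$2/certreq.csr" "$2/newcert.pem"; then
        echo "key, CSR and certificate match"
    else
        echo "MISMATCH: certificate was not issued for this key" >&2
        exit 1
    fi
    echo "SHA-256 fingerprint: $(cert_fingerprint "$2/newcert.pem")"
fi
```

If you only need the certificate and never intend to send the CSR to a CA, the same result can be produced in one step with `openssl req -x509 -newkey rsa:2048 -nodes -keyout privkey.pem -out newcert.pem -days 3650 -subj "/CN=www.mydomain.com"` (adding the SAN with -addext on OpenSSL 1.1.1 or later); the two-step form above is kept because it mirrors the procedure in this post and keeps a CSR around for later CA signing.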