Creating a Self-Signed Certificate: Difference between revisions
DrEdWilliams (talk | contribs) (Created page with "You can do that in one command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 You can also add '''-nodes''' if you don't want to protect your p...") |
DrEdWilliams (talk | contribs) mNo edit summary |
||
| Line 1: | Line 1: | ||
== Standard Certificates == | |||
You can do that in one command: | You can do that in one command: | ||
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 | openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes | ||
The '''-nodes''' option disables protecting your cert with a passphrase, otherwise it will prompt you for "at least a 4 character" password. The days parameter (365) you can replace with any number to affect expiration date. It will then prompt you for things like "Country Name" but you can just hit enter and accept defaults. | |||
Self-signed certs are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a CA | Self-signed certs are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a CA | ||
Add '''-subj '/CN=localhost'''' to suppress questions about the contents of the certificate (replace localhost with your desired domain) | Add '''-subj '/CN=localhost'''' to suppress questions about the contents of the certificate (replace localhost with your desired domain) | ||
Reading/Verifying a certificate | == Creating a Cert with a SAN == | ||
(from https://geekflare.com/san-ssl-certificate/) | |||
Create a file named ''san.cnf'' with the following information: | |||
<pre>[ req ] | |||
default_bits = 2048 | |||
distinguished_name = req_distinguished_name | |||
req_extensions = req_ext | |||
[ req_distinguished_name ] | |||
countryName = Country Name (2 letter code) | |||
stateOrProvinceName = State or Province Name (full name) | |||
localityName = Locality Name (eg, city) | |||
organizationName = Organization Name (eg, company) | |||
commonName = Common Name (e.g. server FQDN or YOUR name) | |||
[ req_ext ] | |||
subjectAltName = @alt_names | |||
[alt_names] | |||
DNS.1 = bestflare.com | |||
DNS.2 = usefulread.com | |||
DNS.3 = chandank.com</pre> | |||
Note: alt_names section is the one you have to change for additional DNS. You can also use ''IP.1'' entries to insert IP addresses as SANs | |||
Save the file and execute the following OpenSSL command, which will generate CSR and KEY file | |||
openssl req -out sancert.csr -newkey rsa:2048 -nodes -keyout sancert.key -config san.cnf | |||
This will create sslcert.csr and private.key in the present working directory. Then you can turn that CSR into a certificate using this command: | |||
openssl x509 -req -days 365 -in sancert.csr -signkey sancert.key -sha256 -out sancert.crt | |||
== Converting .pem to .crt == | |||
In most cases, a simple copy or rename will suffice, but if necessary, use openssl to convert the certificate: | |||
openssl x509 -in sancert.crt -out sancert.pem -outform PEM | |||
== Reading/Verifying a certificate == | |||
openssl x509 -in | openssl x509 -in cert.pem -text -noout | ||
Revision as of 16:25, 22 May 2021
Standard Certificates
You can do that in one command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
The -nodes option disables protecting your cert with a passphrase, otherwise it will prompt you for "at least a 4 character" password. The days parameter (365) you can replace with any number to affect expiration date. It will then prompt you for things like "Country Name" but you can just hit enter and accept defaults. Self-signed certs are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a CA
Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain)
Creating a Cert with a SAN
(from https://geekflare.com/san-ssl-certificate/)
Create a file named san.cnf with the following information:
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name (full name) localityName = Locality Name (eg, city) organizationName = Organization Name (eg, company) commonName = Common Name (e.g. server FQDN or YOUR name) [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = bestflare.com DNS.2 = usefulread.com DNS.3 = chandank.com
Note: alt_names section is the one you have to change for additional DNS. You can also use IP.1 entries to insert IP addresses as SANs
Save the file and execute the following OpenSSL command, which will generate CSR and KEY file
openssl req -out sancert.csr -newkey rsa:2048 -nodes -keyout sancert.key -config san.cnf
This will create sslcert.csr and private.key in the present working directory. Then you can turn that CSR into a certificate using this command:
openssl x509 -req -days 365 -in sancert.csr -signkey sancert.key -sha256 -out sancert.crt
Converting .pem to .crt
In most cases, a simple copy or rename will suffice, but if necessary, use openssl to convert the certificate:
openssl x509 -in sancert.crt -out sancert.pem -outform PEM
Reading/Verifying a certificate
openssl x509 -in cert.pem -text -noout