OpenSSL Creating a Host Certificate
In this post we’ll look at how to create our own Host Certificates using OpenSSL. These certificates can be used on web-servers for enabling TLS.
A valid CA Certificate and Private key will be required to follow this tutorial. If you do not have these, you can create them by following this guide.
- Generating a Private Key
- Generating a Certificate Signing Request (CSR)
- Generating a Certificate
- Using the Certificate
Generating a Private Key
The first step is to create a Private key for our certificate. We can choose either an RSA key or an Elliptic Curve key.
List OpenSSL Supported Elliptic Curves
The following command will display a list of supported OpenSSL elliptic curves. We’ll need to choose one of these curves when we are generating our Private key.
1
openssl ecparam -list_curves
Elliptic Curve Private Key
1
openssl ecparam -genkey -name secp384r1 -out host.key
secp384r1is the name of the curve we are using.host.keyis the name of the output file where we want to store the Private key.
RSA Private Key
The following command will generate a 2048-bit RSA key:
1
openssl genrsa -out host.key
2048-bits is the standard size. A custom key size can be specified by giving an extra argument. The following command will generate a 4096-bit RSA key:
1
openssl genrsa -out host.key 4096
Generating a Certificate Signing Request (CSR)
CSR Configuration File
We need to specify some parameters for our certificate before we can create it.
Create a file called host.conf and add the following:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[req]
default_md = sha512
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = AU
ST = Victoria
L = Melbourne
O = My Company
OU = My Division
CN = testing.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = testing.com
DNS.2 = *.testing.com
- Customize the
C,ST,L,O,OUandCNto your desired values.
The CN (Common Name) field will be displayed when your computer shows the certificate path:
The DNS.* fields represent other domains that this certificate will also be valid for. Remember that a certificate valid for *.testing.com is NOT valid for testing.com, so it must be added separately.
Creating the CSR
We are now ready to create a certificate signing request (CSR) using the private key and config we just created. The CSR will then need to be signed by a CA before it can be used.
1
openssl req -new -sha512 -nodes -key host.key -out host.csr -config host.conf
Generating a Certificate
Configuration File
We need to specify some extra parameters so that our final certificate will be fully trusted X.509 Cert.
Create a file called host-ext.conf and add the following:
1
2
3
4
5
6
7
8
9
10
11
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "My First Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = testing.com
DNS.2 = *.testing.com
- Update the
nsCommentandDNS.*fields to your desired values.
Signing the CSR
We are now ready to sign the CSR using a CA and 2nd config file we created. The output will be our Certificate that is ready to be used.
1
openssl x509 -req -sha512 -days 45 -in host.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out host.crt -extfile host-ext.conf
Using the Certificate
The output files host.key and host.crt are now ready to be used for a HTTPS server. If your browser trusts the Root CA that was used to sign the CSR then the host certificate will be valid and trusted.