Home OpenSSL Creating a Host Certificate
Post
Cancel

OpenSSL Creating a Host Certificate

In this post we’ll look at how to create our own Host Certificates using OpenSSL. These certificates can be used on web-servers for enabling TLS.

A valid CA Certificate and Private key will be required to follow this tutorial. If you do not have these, you can create them by following this guide.

  1. Generating a Private Key
  2. Generating a Certificate Signing Request (CSR)
  3. Generating a Certificate
  4. Using the Certificate

Generating a Private Key

The first step is to create a Private key for our certificate. We can choose either an RSA key or an Elliptic Curve key.

List OpenSSL Supported Elliptic Curves

The following command will display a list of supported OpenSSL elliptic curves. We’ll need to choose one of these curves when we are generating our Private key.

1
openssl ecparam -list_curves

Elliptic Curve Private Key

1
openssl ecparam -genkey -name secp384r1 -out host.key
  • secp384r1 is the name of the curve we are using.
  • host.key is the name of the output file where we want to store the Private key.

RSA Private Key

The following command will generate a 2048-bit RSA key:

1
openssl genrsa -out host.key

2048-bits is the standard size. A custom key size can be specified by giving an extra argument. The following command will generate a 4096-bit RSA key:

1
openssl genrsa -out host.key 4096

Generating a Certificate Signing Request (CSR)

CSR Configuration File

We need to specify some parameters for our certificate before we can create it.

Create a file called host.conf and add the following:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[req]
default_md = sha512
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C   = AU
ST  = Victoria
L   = Melbourne
O   = My Company
OU  = My Division
CN  = testing.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = testing.com
DNS.2 = *.testing.com
  • Customize the C, ST, L, O, OU and CN to your desired values.

The CN (Common Name) field will be displayed when your computer shows the certificate path:

The DNS.* fields represent other domains that this certificate will also be valid for. Remember that a certificate valid for *.testing.com is NOT valid for testing.com, so it must be added separately.

Creating the CSR

We are now ready to create a certificate signing request (CSR) using the private key and config we just created. The CSR will then need to be signed by a CA before it can be used.

1
openssl req -new -sha512 -nodes -key host.key -out host.csr -config host.conf

Generating a Certificate

Configuration File

We need to specify some extra parameters so that our final certificate will be fully trusted X.509 Cert.

Create a file called host-ext.conf and add the following:

1
2
3
4
5
6
7
8
9
10
11
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "My First Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = testing.com
DNS.2 = *.testing.com
  • Update the nsComment and DNS.* fields to your desired values.

Signing the CSR

We are now ready to sign the CSR using a CA and 2nd config file we created. The output will be our Certificate that is ready to be used.

1
openssl x509 -req -sha512 -days 45 -in host.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out host.crt -extfile host-ext.conf

Using the Certificate

The output files host.key and host.crt are now ready to be used for a HTTPS server. If your browser trusts the Root CA that was used to sign the CSR then the host certificate will be valid and trusted.

This post is licensed under CC BY 4.0 by the author.