In this post we’ll look at how to create our own Host Certificates using OpenSSL. These certificates can be used on web-servers for enabling TLS.
A valid CA Certificate and Private key will be required to follow this tutorial. If you do not have these, you can create them by following this guide.
- Generating a Private Key
- Generating a Certificate Signing Request (CSR)
- Generating a Certificate
- Using the Certificate
Generating a Private Key
The first step is to create a Private key for our certificate. We can choose either an RSA key or an Elliptic Curve key.
The following command will display a list of supported OpenSSL elliptic curves. We’ll need to choose one of these curves when we are generating our Private key.
1 openssl ecparam -list_curves
1 openssl ecparam -genkey -name secp384r1 -out host.key
secp384r1is the name of the curve we are using.
host.keyis the name of the output file where we want to store the Private key.
The following command will generate a 2048-bit RSA key:
1 openssl genrsa -out host.key
2048-bits is the standard size. A custom key size can be specified by giving an extra argument. The following command will generate a 4096-bit RSA key:
1 openssl genrsa -out host.key 4096
Generating a Certificate Signing Request (CSR)
We need to specify some parameters for our certificate before we can create it.
Create a file called
host.conf and add the following:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 [req] default_md = sha512 basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [req] distinguished_name = req_distinguished_name req_extensions = req_ext prompt = no [req_distinguished_name] C = AU ST = Victoria L = Melbourne O = My Company OU = My Division CN = testing.com [req_ext] subjectAltName = @alt_names [alt_names] DNS.1 = testing.com DNS.2 = *.testing.com
- Customize the
CNto your desired values.
CN (Common Name) field will be displayed when your computer shows the certificate path:
DNS.* fields represent other domains that this certificate will also be valid for. Remember that a certificate valid for
*.testing.com is NOT valid for
testing.com, so it must be added separately.
We are now ready to create a certificate signing request (CSR) using the private key and config we just created. The CSR will then need to be signed by a CA before it can be used.
1 openssl req -new -sha512 -nodes -key host.key -out host.csr -config host.conf
Generating a Certificate
We need to specify some extra parameters so that our final certificate will be fully trusted X.509 Cert.
Create a file called
host-ext.conf and add the following:
1 2 3 4 5 6 7 8 9 10 11 basicConstraints = CA:FALSE nsCertType = server nsComment = "My First Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = testing.com DNS.2 = *.testing.com
- Update the
DNS.*fields to your desired values.
We are now ready to sign the CSR using a CA and 2nd config file we created. The output will be our Certificate that is ready to be used.
1 openssl x509 -req -sha512 -days 45 -in host.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out host.crt -extfile host-ext.conf
Using the Certificate
The output files
host.crt are now ready to be used for a HTTPS server. If your browser trusts the Root CA that was used to sign the CSR then the host certificate will be valid and trusted.