Commands and a configuration file to create self-signed certificates. The configuration file lives in the etc
directory.
This material is based on many websites explaining the method. It simplifies the whole process and the configuration options as much as possible.
NOTE :
- You will still get warnings saying that the certificate is untrusted. Your CA certificate is not in your browser's (or device's) trusted root store, so nothing signed by it is trusted until you import the CA certificate there.
- The config file has a section defining the Subject Alternative Name (SAN) extension. Modern browsers match the hostname against the SAN, not the Common Name, so every name you serve must be listed there.
- Most documentation uses two configuration files. We decided to group everything in one.
$ git clone https://github.com/gabx/self-signed-certificate.git
$ cd self-signed-certificate
$ echo '01' > serial && touch index.txt
$ cp /dev/null index.txt.attr
Then edit the etc/self-sign.conf configuration file according to your needs.
The first step is to become a stand-alone Certificate Authority (CA), which can then sign as many certificates as you like.
$ openssl genrsa -des3 -out myCA.key 2048
Omit the -des3 option if you do not want the key to be password protected. Keep in mind that whoever holds myCA.key can issue certificates every device trusting your CA will accept, so protect it.
$ openssl req -x509 -config etc/self-sign.conf -new -key myCA.key -out myCAcert.pem
Without a -days option, openssl req -x509 certifies for only 30 days; add for example -days 3650 for a longer-lived CA certificate.
You should now have two files: myCA.key (your CA private key) and myCAcert.pem (your root certificate). Do not rename them, or if you do, update self-sign.conf accordingly.
Next, generate a private key for the server (replace MyFQDN with the server's fully qualified domain name):
$ openssl genrsa -des3 -out MyFQDN.key 2048
A passphrase-protected server key has to be unlocked every time the web server starts, so most people omit -des3 here.
### Generate a certificate signing request
The CSR is normally sent to a Certificate Authority, which verifies the identity of the requester and issues a signed certificate. In our case, WE are the Certificate Authority. The questions are pre-answered with what you put in self-sign.conf, so you only have to confirm each one by pressing the Enter key.
$ openssl req -config etc/self-sign.conf -new -key MyFQDN.key -out MyFQDN.csr
Now sign the request with your CA:
$ openssl x509 -req -in MyFQDN.csr -CA myCAcert.pem -CAkey myCA.key -CAcreateserial -out MyFQDN.crt.pem -days 3650 -sha256 -extfile etc/self-sign.conf
The -extfile option matters: openssl x509 -req does not copy the CSR's extensions into the certificate by default, so the SAN has to be read again from the config file. Inspect the result and check that the Subject Alternative Name is present (if it is missing, name the extension section explicitly with -extensions <section>):
$ openssl x509 -in MyFQDN.crt.pem -text -noout
Some tools ask for the certificate as a single base64-encoded line. The PEM file is already base64 with header lines; this command encodes the whole file again into one line:
$ cat MyFQDN.crt.pem | base64 -w 0
(-w 0 is a GNU coreutils option; elsewhere use openssl base64 -A -in MyFQDN.crt.pem.)
Finally, verify that the server certificate chains to your CA certificate (myCAcert.pem, as created above):
$ openssl verify -CAfile myCAcert.pem MyFQDN.crt.pem
MyFQDN.crt.pem: OK
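The whole procedure above, run end-to-end in a throw-away directory, as an added example that is not part of this repository. It uses a minimal inline config instead of etc/self-sign.conf, skips -des3 so it runs unattended, and adds the two checks a practitioner wants at the end: that the SAN really made it into the signed certificate and that hostname verification succeeds for a listed name and fails for an unlisted one. All names (demo-ca, Demo Lab Root CA, www.example.test, example.test) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the gabx/self-signed-certificate repo.
# Names and the inline config are assumptions made for this demo.
set -eu

write_demo_conf() {
  # Constructed minimal config; the repo's etc/self-sign.conf is fuller.
  # [dn] is only a placeholder: the subjects are passed with -subj below
  # so that the CA and the server end up with different names.
  cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
req_extensions     = server_ext

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
EOF
}

issue_and_verify() {
  work=$(mktemp -d)
  cd "$work"
  write_demo_conf demo.conf

  # 1. CA key and self-signed root (x509_extensions = ca_ext applies here).
  openssl genrsa -out demo-ca.key 2048 2>/dev/null
  openssl req -x509 -new -config demo.conf -key demo-ca.key \
    -subj "/O=Example Lab/CN=Demo Lab Root CA" -days 3650 -sha256 \
    -out demo-ca.pem

  # 2. Server key and CSR (req_extensions = server_ext goes into the CSR).
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -config demo.conf -key server.key \
    -subj "/O=Example Lab/CN=www.example.test" -out server.csr

  # 3. Sign with the CA. "x509 -req" does not copy the CSR's extensions by
  #    default, so the SAN section is supplied again via -extfile/-extensions.
  openssl x509 -req -in server.csr -CA demo-ca.pem -CAkey demo-ca.key \
    -CAcreateserial -days 825 -sha256 \
    -extfile demo.conf -extensions server_ext -out server.pem 2>/dev/null

  # 4. Chain check, SAN presence, and hostname verification against the SAN.
  openssl verify -CAfile demo-ca.pem server.pem >/dev/null
  openssl x509 -in server.pem -noout -text | grep -q 'DNS:example.test'
  openssl verify -CAfile demo-ca.pem -verify_hostname www.example.test \
    server.pem >/dev/null

  # A name that is not in the SAN must be rejected.
  if openssl verify -CAfile demo-ca.pem -verify_hostname other.test \
       server.pem >/dev/null 2>&1; then
    echo "hostname check unexpectedly passed"
    return 1
  fi

  cd / && rm -rf "$work"
  echo verified
}

issue_and_verify
```

The -verify_hostname check is the one that exercises the SAN the way a browser does; a certificate that passes the plain chain check but fails this one has its name in the Common Name only, which modern clients ignore.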