openssl

Certificates

In the following sections we will encounter different types of files:

Suffix File type
.crt Certificate file.
.csr Certificate signing request. A file that you send to a Certificate Authority in order to get you certificate signed.
.key A private encryption key. Make sure that stays private!

Creating a self-signed certificate

While you could create a self-signed server certificate directly, it is smarter to create your own Certificate Authority (CA) first. You can then issue as many server certificates as you like, and each client only needs to trust the single CA certificate.

  1. Create your own Certificate Authority (CA)
    1. Create a private key for the CA
    2. Generate the certificate of the CA
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

The -aes256 option encrypts the CA key with a passphrase that you are prompted for (older guides use -des3; AES-256 is the better choice today). The CA key is the most valuable file in this setup: anyone holding it can issue certificates that every client trusting ca.crt will accept, so keep it encrypted and off the server.

Now that you have your very own Certificate Authority you can use it to sign the server certificate.

  1. Create a server certificate
    1. Generate a private key for the server
    2. Generate a certificate signing request (CSR) for the server's private key
    3. Sign the CSR with your CA
DOMAIN=www.example.org
openssl genrsa -aes256 -out "$DOMAIN".secure.key 4096
openssl req -new -key "$DOMAIN".secure.key -out "$DOMAIN".csr
openssl x509 -req -days 365 -in "$DOMAIN".csr -CA ca.crt -CAkey ca.key -CAcreateserial -out "$DOMAIN".crt

When prompted for the Common Name, enter the DNS name the clients will use (here www.example.org). Use -CAcreateserial rather than a fixed -set_serial 01: it keeps a counter in ca.srl so every certificate issued by the CA gets a unique serial number. Serial numbers must be unique per issuer, and Firefox rejects a second certificate that repeats an issuer/serial pair it has already seen. Also note that current browsers match the host name against the subjectAltName extension, not the Common Name; openssl x509 -req only adds that extension when given -extfile.

Since your server does not know the passphrase of the private server key, and you want the server to be able to start and stop without interaction, you need to remove the passphrase from the server key (you are prompted for it once):

openssl rsa -in "$DOMAIN".secure.key -out "$DOMAIN".key

The resulting "$DOMAIN".key is the unprotected key the server loads. Anyone who can read it can impersonate your server, so from here on file permissions are its only protection.

Make the private keys readable only by yourself. The certificates (.crt) and the request (.csr) contain no secrets and may be shared. If the web server runs as a different user, give only that user read access to its key instead.

chmod u=rw,go= *.key
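The whole procedure above as a non-interactive script, an added example that is not part of the original page. It assumes a scratch directory, the domain www.example.org and a demo CA passphrase, and differs from the interactive steps in three deliberate ways: the CA key is AES-256 encrypted and unlocked with -passin instead of a prompt, the server key is generated without a passphrase in the first place (encrypting it only to strip the passphrase again gains nothing), and the server certificate gets a subjectAltName and a unique serial (-CAcreateserial) so that current browsers accept it. Afterwards it verifies the chain the way a practitioner would before installing anything.

```shell
#!/bin/sh
# Added example, not code from the original page: the CA and server-certificate
# procedure above, done non-interactively, plus the checks to run afterwards.
# Directory, domain and the CA passphrase are demo assumptions.
set -eu

# Demo passphrase for the CA key. Override via the environment for anything real.
CA_PASS="${CA_PASS:-demo-ca-passphrase}"

# make_ca DIR: encrypted CA key plus a 10-year CA certificate with CA extensions.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example Home CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 4096 2>/dev/null
    chmod u=rw,go= "$dir/ca.key"
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/ca.cnf" \
        -key "$dir/ca.key" -passin "pass:$CA_PASS" -out "$dir/ca.crt"
}

# issue_server_cert DIR DOMAIN: unencrypted server key, CSR, and a CA-signed
# certificate carrying a subjectAltName (browsers ignore the CN for host matching).
issue_server_cert() {
    dir=$1; domain=$2
    cat > "$dir/$domain.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = $domain
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$domain
EOF
    # No passphrase: the server must start unattended, so skip the encrypt-then-strip round trip.
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    chmod u=rw,go= "$dir/$domain.key"
    openssl req -new -sha256 -config "$dir/$domain.cnf" \
        -key "$dir/$domain.key" -out "$dir/$domain.csr"
    # -CAcreateserial keeps a counter in ca.srl so each issued certificate gets a unique serial.
    openssl x509 -req -sha256 -days 365 -in "$dir/$domain.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$dir/$domain.cnf" -extensions v3_server -out "$dir/$domain.crt" 2>/dev/null
}

# key_is_encrypted FILE: "yes" if the PEM key is passphrase-protected, else "no".
key_is_encrypted() {
    if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi
}

# verify_chain DIR DOMAIN: "ok" if the certificate chains to ca.crt and names DOMAIN in its SAN.
verify_chain() {
    if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 \
        && openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"; then
        echo ok
    else
        echo fail
    fi
}

# Run with "demo" as the first argument to build everything in a scratch directory.
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_ca "$work"
    issue_server_cert "$work" www.example.org
    echo "CA key encrypted:     $(key_is_encrypted "$work/ca.key")"
    echo "server key encrypted: $(key_is_encrypted "$work/www.example.org.key")"
    echo "chain verifies:       $(verify_chain "$work" www.example.org)"
    echo "files are in $work"
fi
```

Save it as, for example, ca-demo.sh (the name is an assumption) and run `sh ca-demo.sh demo`. With OpenSSL 1.1.1 or later, `openssl req -addext "subjectAltName=DNS:www.example.org"` can replace the config file when creating the CSR, but `openssl x509 -req` does not copy extensions from the CSR by default, so the -extfile/-extensions arguments at signing time are still what puts the name into the certificate.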

Installing a CA certificate in your web browser

Installing a CA certificate in Firefox

  1. “Edit” → “Preferences”
  2. In dialog “Preferences”
    1. Select tab “Advanced”
    2. Select sub-tab “Certificates”
    3. Open the list of certificates
    4. Click “Import”
    5. Choose the certificate file of your homemade CA (ca.crt, never ca.key)
    6. In the dialog that follows, tick “Trust this CA to identify websites”
openssl.txt · Last modified: 2015/09/06 09:21 by sebastian