How To Generate Self Signed X.509 Certificates with OpenSSL? – POFTUT

Hi, X.509 certificates are widely used by many applications. Generating X.509 certificates can seem hard, like rocket science, but it is not. We will generate a key named t1.key and then create a signing request from this key. After that, to sign our request, we will generate a self-signed CA key and certificate. Finally, we will sign our request and produce a ready-to-use certificate.

Create 2048 Bit RSA Key

First, we need a key, which must be kept secret. For the purposes of this example, however, I will show all keys in Base64 format. Here we generate an RSA key with a size of 2048 bits and name it t1.key. Then we look at the type of the key file, and after that I print the key data to the terminal. We use the -out option to specify the key file name.

$ openssl genrsa -out t1.key 2048

Create Certificate Sign Request

So far we have only the key; next we generate a Certificate Signing Request (CSR) for the CA, which in this example is ourselves. We use t1.key as input and t1.csr as output. We also set a symmetric key to protect our certificate signing request. To use predefined parameters such as Country Name, pass an OpenSSL configuration file with -config openssl.cnf

$ openssl req -new -key t1.key -out t1.csr

Self Sign CSR

When the CA receives our CSR, it signs the CSR with its private key. In this example we are the CA, so we first need to create a self-signed CA key and certificate. We create a CA private key named key.pem and a certificate named cert.pem, which will be used to authenticate the user's signed certificate. The validity period is 365 days from now, and the type is the commonly used X.509.

$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

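Now sign the CSR with 365 days of validity and create t1.crt. The -CA and -CAkey options name the CA certificate and the CA private key that issue the certificate, and -CAcreateserial creates the CA serial number file if it does not exist. To open the CA private key named key.pem, we need to enter a password.

$ openssl x509 -req -days 365 -in t1.csr -CA cert.pem -CAkey key.pem -CAcreateserial -out t1.crt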

Print X.509 Certificate Information and Details

We can print our new certificate information and details with the -noout and -text options like below.

$ openssl x509 -in t1.crt -noout -text

In the output we can see that the following information is provided.

  • `Certificate Version`
  • `Serial Number`
  • `Issuer`
  • `Validity`
  • `Subject`
  • `Subject Public Key Info`
  • `Public Key Algorithm`
  • `Public Key`
  • `Modulus`
  • `Exponent`
  • `Signature Algorithm`
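
The whole procedure above as one non-interactive script, followed by two checks on the result: that t1.crt chains to cert.pem and that it carries the public key of t1.key. This is an added example, not code from the original page; the function names, subject names and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: subjects and the passphrase are constructed demo values.

# Run the key, CSR, CA and signing steps in directory $1 without prompts.
build_chain() (
    cd "$1" || exit 1
    umask 077                      # new key files are readable by the owner only
    # Constructed passphrase; in real use take it from a secret store.
    CA_PASS='demo-only-passphrase'; export CA_PASS
    # Subject key and CSR (the request is signed with t1.key via -key).
    openssl genrsa -out t1.key 2048 || exit 1
    openssl req -new -key t1.key -out t1.csr -subj "/CN=t1.example.test" || exit 1
    # Self-signed CA; key.pem is stored encrypted under the passphrase.
    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
        -days 365 -subj "/CN=Example Test CA" -passout env:CA_PASS || exit 1
    # The CA issues t1.crt from the CSR.
    openssl x509 -req -days 365 -in t1.csr -CA cert.pem -CAkey key.pem \
        -CAcreateserial -passin env:CA_PASS -out t1.crt || exit 1
)

# Succeeds only if t1.crt verifies against cert.pem as the trust anchor.
chain_ok() {
    openssl verify -CAfile "$1/cert.pem" "$1/t1.crt" >/dev/null 2>&1
}

# Succeeds only if the certificate contains the public key of t1.key,
# i.e. the CA certified the requester's key and not some other key.
key_matches() {
    cert_pub=$(openssl x509 -in "$1/t1.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/t1.key" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run `build_chain` on an empty directory, then `chain_ok` and `key_matches` on the same directory; each returns 0 on success.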