How To Generate Self Signed X.509 Certificates with OpenSSL?
Hi, X.509 certificates are used widely by a lot of applications. Generating X.509 certificates can seem hard, like rocket science, but it is not. We will generate a key named t1.key and then create a signing request from this key. After that, to sign our request, we will generate a self-signed CA key and certificate. Finally, we will sign our request and generate a ready-to-use certificate.
Create 2048 Bit RSA Key
First we need a key, which must be kept secret. For the purposes of this example, though, I will show you all keys in Base64 format. Here we generate an RSA key with a size of 2048 bits and name it t1.key. Then we look at the type of the key file, and after that I print the key data to the terminal.
$ openssl genrsa -out t1.key 2048
Create Certificate Sign Request
This is just the key; we still have to generate a Certificate Signing Request (CSR) for the CA, which in this example is ourselves. We use t1.key as input and t1.csr as output. We also set a symmetric key to protect our certificate signing request. To use predefined parameters such as Country Name, give OpenSSL a configuration file with -config openssl.cnf
$ openssl req -new -key t1.key -out t1.csr
Self Sign CSR
Now the CA gets our CSR and signs it with its private key. But in this example we are the CA, so we first need to create a self-signed CA key and certificate. We create a CA private key named key.pem and a certificate named cert.pem, which will be used to authenticate the users' signed certificates. The validity period is 365 days from now, and the type is the commonly used x509.
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
Now sign the CSR with 365 days of validity and create t1.crt. While doing this, we need to enter the password to open the CA private key named key.pem.
$ openssl x509 -req -days 365 -in t1.csr -CA cert.pem -CAkey key.pem -CAcreateserial -out t1.crt
Print X.509 Certificate Information and Details
We can print our new certificate's information and details with the -text option, like below.
$ openssl x509 -in t1.crt -noout -text
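The whole procedure as an added example (not code from the original page): it runs the steps above without prompts and then checks that t1.crt really chains to cert.pem and belongs to t1.key. The subject names and the passphrase are constructed demo values, the function names are hypothetical, and signing uses -CA/-CAkey so that cert.pem becomes the issuer of t1.crt.

```shell
#!/bin/sh
# Added example: constructed subject names and passphrase, throwaway files.
set -eu
CA_PASS='constructed-demo-passphrase'  # demo value; let openssl prompt in real use

# Run the page's steps without prompts inside directory $1.
build_chain() (
    cd "$1"
    openssl genrsa -out t1.key 2048 2>/dev/null
    openssl req -new -key t1.key -out t1.csr -subj '/CN=t1.example.test'
    # Self-signed CA; key.pem is stored encrypted under CA_PASS.
    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
        -days 365 -subj '/CN=Example Test CA' -passout "pass:$CA_PASS" 2>/dev/null
    # The CA certificate becomes the issuer of t1.crt.
    openssl x509 -req -days 365 -in t1.csr -CA cert.pem -CAkey key.pem \
        -CAcreateserial -passin "pass:$CA_PASS" -out t1.crt 2>/dev/null
)

# True when t1.crt verifies with cert.pem as the only trust anchor.
chain_ok() ( cd "$1" && openssl verify -CAfile cert.pem t1.crt >/dev/null 2>&1 )

# True when the issuer of t1.crt equals the subject of cert.pem.
issuer_is_ca() (
    cd "$1"
    i=$(openssl x509 -in t1.crt -noout -issuer)
    s=$(openssl x509 -in cert.pem -noout -subject)
    [ "${i#issuer=}" = "${s#subject=}" ]
)

# True when the public key in t1.crt is the one derived from t1.key.
key_matches_cert() (
    cd "$1"
    [ "$(openssl x509 -in t1.crt -noout -pubkey)" = "$(openssl pkey -in t1.key -pubout)" ]
)

# True when key.pem is encrypted at rest (its PEM header says ENCRYPTED).
ca_key_encrypted() ( cd "$1" && grep -q 'ENCRYPTED' key.pem )
```

Call build_chain with an empty directory, then run the four checks on the same directory; each returns 0 on success. If issuer_is_ca fails for a certificate you produced another way, the certificate was not issued by the CA in cert.pem and clients that trust only that CA will reject it.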