Creating a signed SSL certificate

Welcome to my blog. I know this is kind of an abrupt beginning. I was looking at this issue for a colleague of mine and needed something to write about.

TLS/SSL

TLS (Transport Layer Security), or its (now deprecated) predecessor SSL (Secure Sockets Layer), has been around for a long time and is a basic requirement for any secure communication. An SSL certificate is like a digital key that a server or service presents to have its identity verified, sort of a digital version of a passport for servers or services. If you are doing any kind of testing with remote servers, chances are you have had to create a certificate for testing.

Certs, not sigh!ned

Most developers use self-signed certificates. These steps are well documented. Increasingly though, many clients, including web browsers, simply reject self-signed certificates. The latest Chrome browser, for example, refuses to connect to sites that have a self-signed certificate. You may see a screen like the one below.
Btw, if you must work with sites that have a self-signed cert, check out Firefox (Mozilla). It still presents the handy "Do you want to bypass this?" option under the Advanced tab.
Here is where CAs, or Certificate Authorities, come into play. These are a handful of companies that are trusted to issue certificates, sort of like passport agencies for the certificate world. As you can expect, if you want to get a signed cert from a CA (such as Symantec, GeoTech, Entrust), they are not free services. There is in fact a free service, letsencrypt.org: you can get a free signed cert using Certbot, or by requesting a cert for a domain that you own.
So, what if you don't want to go through the trouble of working with a CA and want to be your own CA? Well, you can do that with a few OpenSSL commands.

Steps

1. Create a Root certificate

$ openssl genrsa -des3 -out rootCA.key 4096
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

2. Create a certificate request

Here aws-1 is the server name you are generating the certificate for. In this simple form, this value is used as the certificate Subject CN (Common Name). There are other ways, such as Subject Alternative Names, that are deferred for now.
$ openssl genrsa -out aws-1.key 2048
$ openssl req -new -sha256 -key aws-1.key -subj "/C=US/ST=TX/O=MyOrg/CN=aws-1" -out aws-1.csr

3. Create Cert and sign with own Root CA

$ openssl x509 -req -in aws-1.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out aws-1.crt -days 365 -sha256

4. Creating PEM file (optional)

If your installation requires a PEM file (as mine did), you can simply concatenate the key and cert files to generate the PEM file. Keep in mind that the resulting file contains the private key.
$ cat rootCA.key rootCA.crt > rootCA.pem
$ cat aws-1.key aws-1.crt > aws-1.pem

5. Check the certificates out

$ openssl x509 -in rootCA.pem -text -noout
$ openssl x509 -in aws-1.pem -text -noout
That's it! Btw, in case you haven't noticed, that's 5 steps, not 3.
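The five steps above as one non-interactive script, added here as an example; it is not part of the original post. It follows the post's commands but goes a little beyond them: the CA passphrase is passed on the command line so nothing prompts, the server cert gets a Subject Alternative Name (the Alternate Names the post defers; current Chrome ignores the CN and needs the SAN), and step 5 uses openssl verify to confirm the chain instead of only printing the certificate. The scratch directory, the "changeit" passphrase, the subject fields and the aws-1 host name are placeholders chosen for this walkthrough.

```shell
#!/bin/sh
# Added example (not from the post): the five steps as a non-interactive
# script, plus a Subject Alternative Name on the server cert, which current
# browsers require in addition to the CN. Directory, passphrase, subject
# fields and the "aws-1" host name are placeholders for this walkthrough.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # scratch directory for generated files (assumption)
HOST="${HOST:-aws-1}"               # server name, the same placeholder the post uses
CA_PASS="${CA_PASS:-changeit}"      # placeholder passphrase for the encrypted CA key

# Step 1: root CA key (DES3-encrypted, as in the post) and self-signed root cert.
# The passphrase is supplied with -passout/-passin so the script runs unattended.
make_root_ca() {
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/rootCA.key" 4096 2>/dev/null
  openssl req -x509 -new -key "$WORK/rootCA.key" -passin "pass:$CA_PASS" \
    -sha256 -days 1024 -subj "/C=US/ST=TX/O=MyOrg/CN=MyOrg Test Root CA" \
    -out "$WORK/rootCA.crt"
}

# Step 2: server key and certificate request; the CN is the host name.
make_csr() {
  openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$HOST.key" \
    -subj "/C=US/ST=TX/O=MyOrg/CN=$HOST" -out "$WORK/$HOST.csr"
}

# Step 3: sign the request with the root CA. The -extfile adds the SAN and
# marks the result as an end-entity cert (CA:FALSE); "x509 -req" copies no
# extensions from the CSR on its own, so without it the cert has only a CN.
sign_cert() {
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$HOST" > "$WORK/$HOST.ext"
  openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/rootCA.crt" \
    -CAkey "$WORK/rootCA.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/$HOST.ext" -out "$WORK/$HOST.crt" 2>/dev/null
}

# Step 4: key + cert bundle. The private key is in clear text in this file,
# so it is created owner-readable only.
make_pem() {
  cat "$WORK/$HOST.key" "$WORK/$HOST.crt" > "$WORK/$HOST.pem"
  chmod 600 "$WORK/$HOST.pem"
}

# Step 5: verify the chain rather than only eyeballing "-text" output.
# Exit status 0 means the server cert chains to rootCA.crt.
verify_chain() {
  openssl verify -CAfile "$WORK/rootCA.crt" "$WORK/$HOST.crt" >/dev/null 2>&1
}

# Returns the SAN the signed cert actually carries, e.g. "DNS:aws-1"
# (empty when the cert has none).
cert_san() {
  openssl x509 -in "$WORK/$HOST.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

build_all() {
  make_root_ca && make_csr && sign_cert && make_pem && verify_chain
}

build_all
echo "chain OK, SAN: $(cert_san), files in $WORK"
```

Run it as sh make-ca.sh; set WORK and HOST in the environment to change the output directory or the host name. Clients still need rootCA.crt imported into their trust store before they accept the server cert, since nothing outside this script knows about that root.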
