Notes on openssl
A signed certificate is an SSL/TLS certificate signed by a public or commercially private certificate authority using their root certificate authority (CA) and private key. The steps to getting a signed certificate are:
A self-signed certificate is an SSL/TLS certificate not signed by a public or commercially private certificate authority. Instead, it's signed by the creator's own personal root CA certificate, which is free.
$ openssl req -x509 \
    -sha256 \
    -days 356 \
    -nodes \
    -newkey rsa:2048 \
    -subj "/CN=windofkeltia.com/L=Provo/ST=UT/C=US" \
    -keyout root.key \
    -out root.crt
Generating a RSA private key
..........+++++
...................................................................+++++
writing new private key to 'root.key'
-----

    -x509       output a self-signed certificate instead of a certificate request
    -sha256     hash strength
    -days 356   certificate's lifespan in days
    -nodes      means "no DES encryption", i.e. the private key is written unencrypted. Don't use this!
    -newkey     creates a new certificate and key
    -subj       subject name
    -keyout     new private key's filename
$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........+++++
...................+++++
e is 65537 (0x010001)
$ openssl rsa -des3 -in server.key -out server.key.new    # re-writes the key encrypted under a passphrase (prompted for)
$ rm server.key
$ mv server.key.new server.key
Use an editor to create a configuration file first; this makes the request command much shorter. Then pass this file to the command.
$ vim csr.conf
$ openssl req -new -key server.key -out server.csr -config csr.conf
csr.conf:

[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn

[ dn ]
C  = US
ST = UT
L  = Provo
O  = Wind of Keltia
CN = windofkeltia.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = demo.windofkeltia.com
DNS.2 = www.demo.windofkeltia.com
IP.1  = 192.168.0.101
IP.2  = 192.168.0.120
Now create another configuration file for the certificate. Then generate the certificate with the self-signed root and other credentials we created before.
$ vim certificate.conf
$ openssl x509 -req \
    -sha256 \
    -days 365 \
    -in server.csr \
    -out server.crt \
    -extfile certificate.conf \
    -CA root.crt \
    -CAkey root.key \
    -CAcreateserial
certificate.conf:

authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName         = @alt_names

[ alt_names ]
DNS.1 = demo.windofkeltia.com
The signing command reports:

Signature ok
subject=C = US, ST = UT, L = Provo, O = Wind of Keltia, CN = windofkeltia.com
Getting CA Private Key
$ ls -lart                                                    (shows relative order of file creation)
-rw------- 1 russ russ 1704 Jul 23 08:14 root.key             key in root.crt
-rw-rw-r-- 1 russ russ 1245 Jul 23 08:14 root.crt             certificate by which server.crt is signed
-rw------- 1 russ russ 1751 Jul 23 08:21 server.key           key in server.crt
-rw-rw-r-- 1 russ russ  345 Jul 23 08:27 csr.conf             (helper)
-rw-rw-r-- 1 russ russ 1115 Jul 23 08:40 server.csr           certificate signing request for generating server.crt
-rw-rw-r-- 1 russ russ  216 Jul 23 08:55 certificate.conf     (helper)
-rw-rw-r-- 1 russ russ   41 Jul 23 08:55 root.srl             (beats me—it just showed up)
-rw-rw-r-- 1 russ russ 1294 Jul 23 08:55 server.crt           certificate to enable SSL in applications!
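The whole procedure above as one script, added here as an example; it is not part of the original notes. It goes a little beyond them: the root key is encrypted with a passphrase (-passout when creating it, -passin when signing) instead of being left unencrypted with -nodes, the root certificate carries explicit CA:TRUE and keyCertSign extensions, and the script ends by checking that server.crt chains to root.crt and matches the intended host names. It assumes openssl is on PATH and works in a throwaway temporary directory; the passphrase changeit is a constructed placeholder, and the names and addresses are the ones the notes use.

```shell
#!/bin/sh
# Added example (not from the original notes): root CA, server key, CSR, signed
# server certificate, then verification. Assumes openssl is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT_PASS=changeit      # constructed placeholder passphrase for the root key

build_pki() {
  # Root CA config: [ v3_ca ] marks the root as a CA that may sign end-entity
  # certificates only (pathlen:0) and gives it an SKID for the server's AKID.
  cat > "$WORK/root.conf" <<'EOF'
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
C  = US
ST = UT
L  = Provo
CN = windofkeltia.com

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # 1. Self-signed root; -passout replaces -nodes, so root.key is stored encrypted.
  openssl req -x509 -sha256 -days 365 -newkey rsa:2048 \
    -config "$WORK/root.conf" -passout pass:"$ROOT_PASS" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

  # 2. Server key (unencrypted: a server has to read it unattended at start-up).
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null

  # 3. CSR driven by a config file, as in the notes.
  cat > "$WORK/csr.conf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn

[ dn ]
C  = US
ST = UT
L  = Provo
O  = Wind of Keltia
CN = windofkeltia.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = demo.windofkeltia.com
DNS.2 = www.demo.windofkeltia.com
IP.1  = 192.168.0.101
EOF
  openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" -config "$WORK/csr.conf"

  # 4. Sign the CSR with the root. x509 -req does not copy the CSR's extensions,
  #    so the extension file repeats subjectAltName; -passin unlocks root.key.
  cat > "$WORK/certificate.conf" <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:demo.windofkeltia.com, DNS:www.demo.windofkeltia.com, IP:192.168.0.101
EOF
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" -out "$WORK/server.crt" \
    -extfile "$WORK/certificate.conf" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -passin pass:"$ROOT_PASS" -CAcreateserial
}

# Chain check: prints "server.crt: OK" when server.crt is signed by root.crt.
verify_chain() {
  (cd "$WORK" && openssl verify -CAfile root.crt server.crt)
}

# Host-name check: succeeds only when $1 matches a subjectAltName entry.
verify_hostname() {
  openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# True when the named certificate asserts basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$WORK/$1" -noout -text | grep -q 'CA:TRUE'
}

build_pki
verify_chain
ls -l "$WORK"     # root.srl is the serial-number file written by -CAcreateserial
```

root.srl holds the serial number of the last certificate the root issued, so repeated signings with the same -CA and -CAcreateserial get increasing serials rather than duplicates. The reason the SAN has to appear in certificate.conf although csr.conf already carried it is that openssl x509 -req ignores the extensions in the request (OpenSSL 3 adds a -copy_extensions option to change that); the verify_hostname check is the quickest way to confirm the issued certificate really names the hosts you meant.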