How to Generate Self Signed Certificate Using your Custom CA.

By | April 23, 2020

Many times you will need a self-signed SSL certificate, maybe for your Apache or Nginx web servers. In this article we will see how to generate a self-signed certificate using your own custom CA.

Using your own Root CA, you can sign and approve as many certificates as you want. Let's see how we can do that.

Step 1: Create the Root Key (Root CA)

Note:

  • The root key is generated only once.
  • The root key is used to sign any number of certificate requests.
  • Anyone who gets hold of this key and its password can sign any number of certificates on your behalf.
  • Keep this key in a safe place and lock it with a password.

To generate the key, execute the below command.

# openssl genrsa -out DemoDevOpsRootCA.key 4096

Note: 

If you want a password-protected key, add the -des3 option, so the command would look like the one below.

# openssl genrsa -des3 -out DemoDevOpsRootCA.key 4096

Step 2: Create Root certificate and Self Sign it.

The next step is to create the root certificate using the root key we created in step 1. This root certificate is what clients will later install in order to trust the certificates we sign with it.

# openssl req -x509 -new -nodes -key DemoDevOpsRootCA.key -sha256 -days 1825 -out DemoDevOpsRootCA.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:sanjose
Organization Name (eg, company) [Default Company Ltd]:devopsage technologies
Organizational Unit Name (eg, section) []:DIT
Common Name (eg, your name or your server's hostname) []:devopsage.com
Email Address []:[email protected]

Here we have generated a root certificate valid for 5 years.

Now that we have created the root key and root certificate, it's time to create a self-signed certificate. Creating a self-signed certificate requires you to create 

Step 3: Create the Certificate key

A separate key needs to be created for every domain for which you plan to generate a self-signed certificate.

# openssl genrsa -out xyzdomain.com.key 2048

Step 4: Create CSR – Certificate Signing Request

Method: 1

A CSR is where you define the details of the certificate you want to generate: country name, domain, locality, company name and so on.
In general, when you want to buy an SSL certificate you need to generate the certificate key (step 3) and the CSR (step 4). The CSR contains your information and is signed with the Root CA key in order to produce the valid SSL certificate.

Note:

  • In this case we ourselves are the Root CA.
  • Make sure you pass your valid domain name when asked for the Common Name, or else the certificate cannot be verified for your host.

# openssl req -new -key xyzdomain.com.key -out xyzdomain.com.csr

Make sure to fill in all required details. When asked for the Common Name, give your correct domain; this is very important, otherwise the certificate will not verify against your hostname.

Method 2: 

You can put all the required details in a file and create both the CSR and the private key in one go.

# vim key-csr.cnf

Put all details in the file as below.

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = MenloPark
organizationName = Organization Name (eg, company)
organizationName_default = DevOpsAGE Technologies
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = DSAT
commonName = youractualdomain.com
commonName_default = youractualdomain.com
[ req_ext ]
# Subject Alternative Name: modern browsers match the hostname against the
# SAN, not only the Common Name. Note that "openssl x509 -req" does not copy
# CSR extensions into the signed certificate unless you pass -extfile.
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = youractualdomain.com

For a wildcard certificate, use *.youractualdomain.com as the Common Name.

Note: When buying a certificate from an authorized Certificate Authority, you only need to generate the private key and the CSR and share the CSR (never the private key) with the CA. They will provide you with the valid certificate.

# openssl req -out mydomain.com.csr -newkey rsa:2048 -nodes -keyout mydomain.com.key -config key-csr.cnf

Step 5: Verify the Content of the CSR

Execute the command below to verify the content of the CSR.

# openssl req -in xyzdomain.com.csr -noout -text

Step 6: Generate the SSL Certificate Using the CSR, Private Key and Root CA

Use the command below to generate the SSL certificate. The created certificate is valid for 365 days.

# openssl x509 -req -in xyzdomain.com.csr -CA DemoDevOpsRootCA.crt -CAkey DemoDevOpsRootCA.key -CAcreateserial -out xyzdomain.com.crt -days 365 -sha256

Signature ok
subject=/C=US/ST=Calafornia/L=menlopark/O=xyz technologies/OU=xyz/CN=xyzdomain.com/[email protected]
Getting CA Private Key

Step 7: Verify the Certificate Content and Expiry Date

# openssl x509 -in xyzdomain.com.crt -text -noout
# openssl x509 -in xyzdomain.com.crt -text -noout | grep -A2 Validity

Now your self signed certificate is ready to be used in Web/App Servers.
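As an added example (not part of the original article), the whole procedure above in one non-interactive script: it builds the root CA, the server key and CSR, signs the leaf with a SAN carried in via -extfile (which "openssl x509 -req" needs, since it does not copy CSR extensions), and then validates the chain with "openssl verify" rather than only printing the certificate. The file names, the working directory and the domain demo.example.com are assumptions.

```shell
#!/bin/sh
# Added example: steps 1-7 end to end, with a SAN applied at signing time.
# WORK, the DemoRootCA/leaf file names and demo.example.com are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/DemoRootCA"
DOMAIN="${DOMAIN:-demo.example.com}"
LEAF="$WORK/$DOMAIN"

# Steps 1-2: root key and self-signed root certificate (5 years).
make_root_ca() {
  openssl genrsa -out "$CA.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -key "$CA.key" -sha256 -days 1825 \
    -subj "/C=US/ST=California/O=Demo/CN=Demo Root CA" -out "$CA.crt"
}

# Steps 3-4: server key and CSR, with the Common Name set to the domain.
make_csr() {
  openssl genrsa -out "$LEAF.key" 2048 2>/dev/null
  openssl req -new -key "$LEAF.key" -subj "/C=US/O=Demo/CN=$DOMAIN" -out "$LEAF.csr"
}

# Step 6: sign the CSR with the root; the extension file marks the result as a
# non-CA server certificate and adds the SAN that browsers match against.
sign_leaf() {
  cat > "$LEAF.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$DOMAIN
EOF
  openssl x509 -req -in "$LEAF.csr" -CA "$CA.crt" -CAkey "$CA.key" -CAcreateserial \
    -out "$LEAF.crt" -days 365 -sha256 -extfile "$LEAF.ext" 2>/dev/null
}

# Step 7: chain validation against the root plus a check that the SAN is present.
verify_leaf() {
  openssl verify -CAfile "$CA.crt" "$LEAF.crt" >/dev/null &&
  openssl x509 -in "$LEAF.crt" -noout -text | grep -q "DNS:$DOMAIN"
}

make_root_ca && make_csr && sign_leaf && verify_leaf && echo "chain OK for $DOMAIN"
```

Point a client at the root with its trust store (or curl --cacert "$CA.crt") and the leaf will validate for the SAN hostname only.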
