Create Self Signed CA certificate and Server certificates
All websites that run over HTTPS are secured by Public Key Infrastructure (PKI), which is built on digital certificates and digital signatures. In this architecture a CA (Certificate Authority) is responsible for issuing the certificates. These CAs are third-party organizations, and they typically charge for their service. We can also create our own internal certificates, which are self-signed certificates.
Why these certificates?
These certificates are used by cryptographic protocols to encrypt and decrypt data as it is transferred over the network. SSL and TLS are examples of cryptographic protocols.
These protocols are also called handshake protocols.
SSL (Secure Sockets Layer)
SSL 3.0 is the last version (2018) that most browsers support.
TLS (Transport Layer Security)
TLS 1.1 and TLS 1.2 are more secure versions.
Download and install OpenSSL from the internet. If it is a binary distribution, keep the downloaded binaries under the C:\Program Files folder, then add the directory that contains openssl.exe (openssl\bin) to the PATH environment variable, using CMD or the Windows settings, so that it can be run from anywhere, as follows.
C:\> set PATH=%PATH%;C:\Program Files\openssl-0.9.8h-1-bin\bin
- Create a folder where you want to create CA and Server certificates
- Let's create a folder called CA under the C: drive, i.e. C:\CA, then go to the CA directory from the command prompt.
- Now set the 2 environment variables from CMD in the C:\CA directory. Do not put spaces around the = sign, because CMD would make them part of the variable name and value.
C:\CA> set RANDFILE=.rnd
C:\CA> set OPENSSL_CONF=C:\Program Files\openssl-0.9.8h-1-bin\share\openssl.cnf
- Then type "openssl" and press the Enter key; that takes you to the OpenSSL prompt, as follows.
C:\CA>openssl (press the Enter key on the keyboard)
CA certificate creation:
- Generate the CA key file by using the following command.
openssl>genrsa -out ca.key 4096
It generates a 4096-bit RSA key for our root CA and stores it in the file ca.key; you can also name it ca.pem.
If you want to protect this key with a password and encryption, add the -des3 option; the command then looks like the following.
openssl>genrsa -des3 -out ca.key 4096
- Now we will create a root CA certificate called ca.crt from the ca.key file using the following command. We also need to provide an identity while generating the root CA certificate.
openssl>req -new -x509 -days 365 -sha256 -extensions v3_ca -key ca.key -out ca.crt
-x509 is used to produce a self-signed certificate.
-days 365 makes the certificate valid for 1 year.
-sha256 is the signature hashing algorithm; if we do not provide it, sha1 is used as the signature hashing algorithm.
-extensions v3_ca: since we are creating a self-signed certificate using -x509, the v3_ca section defines the extensions to add to the self-signed certificate. Those are:
subjectKeyIdentifier
authorityKeyIdentifier
basicConstraints
keyUsage
subjectAltName
issuerAltName
Server Certificate Creation:
- Generate a key file by using the following commands.
openssl>genrsa -out server.key 4096
or
openssl>genrsa -aes256 -out server.key 4096
The second form encrypts the key under a strong password (with -aes256 here, or with -des3 as shown for the CA key).
- Generate signing request file with the following command.
openssl>req -new -sha256 -key server.key -out server.csr
-sha256 is optional; if it is not passed, sha1 is used as the default signature hashing algorithm.
NOTE: While creating the CSR, it will ask for a common name. That name should be different from the one we provided when creating the CA certificate; otherwise, it will throw an error while creating the PKCS12 (.p12) file.
- Generate the server certificate with the following command. (Signing the certificate with the root ca)
openssl>x509 -req -days 730 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
-set_serial sets a custom serial number for the certificate; otherwise, the tool generates a random serial number. Above, I let the tool create a random serial number while generating the CA certificate; here the serial number is set to 01.
Finally, pack all the certificates by using the following command.
openssl>pkcs12 -export -out server.p12 -inkey server.key -in server.crt -chain -CAfile ca.crt
In the end, we can take this .p12 file and configure it on our websites to enable HTTPS.
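The steps above as one non-interactive run, followed by the checks worth making before the .p12 is deployed; this is an added example, not part of the original page. It is written for a POSIX shell with the same openssl subcommands used above, and the function names, KEY_BITS, the subject names and the inline config are assumptions made for the example.

```sh
# Added example, not the page's code; names, subjects and config are constructed.
KEY_BITS="${KEY_BITS:-4096}"
# build_chain DIR: the page's genrsa/req/x509 steps, run without prompts.
# -sha256 is added to the signing step so it does not rely on a default digest.
build_chain() {
    dir="$1"; mkdir -p "$dir" || return 1
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
    ( cd "$dir" && export OPENSSL_CONF="$PWD/openssl.cnf" &&
      openssl genrsa -out ca.key "$KEY_BITS" 2>/dev/null &&
      openssl req -new -x509 -days 365 -sha256 -extensions v3_ca \
          -key ca.key -out ca.crt -subj "/CN=Example Root CA" &&
      openssl genrsa -out server.key "$KEY_BITS" 2>/dev/null &&
      openssl req -new -sha256 -key server.key -out server.csr \
          -subj "/CN=www.example.test" &&
      openssl x509 -req -days 730 -sha256 -in server.csr -CA ca.crt \
          -CAkey ca.key -set_serial 01 -out server.crt 2>/dev/null )
}

# check_chain DIR: print one finding per line; non-zero if any check fails.
check_chain() {
    dir="$1"; rc=0
    # 1. server.crt must verify against ca.crt.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        && echo "chain: ok" || { echo "chain: FAIL"; rc=1; }
    # 2. Reject a SHA-1 (or older) signature on the issued certificate.
    sig=$(openssl x509 -in "$dir/server.crt" -noout -text |
          sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case "$sig" in
        sha256*|sha384*|sha512*) echo "sig: $sig" ;;
        *) echo "sig: WEAK ($sig)"; rc=1 ;;
    esac
    # 3. The NOTE above: the server subject must differ from the CA subject.
    ca_sub=$(openssl x509 -in "$dir/ca.crt" -noout -subject)
    srv_sub=$(openssl x509 -in "$dir/server.crt" -noout -subject)
    [ "$ca_sub" != "$srv_sub" ] && echo "names: distinct" ||
        { echo "names: SAME AS CA"; rc=1; }
    return "$rc"
}
if [ "$#" -gt 0 ]; then build_chain "$1" && check_chain "$1"; fi  # e.g. sh chain_check.sh ./demo
```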