Create a Self-Signed CA Certificate and Server Certificates


All websites that run over HTTPS rely on Public Key Infrastructure (PKI), which is built on digital certificates and digital signatures. In this architecture a CA (Certificate Authority) is responsible for issuing the certificates. Public CAs are third-party organizations that usually charge for the service, but we can also run our own private CA: its root certificate is self-signed, and it then signs the server certificates we issue internally. That is what this article walks through.

Why these certificates?

These certificates are used by cryptographic protocols to prove the identity of the server (and optionally the client) and to agree on the session keys that then encrypt and decrypt the data while it is transferred over the network. SSL and TLS are examples of such protocols.

The part of these protocols that exchanges the certificates and negotiates the keys is called the handshake.

SSL (Secure Sockets Layer)

SSL 3.0 is the last SSL version. It is broken (POODLE) and was formally deprecated in 2015 (RFC 7568), so current browsers no longer support any version of SSL.

TLS (Transport Layer Security)

TLS is the successor of SSL. TLS 1.0 and 1.1 have been deprecated (RFC 8996); TLS 1.2 and TLS 1.3 are the versions that should be enabled on a server.

Environment setup:

Download and install OpenSSL from the internet. If it is a binary distribution, keep the extracted folder under C:\Program Files and add its openssl\bin folder (the one containing openssl.exe) to the PATH environment variable, from CMD or the Windows settings, so it can be run from anywhere, as follows.

  1. Create a folder where you want to create the CA and server certificates.
  2. Let us create a folder called CA under the C: drive, i.e. C:\CA, then go to the CA directory from the command prompt.
  3. Now add the 2 environment variables from CMD while in the C:\CA directory.
  4. Then type "openssl" and press the Enter key; that takes you to the OpenSSL interactive prompt, where the sub-commands below are typed without the leading "openssl", as follows.

CA certificate creation:

  1. Generate the CA key file by using the following command.

    It generates a 4096-bit RSA key for our root CA and stores it in the file ca.key (you can also name it ca.pem). This private key is the root of trust for everything signed below, so keep it off the web server and readable only by the account that signs certificates.
    If you want to protect this key with a passphrase and encryption, add the cipher option, and the command looks like the following.
  2. Now we create a root CA certificate called ca.crt from the ca.key file using the following command; we also need to provide an identity (the subject) while generating the root CA certificate.

    This option makes OpenSSL emit a self-signed certificate instead of a certificate signing request.
    -days 365 makes the certificate valid for 1 year.
    -sha256 is the signature hashing algorithm; if we do not provide it, OpenSSL releases before 1.1.0 default to sha1, while 1.1.0 and later default to sha256, so it is safer to state it explicitly.
    -extensions v3_ca: since we are creating a self-signed certificate with x509, the [v3_ca] section of the OpenSSL configuration file defines the extensions added to it, most importantly basicConstraints CA:TRUE, which is what allows this certificate to sign others. Those are

Server Certificate Creation:

  1. Generate a key file by using the following commands.
    The key is encrypted with the chosen cipher and a strong passphrase.
  2. Generate the certificate signing request (CSR) file with the following command.

    This option is optional; if it is not passed, OpenSSL releases before 1.1.0 default to sha1, and 1.1.0 and later default to sha256.
    NOTE: While creating the CSR it will ask for a Common Name (CN). Use a different CN from the one given to the CA certificate; otherwise OpenSSL sees a certificate whose subject equals its issuer, treats it as self-signed, and fails when the PKCS12 or .p12 file is built. Also note that modern browsers match the host name against the subjectAltName extension rather than the CN, so give the server certificate a SAN for its host name when signing it.
  3. Generate the server certificate with the following command (signing the CSR with the root CA).

    This sets a custom serial number for the certificate; otherwise OpenSSL takes one from the CA's serial file. Above I let the tool create a random serial number while generating the CA certificate; here the serial number is set to 01. Serial numbers must be unique per issuing CA: if you later sign a second server certificate with the same serial, browsers such as Firefox reject it as a reused issuer and serial.

Finally, pack the server key, the server certificate and the CA certificate into one PKCS#12 bundle by using the following command.

In the end, we can take this .p12 file and configure it on the web server to enable HTTPS. Because the CA is private, browsers will only trust the site once ca.crt has been imported into their (or the operating system's) trusted root store; the .p12, which contains the private key, should never be handed out to clients.
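The whole procedure above (CA key and self-signed CA certificate, server key and CSR, signing with serial 01, PKCS#12 packaging) as one script, added here as an example and not code from the original article. It is written for a POSIX shell (Git Bash or WSL on Windows, or any Linux shell); the OpenSSL sub-commands are the same ones you would type into the CMD or OpenSSL prompt. The directory, subject names, host name, the three passphrases and the OpenSSL 1.1.1+ requirement (for `-ext`) are my assumptions, and the check functions at the end are what I would run before deploying the bundle.

```shell
#!/bin/sh
# Added example (not from the original article). Assumptions: the names,
# passphrases and paths below, and an OpenSSL 1.1.1+ CLI on PATH.
set -eu

build_pki() {
  dir="$1"   # working directory, the article's C:\CA
  mkdir -p "$dir" && cd "$dir"

  # --- CA: 4096-bit RSA key, encrypted with AES-256 and a passphrase -------
  # (for an unencrypted key, as the article also allows, drop -aes256/-passout)
  openssl genrsa -aes256 -passout pass:capass -out ca.key 4096

  # Self-signed root: -x509 emits a certificate instead of a CSR, -sha256 is
  # the signature digest, v3_ca adds basicConstraints CA:TRUE plus key ids.
  openssl req -x509 -new -key ca.key -passin pass:capass -sha256 -days 365 \
    -extensions v3_ca -subj "/CN=Demo Root CA/O=Example" -out ca.crt

  # --- Server key and CSR; CN deliberately differs from the CA's CN ---------
  openssl genrsa -aes256 -passout pass:srvpass -out server.key 2048
  openssl req -new -key server.key -passin pass:srvpass -sha256 \
    -subj "/CN=www.example.test/O=Example" -out server.csr

  # Sign with the CA, fixed serial 01 (as in the article). x509 -req does not
  # copy extensions from the CSR, so the SAN browsers check comes from a file.
  printf 'subjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' \
    > server.ext
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -passin pass:capass \
    -set_serial 01 -days 365 -sha256 -extfile server.ext -out server.crt

  # --- Bundle key + server cert + CA cert into one PKCS#12 file --------------
  openssl pkcs12 -export -inkey server.key -passin pass:srvpass -in server.crt \
    -certfile ca.crt -name "www.example.test" -passout pass:p12pass \
    -out server.p12
  cd - >/dev/null
}

# Pre-deployment checks: does the server cert chain to our CA?
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Does the server cert carry the SAN for the given host name?
has_san() {
  openssl x509 -in "$1/server.crt" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "DNS:$2"
}

# Is the CA cert actually marked as a CA (basicConstraints CA:TRUE)?
ca_is_ca() {
  openssl x509 -in "$1/ca.crt" -noout -ext basicConstraints 2>/dev/null \
    | grep -q "CA:TRUE"
}

# Usage: sh make-certs.sh run ./demo-ca
if [ "${1:-}" = "run" ]; then
  build_pki "${2:-./demo-ca}" && verify_chain "${2:-./demo-ca}" && echo "chain OK"
fi
```

After running it, import ca.crt (never server.p12) into the client trust store, and install server.p12 with the p12pass password on the web server.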

Love to code in Java| NodeJs | ReactJs and my new girlfriend is Python