Generating Keys, Certificate Requests, Self Signed Certs and Verifying them with OpenSSL

I spin up a lot of sites, and after the work is all done the PM comes to me at launch and informs me he never got the certificate he was supposed to have. Then he asks me to create it for him. This happens so much that I feel it's time to write a blog post explaining how to do it on the Mac sitting right in front of him. Feel free to send this link to your users who are constantly asking you to do these tasks as well.

First you need to understand the basic overview of how HTTPS (SSL/TLS) works. To create an SSL certificate you need to create three things. First the private key; this private key is used by the webserver to decrypt traffic that comes in. You will need to use this private key to generate a certificate signing request. This request bundles the public half of your key with your identity details into a formal request that goes to the CA (the party who issues you the actual certificate) of your choosing. This request is called the CSR, or certificate signing request. The CA, or certificate authority, is then supposed to verify you are who you say you are, then they sign your CSR and return it to you. This returned file is the certificate.

Note that the following commands assume you have the openssl tools installed on your computer. If you are using a Mac or Linux computer these are usually installed by default.

Step 1) Generate a private Key

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.com.key

This is going to create a new RSA key that is 2048 bits long and has no passphrase (-nodes). If you require a passphrase on your key, omit the -nodes. Note that if your key has a passphrase you will need to be there to enter the password into your webserver each time it restarts. When you run this command it's going to ask you several questions such as Country, State, City, Organization Name, Organizational Unit Name, Common Name etc. The country name should just be the two letter abbreviation; everything else should be the full name (do not abbreviate). The common name is the most important part of this step. This needs to be the exact domain name you want for the certificate. So if your site is www.yourdomain.com, your common name should be www.yourdomain.com, because when the CSR is created later that is the domain the CA is going to verify against. Most CAs are nice enough to make your certificate work with www and with just the base name. Be sure to ask them to do that, as it is very helpful.

Last, you should be very careful with this key file. It is your secret key that is used to decrypt data encrypted with your cert. If someone else gets it then your SSL is useless and they can see all of your encrypted connections. The only party you should ever share this private key with is your hosting company. They will need the key and the final cert to install into the webserver that will host your site.

Step 2) Create a CSR from your key

openssl req -out yourdomain.com.csr -key yourdomain.com.key -new

This command takes the previously created key and prepares the CSR we discussed earlier. The yourdomain.com.csr file is what you send to the CA for verification.

Create a self signed certificate

If you will not be using an official certificate authority to sign your certificate then you can just do the famous self signed. If you have a self signed certificate then you will get a warning when visiting the site that the certificate could not be validated. What does that mean? It's simple: browsers have a list of Certificate Authorities they trust, and you are not one of them, so by default they can't say you're trusted. Fear not though, your data is still encrypted; the warning just says you made this certificate yourself and nobody verified you are who you say you are.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout yourdomain.com.key -out yourdomain.com.crt

This does the key generation and the signing in one step: it creates a new 2048-bit key with no passphrase and writes a certificate for it that is valid for 365 days, asking the same questions as in Step 1.
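As an added example (not from the original post), here are the three steps above run non-interactively in a shell script, followed by the verification the title promises: checking the key, checking the CSR's own signature, and confirming that key, CSR and certificate all carry the same RSA modulus, which is how you tell the three files belong together. It assumes the openssl CLI is installed; the -subj answers, the hostname and the working directory are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: the post's three steps run
# non-interactively, then checked. Assumes the openssl CLI is installed;
# the -subj answers and the working directory are constructed here.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="www.yourdomain.com"
# Same fields the interactive prompts ask for; CN is the exact hostname.
SUBJ="/C=US/ST=Texas/L=Austin/O=Example Org/OU=Web/CN=$DOMAIN"

# Step 1: 2048-bit RSA private key with no passphrase (what -nodes gives you).
make_key() { openssl genrsa -out "$WORKDIR/$DOMAIN.key" 2048 2>/dev/null; }

# Step 2: CSR from that key; -subj stands in for the interactive questions.
make_csr() {
  openssl req -new -key "$WORKDIR/$DOMAIN.key" -subj "$SUBJ" \
    -out "$WORKDIR/$DOMAIN.csr"
}

# Self-signed alternative: sign the CSR with its own key, valid 365 days.
make_self_signed() {
  openssl x509 -req -days 365 -in "$WORKDIR/$DOMAIN.csr" \
    -signkey "$WORKDIR/$DOMAIN.key" -out "$WORKDIR/$DOMAIN.crt" 2>/dev/null
}

# Verify: key is sane, CSR signature checks out, and key, CSR and cert all
# carry the same RSA modulus (so the three files really belong together).
verify_set() {
  openssl rsa -in "$WORKDIR/$DOMAIN.key" -check -noout >/dev/null 2>&1 || return 1
  openssl req -in "$WORKDIR/$DOMAIN.csr" -verify -noout >/dev/null 2>&1 || return 1
  k=$(openssl rsa  -in "$WORKDIR/$DOMAIN.key" -noout -modulus | openssl md5)
  r=$(openssl req  -in "$WORKDIR/$DOMAIN.csr" -noout -modulus | openssl md5)
  c=$(openssl x509 -in "$WORKDIR/$DOMAIN.crt" -noout -modulus | openssl md5)
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Common Name actually embedded in the certificate (the value browsers match).
cert_cn() {
  openssl x509 -in "$WORKDIR/$DOMAIN.crt" -noout -subject |
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

run_all() { make_key && make_csr && make_self_signed && verify_set; }

if command -v openssl >/dev/null 2>&1; then
  run_all && echo "key, CSR and cert for $(cert_cn) match in $WORKDIR"
fi
```

If a hosting company ever reports that the cert "does not match the key", the modulus comparison in verify_set is the check that pinpoints it.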
