Sunday, July 29, 2012

Creating A Self Signed Certificate

This is a very small tutorial for creating self signed certificates or creating a Certificate Signing Request (CSR) for forwarding it to a CA like Thawte or Verisign. Self signed certs are good for testing stuff like https. Here is how you can generate a self signed cert:

Step 1. Create a private key
We'll create a 2048 bit RSA key. You need to secure this key and make sure that it does not fall in wrong hands.

$ openssl genrsa -out my_server.key 2048

Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)

Step 2. Create a Certificate Signing Request (CSR)
If you are going to buy a certificate signed from a CA then this CSR file is what you need to send. You need to fill in some details, technically X.509 attributes. "Common Name (eg, your name or your server's hostname)" needs to be the fqdn of your server for which you are getting the cert signed.

$ openssl req -new -key my_server.key -out my_server.csr

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bangalore
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Team
Common Name (eg, your name or your server's hostname) []
Email Address []

A CSR will be generated after this step which can be shipped to any CA or proceed to next step to sign it yourself.

Step 3. Create a self signed certificate
Let us create a cert with 30 days validity. Note that this will throw up warnings in your browsers and curl may refuse to download anything from such websites unless you explicitly ask to ignore the cert.

$ openssl x509 -req -days 30 -in my_server.csr -signkey my_server.key -out my_server.crt

Signature ok

There! You have your cert. Now go play with it :)