Create self signed certificates

In this article I will show you how to create your own Certificate Authority (CA) and use it to sign certificates. Only the CA certificate is self-signed; the site certificates are signed by the CA, which is what lets a single trust-store import cover every certificate the CA issues. I will be generating certificates for my site infimantra.com.

Tasks

  • We create our own Certificate Authority (CA) and use it to sign certificates for internal domains.
  • The CA has its own self-signed certificate, which must be imported into the trust store (browser or system) of every client that should accept the certificates it issues.
  • We create a wildcard certificate for *.infimantra.com (and the bare infimantra.com), signed by the internal CA.
  • We will renew the certificate of the domain *.infimantra.com.
  • Replace my domain with yours throughout.

Reference

https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html

https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html

Create the CA’s own self-signed certificate

Create a file ca.conf with the contents given below. This file will be used to generate the certificate for the CA. For details about the options in the ca.conf file follow the links mentioned in the reference section of this page.

[ req ]
default_bits = 2048
default_keyfile = ca.key
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes

distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions

[ ca_distinguished_name ]
C=IN
ST=Karnataka
L=Bangalore
O=InfiMantraOrgCA
OU=InfiMantraOrgCA
CN=InfiMantraOrgCA

[ ca_extensions ]
# A CA key signs certificates and CRLs; it never enciphers keys, so keyEncipherment is not set.
keyUsage=critical, digitalSignature, keyCertSign, cRLSign
basicConstraints=critical,CA:TRUE
extendedKeyUsage=critical,serverAuth
subjectKeyIdentifier = hash

Run the command given below to create a certificate for the CA which will be valid for 10 years.

$ openssl req -new -x509 -days 3650 -config ca.conf -out ca.crt
$ ls
ca.conf ca.crt  ca.key

You now have three files:

  • ca.conf: the config above
  • ca.crt: the CA's own (self-signed) certificate; this is the file you import into the browser or system trust store
  • ca.key: the CA's private key, written unencrypted because of encrypt_key = no. Anyone holding it can issue certificates that your trust store accepts, so keep it out of web roots and version control and restrict its permissions (chmod 600)

Next, create a file sign.ca.conf with the contents given below. openssl ca reads this file when it signs the certificates the CA issues (the infimantra.com certificate below). For more details about the options in sign.ca.conf follow the links mentioned in the reference section of this page.

[ ca ]
default_ca = org_ca

[ org_ca ]
serial = ./serial
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
policy = ca_policy

[ ca_policy ]
countryName = match
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied

Initialise the files and folders required for the signing procedure:

$ echo '01' > serial
$ touch index.txt
$ mkdir newcerts

Your directory structure should look like below.

$ ls
ca.conf      ca.crt       ca.key       index.txt    newcerts     serial       sign.ca.conf

Create CSR for the client certificate

Create a file infimantra.com.conf with the contents given below. This file will be used to generate the CSR for the client certificate. For details about the options in the infimantra.com.conf file follow the links mentioned in the reference section of this page.

[ req ]
default_bits = 2048
default_keyfile = infimantra.com.key
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
distinguished_name = infimantra_req_distinguished_name
req_extensions = infimantra_extensions

[ infimantra_req_distinguished_name ]
C=IN
ST=Karnataka
L=Bangalore
O=InfiMantra Org
OU=InfiMantra Org
CN=infimantra.com

[ infimantra_extensions ]
keyUsage=critical, digitalSignature, keyEncipherment
basicConstraints=critical,CA:FALSE
extendedKeyUsage=critical,serverAuth
subjectAltName=@infimantra_subject_alt_names
subjectKeyIdentifier = hash

[ infimantra_subject_alt_names ]
DNS.1 = *.infimantra.com
DNS.2 = infimantra.com

Generate the client Certificate Signing Request (CSR)

$ openssl req -new -out infimantra.com.csr -config infimantra.com.conf
$ ls infimantra*
infimantra.com.conf infimantra.com.csr  infimantra.com.key

Sign the client’s certificate

Now sign the CSR with the CA, using sign.ca.conf for the CA settings and the infimantra_extensions section of infimantra.com.conf for the extensions that go into the issued certificate. openssl ca asks for confirmation twice (sign, then commit); pass -batch to skip the prompts when scripting. Note that the extensions come from the -extfile section, not from the CSR: openssl ca ignores whatever extensions a CSR carries unless copy_extensions is set. That is the right default, because it is the CA, not the requester, that must decide CA:FALSE, the key usage and the SAN list.

$ openssl ca -config sign.ca.conf -extfile infimantra.com.conf -extensions infimantra_extensions -out infimantra.com.crt -infiles infimantra.com.csr
$ ls infimantra*
infimantra.com.conf infimantra.com.crt  infimantra.com.csr  infimantra.com.key

The issued certificate is in infimantra.com.crt. Inspect it with the openssl command below. One thing to look for in the Subject line: L=Bangalore from the CSR is gone. openssl ca copies only the DN fields listed in the policy section, and ca_policy has no localityName entry, so the field is silently dropped; add localityName = optional to the policy if you want it kept.

$ openssl x509 -in infimantra.com.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IN, ST=Karnataka, L=Bangalore, O=InfiMantraOrgCA, OU=InfiMantraOrgCA, CN=InfiMantraOrgCA
        Validity
            Not Before: Jul  9 18:05:36 2022 GMT
            Not After : Jul  9 18:05:36 2023 GMT
        Subject: C=IN, ST=Karnataka, O=InfiMantra Org, OU=InfiMantra Org, CN=infimantra.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e7:f7:f0:99:98:a2:86:e9:a0:78:9c:e8:3e:25:
                    bd:33:87:88:05:c2:7f:39:0c:1d:2c:80:ad:bd:26:
                    f6:c9:41:5e:df:75:51:d1:d6:dc:ed:3a:c1:e2:be:
                    9b:c6:96:55:5b:52:da:ec:d4:de:31:12:0f:45:ab:
                    7c:82:78:b4:10:62:8a:aa:84:60:48:86:95:78:71:
                    f6:8d:ed:98:57:78:12:05:32:f3:db:bb:d1:b2:5c:
                    0e:54:fd:32:33:e3:55:69:63:04:25:ca:4c:59:5f:
                    4e:2d:c8:e1:ab:5d:4d:d5:f3:e0:48:3c:37:da:fb:
                    d5:8b:23:d1:38:2a:8c:8e:85:4b:0f:cf:72:4b:2a:
                    f3:66:e1:1a:20:87:9c:60:53:1b:be:de:43:b9:83:
                    41:77:c1:19:d7:7a:aa:94:54:90:85:68:a9:89:05:
                    a2:9e:a0:e4:0f:af:c1:e0:4e:6c:8a:37:e1:84:7c:
                    55:84:21:1e:3e:84:0b:52:29:de:83:6b:bf:e4:90:
                    30:00:f7:c3:13:92:26:8c:c9:a4:6a:31:b6:da:da:
                    2e:09:47:b7:96:39:79:e1:6a:a2:e8:e5:cb:09:b1:
                    e4:7f:b8:13:0c:75:e8:92:99:fd:c8:09:83:e3:03:
                    01:ea:ff:87:c1:a5:de:ac:9e:a1:14:ec:81:70:56:
                    e9:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:*.infimantra.com, DNS:infimantra.com
            X509v3 Subject Key Identifier:
                C2:4B:A3:D4:BF:99:31:18:23:E7:05:F1:14:11:9E:C2:D6:84:95:1F
    Signature Algorithm: sha256WithRSAEncryption
         79:58:c7:b6:a8:83:b9:de:ce:6a:04:ee:e2:9e:2d:bf:ab:3e:
         fd:62:53:6f:dd:3b:3a:0f:ce:3a:8f:f3:80:6d:de:45:e5:c2:
         4b:61:c2:90:8b:0a:46:96:36:6c:a6:a7:f8:5f:74:d5:f0:22:
         98:2d:0b:bc:25:df:3a:53:8e:9a:a0:d7:b6:98:45:29:03:0c:
         e8:c6:d1:3f:e4:94:03:a4:2c:a4:53:69:2a:a7:f2:da:78:b0:
         0e:62:fc:0b:77:15:e7:99:4f:0f:9a:65:2f:24:20:41:70:ad:
         4d:c2:42:e9:ad:09:f5:14:11:c9:7d:cf:e7:09:61:a8:3e:0f:
         4a:56:bb:2f:d8:74:ac:5d:17:9f:ff:08:41:48:a7:ee:3d:15:
         51:73:ce:b6:66:b9:29:77:61:1a:30:e4:3f:e6:76:65:49:df:
         d4:fc:db:6c:ec:29:61:25:5f:09:aa:b0:5e:0e:e1:56:e6:b7:
         dc:98:31:a5:75:0f:fe:80:f1:99:92:cd:8a:41:ad:44:17:74:
         07:c3:65:90:67:73:7d:ac:b2:0d:f0:93:67:77:a4:1b:d5:d5:
         d5:58:4e:97:95:f3:ba:8e:82:0d:e2:fd:5d:8c:7e:aa:b2:81:
         c1:29:47:9d:fa:20:21:48:07:16:65:73:20:e8:6a:49:13:a0:
         b2:91:7b:05

The certificate is valid until Jul 9 18:05:36 2023 GMT, i.e. one year (default_days = 365). The CA certificate (ca.crt) can be inspected the same way and is valid for 10 years. Also note the serial file: openssl ca took the value 01 from it for the wildcard certificate (Serial Number: 1 (0x1)) and wrote back 02 for the next one. Sequential serials are fine for a private test CA; public CAs are required to put at least 64 bits of CSPRNG output in the serial, which openssl ca can do with -rand_serial.

$ cat serial
02
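The script below is an added example and is not part of the original article. It builds the CA and the wildcard certificate the way the article does, then runs the checks the article stops short of: that the site certificate chains to ca.crt and is valid as a TLS server certificate, that www.infimantra.com and infimantra.com are covered by the SAN while a.b.infimantra.com is not (a wildcard matches exactly one label), that the private key really belongs to the issued certificate, and that the serial file advanced to 02. It assumes OpenSSL 1.1.1 or newer on PATH, uses the article's DN and domain values, and takes a throwaway work directory from the caller. Two small departures from the article's configs: DN fields are passed with -subj instead of a prompt = no section to keep the file short, and the leaf extensions live in their own section inside sign.ca.conf so that authorityKeyIdentifier can be added (it cannot sit in a section shared with openssl req, which has no issuer certificate to derive it from); localityName = optional is also added to the policy.

```shell
#!/bin/sh
# Added example, not part of the original article: build the CA and the wildcard
# certificate the way the article does, then run the checks the article stops
# short of. Assumes OpenSSL 1.1.1 or newer on PATH; DN and domain values are the
# article's; the work directory is a throwaway supplied by the caller. DN fields
# are passed with -subj instead of a prompt = no section only to keep it short.
set -eu

# Build CA, CSR and signed wildcard certificate under directory $1.
build_pki() (
  mkdir -p "$1/newcerts" && cd "$1"
  echo 01 > serial
  : > index.txt

  # CA certificate config. A CA key signs certificates and CRLs, nothing else.
  cat > ca.conf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -keyout ca.key \
    -subj '/C=IN/ST=Karnataka/L=Bangalore/O=InfiMantraOrgCA/CN=InfiMantraOrgCA' \
    -config ca.conf -out ca.crt 2>/dev/null

  # openssl ca config plus the extension section the CA applies to the leaf.
  # Extensions come from here (-extfile), never from the CSR: without
  # copy_extensions a CSR cannot smuggle in CA:TRUE or a SAN for another host.
  cat > sign.ca.conf <<'EOF'
[ ca ]
default_ca = org_ca
[ org_ca ]
serial = ./serial
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
policy = ca_policy
[ ca_policy ]
countryName = match
stateOrProvinceName = supplied
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = DNS:*.infimantra.com, DNS:infimantra.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout infimantra.com.key \
    -subj '/C=IN/ST=Karnataka/L=Bangalore/O=InfiMantra Org/CN=infimantra.com' \
    -config ca.conf -out infimantra.com.csr 2>/dev/null
  openssl ca -batch -config sign.ca.conf -extfile sign.ca.conf \
    -extensions leaf_ext -out infimantra.com.crt -infiles infimantra.com.csr 2>/dev/null
)

# Exit 0 when the site certificate chains to ca.crt and is usable as a TLS server cert.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/infimantra.com.crt" >/dev/null 2>&1
}

# Exit 0 when host $2 is covered by the SAN (a wildcard spans exactly one label).
verify_host() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/infimantra.com.crt" >/dev/null 2>&1
}

# Exit 0 when infimantra.com.key is the private half of the issued certificate.
key_matches_cert() {
  [ "$(openssl x509 -in "$1/infimantra.com.crt" -pubkey -noout)" = \
    "$(openssl pkey -in "$1/infimantra.com.key" -pubout)" ]
}

# Contents of the serial file after issuance (openssl ca advances it by one).
next_serial() { cat "$1/serial"; }

# Usage: sh selfsigned-ca.sh run
if [ "${1-}" = run ]; then
  d=$(mktemp -d)
  build_pki "$d"
  verify_chain "$d" && echo "chain: OK"
  verify_host "$d" www.infimantra.com && echo "www.infimantra.com: covered"
  verify_host "$d" a.b.infimantra.com || echo "a.b.infimantra.com: not covered"
  key_matches_cert "$d" && echo "key matches certificate"
  echo "next serial: $(next_serial "$d")"
fi
```

Run it as `sh selfsigned-ca.sh run`; the file name is my own choice. The key/certificate comparison works by exporting the public key from both sides as SubjectPublicKeyInfo PEM and comparing the text, which is more robust than the older modulus-hash trick because it also works for non-RSA keys. The hostname checks use `openssl verify -verify_hostname`, which applies the same wildcard rules a TLS client does: `*.infimantra.com` covers one label, so anything deeper needs its own SAN entry.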
