Self Signed SSL Certificates
Self-signed SSL certificates can be generated using OpenSSL.
Steps
Private Key
Generate a new private key. The output will be in Privacy-Enhanced Mail (PEM) format.
## Generate a new private key
# openssl genrsa -out server.key 4096
Certificate Signing Request
Generate the certificate signing request.
# openssl req -new -sha256 \
-key server.key \
-subj "/C=CA/ST=Alberta/O=Steamr/CN=steamr.com" \
-reqexts SAN \
-extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:x.steamr.com,DNS:y.steamr.com")) \
-out server.csr
The -subj value contains:
Field | Description | Example |
---|---|---|
C | Country - The two-letter ISO country code for your country | CA |
ST | State - The state or province of your organization | Alberta |
O | Organization - The legal name of the organization | Steamr Corp. |
CN | Common Name - The fully qualified domain name for the certificate | steamr.com |
Additionally, the [SAN] section passed in through the -config flag defines any Subject Alternative Names (SANs) the certificate should have; it can be removed if unneeded.
You can verify your CSR using:
# openssl req -noout -text -in server.csr
After you have verified your CSR, you can either continue to self-sign it in the next step, or submit it to a CA to purchase an SSL certificate.
Signing
Sign your certificate signing request.
# openssl x509 \
-req \
-days 730 \
-extfile <(printf "subjectAltName=DNS:x.steamr.com,DNS:y.steamr.com") \
-signkey server.key \
-in server.csr \
-out server.crt
The -days value defines the number of days the certificate will be valid for from the time of signing. If not given, a default of 30 days is used.
Any SANs must also be passed through again with the -extfile flag, because the extensions in the CSR are not carried over into the signed certificate.
You can verify the signed certificate by running:
# openssl x509 -noout -text -in server.crt
Renewing
If the certificate has expired, you can 'renew' it by first regenerating a certificate signing request (CSR):
# openssl x509 -x509toreq -in expired_certificate.crt -out new_csr.csr -signkey domain_private.key
Then sign the CSR with the private key to produce a new certificate (as in the Signing step, any SANs must again be supplied with -extfile):
# openssl x509 -req -days 3650 -in new_csr.csr -signkey domain_private.key -out new_certificate.crt
Replace the expired certificate with the new certificate and reload any services that are using the certificate for it to be applied.
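The following script is an added example, not part of the original page: it runs the key, CSR and self-signing steps above end to end, checks the result the way you would before deploying it (SANs present, key matches certificate, validity as requested), and then repeats the Renewing step without -extfile to show that the SANs are silently dropped. Hostnames are the page's placeholders; a minimal OpenSSL config is written to a temp file instead of concatenating /etc/ssl/openssl.cnf so it runs on any host with openssl.

```shell
#!/bin/sh
# Added example (not the page's own commands): key -> CSR -> self-signed cert,
# followed by checks a practitioner would run before deploying the result.
set -eu

WORK="$(mktemp -d)"
SANS="DNS:x.steamr.com,DNS:y.steamr.com"   # page's placeholder hostnames

# Generate key, CSR with SANs, and a self-signed cert valid for $1 days.
make_self_signed() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n[SAN]\nsubjectAltName=%s\n' "$SANS" > "$WORK/req.cnf"
    printf 'subjectAltName=%s\n' "$SANS" > "$WORK/san.ext"
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/server.key" \
        -subj "/C=CA/ST=Alberta/O=Steamr/CN=steamr.com" \
        -reqexts SAN -config "$WORK/req.cnf" -out "$WORK/server.csr" 2>/dev/null
    # x509 -req does not copy the CSR's extensions: SANs must be re-supplied via -extfile.
    openssl x509 -req -days "$1" -sha256 -extfile "$WORK/san.ext" \
        -signkey "$WORK/server.key" -in "$WORK/server.csr" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Print the SAN list certificate $1 actually carries (empty if it has none).
cert_sans() {
    openssl x509 -noout -text -in "$1" | sed -n '/Subject Alternative Name/{n;s/ //g;p;}'
}

# Succeed only if certificate $1's public key is the one derived from private key $2.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Succeed if certificate $1 will still be valid $2 days from now (-checkend exits 1 if not).
cert_valid_after_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Renew as in the Renewing section but without -extfile: the SANs are dropped.
renew_without_extfile() {
    openssl x509 -x509toreq -in "$WORK/server.crt" -signkey "$WORK/server.key" \
        -out "$WORK/renew.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$WORK/renew.csr" -signkey "$WORK/server.key" \
        -out "$WORK/renewed.crt" 2>/dev/null
}

make_self_signed 730
renew_without_extfile
echo "SANs in server.crt:  $(cert_sans "$WORK/server.crt")"
echo "SANs in renewed.crt: '$(cert_sans "$WORK/renewed.crt")'"
```

Run it as `sh script.sh`; the second line of output is empty quotes, which is exactly what a client checking the hostname against a renewed certificate would reject.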
Trusting Your Self Signed SSL Certificates
The key and certificate generated with the steps above will not be signed by a trusted certificate authority and therefore cannot be verified by your browser, resulting in a security warning. To get around this, you can add your certificate directly into your browser or operating system's list of trusted certificate authorities.