DEV Community

amirhossein chamideh

Generate Self-Signed SSL Cert

Quick guide on how to generate a self-signed SSL certificate.

Hope it helps

OpenSSL Tool:

Most of the time openssl is already installed on your Linux system.

If it is missing, you can install it.

On Debian/Ubuntu:

sudo apt install openssl

On RHEL8/9:

sudo dnf install openssl

To verify the installation (the version is printed by the version subcommand; --version is not accepted by every OpenSSL release):

openssl version

1. Generate CA Certificate And Trust It On The System

In order to generate a CA first we need to generate CA's key.

To do it we can execute the following command on the terminal:

openssl genrsa -out CA.key 2048

Where:

  • genrsa: Generates a private key using the RSA algorithm.
  • -out: Specifies the output file name for the key.
  • 2048: The key size in bits. The more bits, the stronger the key.

Now that we have the CA key we need to generate CA certificate.

In order to do that:

openssl req -x509 -new -key CA.key -out CA.pem -days 365

Where:

  • req: Starts a certificate request generation.
  • -x509: With this switch openssl skips the CSR step and directly generates a self-signed root CA certificate.
  • -new: Combined with req -x509, tells openssl to create a new certificate.
  • -key: Specifies the private key we generated in the previous step.
  • -out: Specifies the certificate file name.
  • -days: Validity period in days.

Note: We can create the certificate and its key in one step by using the -keyout Key_Name.key option instead of -key.

After executing the command you'll be prompted for some information such as Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address.

Now we have CA and its key.

It's time to trust them on our local system.

On Debian/Ubuntu:

sudo cp CA.pem /usr/local/share/ca-certificates/CA.pem

On RHEL:

sudo cp CA.pem /etc/pki/ca-trust/source/anchors/CA.pem

It is also good practice to keep the CA private key in the following locations:

Debian/Ubuntu: /etc/ssl/private/
RHEL: /etc/pki/CA/private/

After placing the files, run the following command to update the list of trusted CAs:

Debian/Ubuntu: sudo update-ca-certificates
RHEL: sudo update-ca-trust

2. Generate CSR

A CSR contains a public key and metadata (such as domain name, OU and ...) and is used to request a certificate from a CA.

First we need to generate a private key for our certificate just like we did for the CA:

openssl genrsa -out server.key 2048

Now to get the CSR we need to execute the following command:

openssl req -new -key server.key -out server.csr

Where:

  • req -new: This combination creates a CSR. Adding -x509 would instead generate a self-signed certificate, as in the CA step.

3. Create Certificate Extension File

This step is optional but it's suggested.

Extension files use the .ext extension and look like this:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
IP.1 = 192.168.1.1

Component Breakdown:

  • authorityKeyIdentifier: Links the certificate to the issuing CA by key ID and issuer name. This is what enables certificate chain validation.
  • basicConstraints: Specifies whether the cert may act as a CA and sign other certificates. With CA:FALSE it is not a CA; with CA:TRUE it is. When set to TRUE you can also add pathlen:NUM to limit the chain depth.
  • keyUsage: Defines which cryptographic operations the certificate's public key is allowed to perform. The operations are listed below.
  • extendedKeyUsage: Adds purpose-specific operations beyond keyUsage. They're listed below.
  • subjectAltName: Defines additional identities such as DNS names, IP addresses and email addresses.

keyUsage operations list:

  • digitalSignature: Allows use for signing, e.g. in the TLS handshake.
  • nonRepudiation: Ensures the signer cannot deny having signed.
  • keyEncipherment: Allows encrypting symmetric keys used in TLS key exchange.
  • dataEncipherment: Allows direct encryption of data.
  • keyAgreement: Allows key exchange protocols like Diffie-Hellman.
  • keyCertSign: Required for CAs to sign other certs.
  • cRLSign: Allows signing certificate revocation lists.
  • encipherOnly: Used only with keyAgreement; limits the key to encryption.
  • decipherOnly: Used only with keyAgreement; limits the key to decryption.

extendedKeyUsage operations list:

  • serverAuth: Used to authenticate a TLS/SSL server, like HTTPS websites.
  • clientAuth: Used to authenticate TLS clients.
  • codeSigning: For digitally signing software/code.
  • emailProtection: For signing or encrypting email.
  • timeStamping: For trusted timestamps, e.g. on legal documents.
  • OCSPSigning: For signing OCSP responses.

4. Generating The Certificate

Now that we have everything, let's generate our certificate.

Execute the following command.

openssl x509 -req -in server.csr -CA /path/to/CA.pem -CAkey /path/to/CA.key -CAcreateserial -out server.pem -days 365 -sha256 -extfile server.ext

Command Breakdown:

  • x509: Tells openssl to work with an X.509 certificate.
  • -req: Indicates the input is a CSR file.
  • -in: Specifies the input file.
  • -CA: Specifies the self-signed CA certificate used to sign the CSR.
  • -CAkey: Specifies the private key of the CA used to digitally sign the certificate.
  • -CAcreateserial: Creates a serial number file (e.g. myCA.srl) for tracking issued certs.
  • -sha256: Uses the SHA-256 hash algorithm for signing the certificate.
  • -extfile: Specifies the extension file.
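The whole four-step flow run end to end, as an added example that is not part of the original post: it assumes openssl is on PATH, uses -subj to answer the prompts non-interactively, and then checks the result with openssl verify and inspects the extensions that server.ext applied. The file names and example.com are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: runs steps 1-4 end to end in a
# scratch directory and then checks the result. Assumes openssl is on PATH;
# the file names and example.com are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Steps 1-4: CA key + self-signed CA cert, server key + CSR, extension file, signed leaf.
# Runs in a subshell so the cd does not leak; -subj answers the prompts non-interactively.
make_pki() (
    cd "$WORK"
    openssl genrsa -out CA.key 2048 2>/dev/null
    openssl req -x509 -new -key CA.key -out CA.pem -days 365 -subj "/CN=Example Lab Root CA"
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr -subj "/CN=example.com"
    cat > server.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
    openssl x509 -req -in server.csr -CA CA.pem -CAkey CA.key -CAcreateserial \
        -out server.pem -days 365 -sha256 -extfile server.ext
)

# Returns 0 when server.pem chains to CA.pem (what a client trusting CA.pem would accept).
verify_chain() {
    openssl verify -CAfile "$WORK/CA.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Prints the SAN list, one way to confirm the extension file was actually applied.
leaf_sans() {
    openssl x509 -in "$WORK/server.pem" -noout -ext subjectAltName | tail -n +2 | tr -d ' '
}

# Returns 0 only if the leaf did NOT become a CA, i.e. basicConstraints=CA:FALSE took effect.
leaf_is_not_ca() {
    ! openssl x509 -in "$WORK/server.pem" -noout -ext basicConstraints | grep -q 'CA:TRUE'
}

make_pki
verify_chain && echo "server.pem verifies against CA.pem"
leaf_sans
```

Running verify_chain without -CAfile (or against a system store where CA.pem was never added) is the quickest way to see why the trust step in section 1 matters.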
