Oleksandr Gavenko's blog
2020-11-08 00:00 Generate a self-signed certificate

OpenSSL can generate a self-signed certificate with a single command (-newkey instructs it to generate a private key and -x509 instructs it to issue a self-signed certificate instead of a signing request):

openssl req -x509 -newkey rsa:4096 \
  -keyout my.key -passout pass:123456 -out my.crt \
  -days 365 \
  -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
  -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
  -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth

You can also generate the private key and construct the self-signed certificate in separate steps:

openssl genrsa -out my.key -passout pass:123456 2048

openssl req -x509 \
  -key my.key -passin pass:123456 -out my.crt \
  -days 3650 \
  -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
  -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
  -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth

Review the resulting certificate:

openssl x509 -text -noout -in my.crt

With openssl we can also add an intermediate step and go through a signing request, as we would for a CA-signed certificate:

  • generate private key (openssl genrsa)

  • generate CSR (openssl req -new)

  • sign CSR with private key (openssl x509)

The problem here is that openssl x509 doesn't support an -addext-like option, so we need to craft a config file... Of course, with the Bash <(...) syntax we can add the required extensions inline:

openssl genrsa -out my.key -passout pass:123456 2048

openssl req -new \
  -key my.key -passin pass:123456 -out my.csr \
  -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal

openssl x509 -req \
  -in my.csr -signkey my.key -passin pass:123456 -out my.crt \
  -days 3650 -CAcreateserial \
  -extensions v3_ca \
  -extfile <( \
    echo "[v3_ca]"; \
    echo "extendedKeyUsage=serverAuth"; \
    echo "subjectAltName=DNS:localhost,DNS:web.internal,email:me@mail.internal")

Java keytool creates a PKCS#12 store:

keytool -genkeypair -keystore my.p12 -alias master \
  -storetype pkcs12 -keyalg RSA -keysize 2048 -validity 3650 \
  -storepass 123456 \
  -dname "CN=localhost,O=home,C=US" \
  -ext 'san=dns:localhost,dns:web.internal,email:me@mail.internal'

To export the self-signed certificate:

keytool -exportcert -keystore my.p12 -file my.crt \
  -alias master -rfc -storepass 123456

Review the resulting certificate:

keytool -printcert -file my.crt

See also: How to create a self-signed certificate with OpenSSL
https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092

Use the private key and the corresponding self-signed certificate to launch a server:

openssl s_server -accept 8000 -www -key my.key -cert my.crt

Clients should use the self-signed certificate itself as the trust anchor for verification:

echo | openssl s_client -servername localhost -connect localhost:8000 -CAfile my.crt

curl -v --cacert my.crt https://localhost:8000

There is no certificate chain, so the check is trivial for self-signed certificates: the presented certificate must be the very one in the trust store...
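As an added example (not from the post), the shell script below wraps the single-command generation from above in a function and then checks the result the way a client would: the certificate is passed as the trust anchor and the hostname is checked against subjectAltName, including the mismatch case. It assumes OpenSSL 1.1.1 or newer (for -addext, -verify_hostname and -ext); the host name and file paths are parameters.

```shell
#!/usr/bin/env bash
# Added example (not from the post): wrap the single-command generation in a
# function, then check the certificate the way a client would: the certificate
# itself is the trust anchor (-CAfile) and the hostname must match a SAN entry.
# Assumes OpenSSL 1.1.1 or newer (for -addext, -verify_hostname and -ext).
set -u

# Generate an encrypted private key and a self-signed certificate in one step,
# with the same subject/extension options as the post; host and paths are
# parameters so the same function serves several names.
gen_selfsigned() {
  local host=$1 key=$2 crt=$3
  openssl req -x509 -newkey rsa:2048 \
    -keyout "$key" -passout pass:123456 -out "$crt" \
    -days 365 \
    -subj "/CN=$host/O=home/C=US" \
    -addext "subjectAltName = DNS:$host,DNS:web.internal" \
    -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth \
    2>/dev/null
}

# Client-side check: trust only this certificate and require that $host is
# covered by subjectAltName. Returns 0 on success, non-zero on a name mismatch
# or if the certificate does not verify against itself.
verify_selfsigned() {
  local host=$1 crt=$2
  openssl verify -CAfile "$crt" -verify_hostname "$host" "$crt" >/dev/null 2>&1
}

# Show the SAN extension, so a reviewer sees which names the certificate covers.
san_of() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null
}

# Usage:
#   gen_selfsigned localhost my.key my.crt
#   verify_selfsigned localhost my.crt && echo "localhost: OK"
#   verify_selfsigned other.example my.crt || echo "other.example: rejected"
#   san_of my.crt
```

The mismatch case matters because a client that pins the certificate with -CAfile still rejects a connection to a name the certificate does not list, which is the behaviour you want from a browser or curl as well.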

tls, security
