Create TLS/SSL self-signed certificates for server & client
In this tutorial we will create a set of client and server certificates for local development purposes.
The general procedure to obtain a signed certificate is as follows. You create a private key for the entity (server or client), build a certificate signing request (CSR) from it, and submit the CSR to a certificate authority (CA), which returns the signed certificate. In this tutorial we act as our own CA: we first create a CA key and a self-signed CA certificate, then use them to sign the server and client CSRs.
Create Private Key --> Create CSR --> Submit to CA --> retrieve cert
We will create the following files during this tutorial:
- CA key file
ca-key.pem
- CA certificate file
ca-cert.pem
- Server certificate file
server-cert.pem
- Server key file
server-key.pem
- Client certificate file
client-cert.pem
- Client key file
client-key.pem
Common Name
The Common Name (CN) is the field of the subject Distinguished Name (DN) that names the holder of a certificate. Use a different CN for the CA, the server and the client: if the subject of a leaf certificate is identical to the subject of its issuer, OpenSSL treats the leaf as self-signed and verification against the CA fails. Note also that current browsers and TLS libraries do not match the hostname against the CN any more but against the subjectAltName (SAN) extension; the commands in this tutorial do not add a SAN, so for hostname checks with curl or a browser you will need to add one for the server's name when signing the server certificate.
Create CA certificate (TLS/SSL)
With the CA Key and the CA certificate we can create and sign new client and server certificates.
Generate a new CA key:
openssl genrsa 4096 > ca-key.pem
- 4096 is the length of the key in bits (2048 is the minimum you should use today)
Output:
Generating RSA private key, 4096 bit long modulus (2 primes)
..................++++
....................++++
e is 65537 (0x010001)
Generate the CA certificate (CSR & Cert in one step):
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
- -x509 makes `req` output a self-signed certificate directly instead of a CSR
- -nodes leaves the private key unencrypted (no passphrase prompt); fine for a development CA, not for a production one
- 365000 days (roughly 1000 years) is the validity time; for local development any long value works, but older or 32-bit clients can mishandle dates that far in the future, so 3650 days (10 years) is the safer choice
Common Name
Choose a CN that differs from the CNs you will give the server and client certificates later (e.g. "main")
Output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:main
Email Address []:
You should have two files now:
ca-cert.pem
- Certificate file for the Certificate Authority (CA)
ca-key.pem
- Key file for the Certificate Authority (CA)
Optional
Some applications want the certificate and the key in one "merged" PEM file; you can produce it with:
cat ca-cert.pem ca-key.pem > CA.pem
Treat CA.pem like the key itself: it contains the CA private key, so never copy it to a server or client that only needs ca-cert.pem to verify its peer.
Create the server SSL certificate
Generate the Server Key and a Signing Request:
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem -sha256
- -sha256 selects the digest used to sign the CSR. SHA-1 and MD5 signatures are rejected by modern clients. The digest of the final certificate is chosen separately in the signing step below (`openssl x509 -req` defaults to SHA-256 on OpenSSL 1.1.0 and later and to SHA-1 on older releases), so pass -sha256 there as well.
Output:
Generating a RSA private key
..............................................+++++
...+++++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Convert the server key to the traditional RSA format:
openssl rsa -in server-key.pem -out server-key.pem
Output:
writing RSA key
This rewrites the key from the PKCS#8 container that `req` produced ("BEGIN PRIVATE KEY") into the older PKCS#1 form ("BEGIN RSA PRIVATE KEY") that some applications still require. On OpenSSL 3.x `openssl rsa` writes PKCS#8 by default, so add `-traditional` there if you need the "RSA PRIVATE KEY" header.
Sign the server certificate with the CA (serial number 01):
openssl x509 -req -in server-req.pem -days 365000 -sha256 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
- -set_serial assigns the certificate's serial number. Every certificate issued by one CA must have a unique serial; a reused issuer/serial pair is rejected by some clients (Firefox reports SEC_ERROR_REUSED_ISSUER_AND_SERIAL), so the client certificate below gets a different one.
Output:
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = server
Getting CA Private Key
You should have two additional files now:
server-cert.pem
- Server certificate file
server-key.pem
- Server private key file
Create the client TLS/SSL certificate
Common Name
Keep in mind to choose a CN that differs from both the server and the CA certificate (e.g. "client")
Generate client key and signing request:
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem -sha256
Output:
Generating a RSA private key
..............................................+++++
...+++++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:client
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Convert the client key to the traditional RSA format (same conversion as for the server key):
openssl rsa -in client-key.pem -out client-key.pem
Output:
writing RSA key
Sign the client certificate (note the different serial number 02; the CA must not issue two certificates with the same serial):
openssl x509 -req -in client-req.pem -days 365000 -sha256 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
Output:
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = client
Getting CA Private Key
Verification
To verify that everything was successful, issue the following command:
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
The output should be as the following:
server-cert.pem: OK
client-cert.pem: OK
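The whole procedure in one non-interactive script, together with the checks a reviewer would run on the result, as an added example that is not part of the original tutorial. It assumes `openssl` is on PATH, passes the subjects with `-subj` instead of answering the prompts, shortens the validity to 3650 days, gives the client certificate the distinct serial 02, adds a subjectAltName for localhost to the server certificate, and locks the key files down to mode 0600; all of these are this example's choices, not the page's.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create CA, server and client
# certificates non-interactively, then check the result the way a reviewer would.
# Assumptions: openssl on PATH; subjects passed with -subj; 3650-day validity;
# SAN for localhost/127.0.0.1 on the server cert; serials 01 (server) / 02 (client).
set -eu

make_certs() {
  dir="${1:-certs}"
  mkdir -p "$dir"
  (
    cd "$dir"
    # 1. CA key and self-signed CA certificate (CSR and cert in one step).
    openssl genrsa -out ca-key.pem 4096
    openssl req -new -x509 -sha256 -nodes -days 3650 -key ca-key.pem \
      -subj "/CN=main" -out ca-cert.pem

    # 2. Server key + CSR, signed by the CA. The SAN is what clients match the
    #    hostname against; browsers and curl ignore the CN for that purpose.
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout server-key.pem \
      -subj "/CN=server" -out server-req.pem
    printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > server-ext.cnf
    openssl x509 -req -sha256 -days 3650 -in server-req.pem \
      -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
      -extfile server-ext.cnf -out server-cert.pem

    # 3. Client key + CSR, signed by the same CA with a different serial number.
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout client-key.pem \
      -subj "/CN=client" -out client-req.pem
    openssl x509 -req -sha256 -days 3650 -in client-req.pem \
      -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

    # 4. Private keys: owner read/write only.
    chmod 600 ca-key.pem server-key.pem client-key.pem
  )
}

# Returns 0 only if the issued files are usable: both leaves chain to the CA,
# the serials differ, the server cert carries the SAN, no leaf shares the CA's
# subject, and the key files are not readable by anyone but their owner.
check_certs() {
  dir="${1:-certs}"
  openssl verify -CAfile "$dir/ca-cert.pem" \
    "$dir/server-cert.pem" "$dir/client-cert.pem" >/dev/null || return 1
  srv_serial=$(openssl x509 -noout -serial -in "$dir/server-cert.pem")
  cli_serial=$(openssl x509 -noout -serial -in "$dir/client-cert.pem")
  [ "$srv_serial" != "$cli_serial" ] || return 1
  openssl x509 -noout -text -in "$dir/server-cert.pem" | grep -q 'DNS:localhost' || return 1
  ca_subj=$(openssl x509 -noout -subject -in "$dir/ca-cert.pem")
  for leaf in server client; do
    [ "$(openssl x509 -noout -subject -in "$dir/$leaf-cert.pem")" != "$ca_subj" ] || return 1
    [ "$(ls -ld "$dir/$leaf-key.pem" | cut -c1-10)" = "-rw-------" ] || return 1
  done
}

# Usage: sh make-certs.sh <output-dir>
if [ "$#" -gt 0 ]; then
  make_certs "$1"
  check_certs "$1" && echo "certificates in $1 verified OK"
fi
```

Run it as `sh make-certs.sh ./certs`; the six files from the list at the top of the tutorial (plus the CSRs and the small extension file) end up in `./certs`. `check_certs` deliberately goes beyond `openssl verify`, which only proves the signature chain and validity dates: a certificate can pass it and still be refused by a client because of a reused serial, a missing SAN, or a key file the service cannot open.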
Info
Before handing the certificates to servers and clients, set the file permissions so that each service can read its own private key and nobody else can (mode 0600, owned by the user the service runs as). The CA key is only needed to issue certificates: keep it off the server and client machines, which need only ca-cert.pem to verify the other side.