Self-Signed Certificate and How to Create One Using OpenSSL
SSL stands for Secure Sockets Layer. An SSL/TLS certificate is what a server, most commonly a web server, presents to set up a secure connection.
SSL certificates mainly serve two functions:
- Authenticate the identity of the server (so that users know they are not sending their information to the wrong server).
- Enable encryption of the data in transit: the certificate carries the server's public key, which the client uses to negotiate the session keys that encrypt the traffic.
Usually the certificate is issued by a trusted Certification Authority (CA) such as GoDaddy or Verisign, and clients accept it because they already trust that CA.
But we can also use a self-signed certificate.
Self-Signed Certificate
A self-signed certificate is a certificate that is signed by its own creator rather than a trusted authority.
These are less trustworthy: a client that accepts a self-signed certificate has no way to tell the genuine one from one an attacker generated, so an attacker can present their own self-signed certificate and launch a man-in-the-middle attack.
Self-signed certificates are acceptable in scenarios like:
1) Intranet.
2) Personal sites with few visitors.
3) Development or Testing phase of the application.
Don't use a self-signed certificate for an application that transmits sensitive data, especially over the public internet.
How to Create a Self-Signed Certificate Using OpenSSL
OpenSSL is a toolkit, with a command-line tool of the same name, that implements the TLS (Transport Layer Security) protocol and its predecessor SSL (Secure Sockets Layer).
On Linux, run the commands below:
1) openssl genrsa -out server.key 2048 ---> Generate the private key. Keep this file readable only by its owner: anyone who obtains it can impersonate the server.
2) openssl req -new -key server.key -out server.csr ---> Generate a Certificate Signing Request (CSR). You are prompted for the Distinguished Name fields; the Common Name (CN) should be the server's hostname.
3) openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt ---> Self-sign the certificate with the same private key, valid for 365 days.
Note that openssl x509 -req adds no X.509v3 extensions unless you pass an extension file (-extfile), so a certificate made this way has no subjectAltName; current browsers match the hostname against subjectAltName rather than the CN and will reject it for that reason even after you trust it.
[root@oel7 ~]# pwd
/root
[root@oel7 ~]# mkdir certificates
[root@oel7 ~]# pwd
/root
[root@oel7 ~]# cd certificates/
[root@oel7 certificates]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
................+++
e is 65537 (0x10001)
[root@oel7 certificates]# ls -ltr
total 4
-rw-r--r-- 1 root root 1679 Mar 28 18:09 server.key
[root@oel7 certificates]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:Delhi
Organization Name (eg, company) [Default Company Ltd]:Funoracleapps Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:*.lab
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@oel7 certificates]# ls -ltr
total 8
-rw-r--r-- 1 root root 1679 Mar 28 18:09 server.key
-rw-r--r-- 1 root root 1001 Mar 28 18:11 server.csr
[root@oel7 certificates]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=IN/ST=Delhi/L=Delhi/O=Funoracleapps Ltd/OU=IT/CN=*.lab
Getting Private key
[root@oel7 certificates]# ls -ltr
total 12
-rw-r--r-- 1 root root 1679 Mar 28 18:09 server.key
-rw-r--r-- 1 root root 1001 Mar 28 18:11 server.csr
-rw-r--r-- 1 root root 1200 Mar 28 18:12 server.crt
I am giving *.domain_name as the CN so that the certificate can be used for multiple servers within the domain.
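The same three steps, as an added example that is not part of the original post: it runs non-interactively, writes the private key with mode 0600 from the start (the listing above shows 0644, which lets every local user read the key), puts the names into a subjectAltName through an -extfile so that browsers and openssl verify will match the hostname, and then checks what was produced. The directory name, the hostnames and the DN fields are placeholders chosen for this example. It uses *.lab.example rather than *.lab because OpenSSL's hostname matcher only treats a wildcard as a wildcard when at least two labels follow the asterisk, so *.lab would not match app1.lab; a wildcard also covers exactly one label, so deep.app1.lab.example is not matched, and the bare lab.example needs its own SAN entry.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Paths, hostnames and DN fields are
# placeholders. Requires the openssl command-line tool.
set -eu

# make_selfsigned DIR NAME [NAME...]
# Writes DIR/server.key, DIR/server.csr and DIR/server.crt. The first NAME
# becomes the CN; every NAME goes into the subjectAltName list.
make_selfsigned() {
  dir="$1"; shift
  cn="$1"
  san=""
  for n in "$@"; do
    san="${san:+$san,}DNS:$n"
  done

  mkdir -p "$dir"

  # Step 1: private key. umask 077 (in a subshell so it does not leak to the
  # caller) makes the key 0600 from the moment the file exists.
  ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 )

  # Step 2: CSR. -subj supplies the Distinguished Name instead of prompting.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=IN/ST=Delhi/L=Delhi/O=Funoracleapps Ltd/OU=IT/CN=$cn"

  # Step 3: self-sign. 'openssl x509 -req' adds no extensions on its own, so
  # the SAN list (what clients actually check) comes from this extension file.
  cat > "$dir/san.cnf" <<EOF
subjectAltName=$san
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
EOF
  openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -out "$dir/server.crt" -extfile "$dir/san.cnf"
}

# cert_sans CERT: print the SAN entries one per line, e.g. "DNS:*.lab.example".
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n'
}

# cert_matches_host CERT HOST: succeed only if CERT is valid for HOST.
# The certificate is used as its own trust anchor, which is exactly what a
# client must be configured with (pinning) for a self-signed cert to verify.
cert_matches_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

main() {
  outdir="$1"; shift
  make_selfsigned "$outdir" "$@"
  echo "key permissions: $(ls -l "$outdir/server.key" | cut -d' ' -f1)"
  echo "SAN entries:"
  cert_sans "$outdir/server.crt"
  # Demo hostnames assume the usage line below (*.lab.example plus lab.example).
  for h in app1.lab.example lab.example deep.app1.lab.example other.example; do
    if cert_matches_host "$outdir/server.crt" "$h"; then
      echo "$h: matches"
    else
      echo "$h: does not match"
    fi
  done
}

# Usage: bash selfsigned.sh <outdir> <name> [name...]
# e.g.   bash selfsigned.sh certificates '*.lab.example' lab.example
if [ $# -ge 2 ]; then
  main "$@"
fi
```

Because the certificate is self-signed, the only way any client can verify it is to be given this exact certificate (or its public key) ahead of time, which is what cert_matches_host does by passing it as -CAfile; a client that simply accepts whatever self-signed certificate it is shown gets no protection against the man-in-the-middle scenario described above.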